bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: LDAP authentication
Dec 02, 2011 07:52 PM
Ok, do me a favor, grab this AD testing tool and see if you can run queries against your AD. Now one caveat to keep in mind: when you run your application, you are running as Network Service. You may need to turn on identity impersonate so that the user doing the logon is actually doing the query. If you try to query AD as anonymous or Network Service, that will probably fail on you.
http://www.joeware.net/freetools/tools/adfind/index.htm
spyxdaxworld
Member
431 Points
232 Posts
Re: LDAP authentication
Dec 07, 2011 03:34 AM
I downloaded the software from the link you provided. I ran AdFind.exe; it opens a DOS window for a few seconds, then it disappears.
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: LDAP authentication
Dec 07, 2011 10:15 AM
It's a program that you have to run from the command prompt, since it is a command script.
spyxdaxworld
Member
431 Points
232 Posts
Re: LDAP authentication
Dec 17, 2011 06:25 PM
I used the software called 'Softerra LDAP Browser'. When I type in the LDAP URL in Softerra LDAP Browser, it takes me into the LDAP directory without authenticating the user. And of course it has an option to authenticate the user through CN, OU, O and providing a password. I can easily access the LDAP directory and view the whole directory using the LDAP URL in Softerra LDAP Browser without providing further details such as CN, OU, O and password. I can do a Scope Subtree search when I log in as an anonymous user using Softerra LDAP Browser. What do I need to add in my code to do the search in the subtree to authenticate the user?
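An added example of doing exactly that with System.DirectoryServices (this is not the poster's code nor anything from the forum). It binds as the user with Negotiate rather than a clear-text simple bind, refuses an empty password (which LDAP treats as an anonymous bind that succeeds), discovers the domain root from RootDSE, and then searches the whole subtree for that one sAMAccountName with the input escaped per RFC 4515 so it cannot widen the filter. The DC address is the one from the thread; YOURDOMAIN is a placeholder for the NetBIOS name of the domain, and the HRESULT used to recognise a bad password is the Win32 ERROR_LOGON_FAILURE code that ADSI reports.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public enum AdLogonResult { Success, InvalidCredentials, UserNotFound, DirectoryError }

public static class AdLogon
{
    // Assumed values: the DC address is the one from the thread; the NetBIOS
    // domain name is a placeholder that must match the domain that DC serves.
    private const string LdapServer = "11.20.201.40:389";
    private const string NetbiosDomain = "YOURDOMAIN";

    // Win32 ERROR_LOGON_FAILURE (1326) as the HRESULT ADSI raises for a failed bind.
    private const int HrLogonFailure = unchecked((int)0x8007052E);

    // Escapes a value for use inside an LDAP search filter (RFC 4515), so input
    // such as "*" or "x)(objectClass=*" cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Binds as the user, then looks that user up in the whole domain subtree.
    // On success, userDn receives the account's distinguishedName.
    public static AdLogonResult Authenticate(string username, string password, out string userDn)
    {
        userDn = null;

        // A bind with an empty password is an unauthenticated (anonymous) bind, which
        // AD accepts and reports as success; it must never count as a logon.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return AdLogonResult.InvalidCredentials;

        DirectoryEntry rootDse = null, domainRoot = null;
        DirectorySearcher searcher = null;
        try
        {
            // "LDAP://" must be upper case for ADSI. AuthenticationTypes.Secure binds with
            // Negotiate (Kerberos or NTLM); AuthenticationTypes.None would be a simple bind
            // that sends the password in clear text over port 389.
            rootDse = new DirectoryEntry("LDAP://" + LdapServer + "/RootDSE",
                NetbiosDomain + "\\" + username, password, AuthenticationTypes.Secure);

            // The bind happens on the first property read; bad credentials throw here.
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;

            domainRoot = new DirectoryEntry("LDAP://" + LdapServer + "/" + baseDn,
                NetbiosDomain + "\\" + username, password, AuthenticationTypes.Secure);
            searcher = new DirectorySearcher(domainRoot)
            {
                SearchScope = SearchScope.Subtree,
                Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                         + EscapeFilterValue(username) + "))"
            };
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult hit = searcher.FindOne();
            if (hit == null)
                return AdLogonResult.UserNotFound;

            userDn = (string)hit.Properties["distinguishedName"][0];
            return AdLogonResult.Success;
        }
        catch (COMException ex) // DirectoryServicesCOMException derives from COMException
        {
            return ex.ErrorCode == HrLogonFailure
                ? AdLogonResult.InvalidCredentials
                : AdLogonResult.DirectoryError;
        }
        finally
        {
            if (searcher != null) searcher.Dispose();
            if (domainRoot != null) domainRoot.Dispose();
            if (rootDse != null) rootDse.Dispose();
        }
    }
}
```

Call it from the button handler as `AdLogon.Authenticate(txtUserID.Text, txtPassword.Text, out dn)` and treat only `Success` as a logon. `DirectoryError` (server unreachable, wrong search base, no rights to search) is deliberately kept apart from `InvalidCredentials` so the problem the thread is chasing shows up as the former rather than being reported to the user as a bad password.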
spyxdaxworld
Member
431 Points
232 Posts
Re: LDAP authentication
Dec 17, 2011 06:29 PM
I added objDseSearcher.SearchScope = SearchScope.Subtree; to the code and it still doesn't work. Below is the full code.
using System;
using System.DirectoryServices;
using System.Web.UI;

namespace WebApplication1
{
    public partial class WebForm1 : Page
    {
        // Domain controller from the original post. ADSI paths must start with
        // upper-case "LDAP://"; a lower-case "ldap://" path is not recognised.
        private const string LdapServer = "11.20.201.40:389";

        // Placeholder: the NetBIOS name of the domain. This, not the LDAP URL,
        // is what goes in front of the backslash in the bind user name.
        private const string NetbiosDomain = "YOURDOMAIN";

        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected void btnLogin_Click(object sender, EventArgs e)
        {
            if (AuthenticateAndGetUserDataFromAD(txtUserID.Text, NetbiosDomain, txtPassword.Text))
            {
                Page.ClientScript.RegisterStartupScript(GetType(), "Alert",
                    "javascript:alert('Hi, you are an authenticated user');", true);
            }
            else
            {
                Page.ClientScript.RegisterStartupScript(GetType(), "Alert",
                    "javascript:alert('You are not an authorized user!');", true);
            }
        }

        public bool AuthenticateAndGetUserDataFromAD(string strusername, string strDomain, string strPassword)
        {
            // An empty password turns the bind into an anonymous (unauthenticated) bind,
            // which AD accepts; it must never count as a successful logon.
            if (string.IsNullOrEmpty(strusername) || string.IsNullOrEmpty(strPassword))
            {
                return false;
            }

            DirectoryEntry objDseSearchRoot = null;
            DirectorySearcher objDseSearcher = null;
            try
            {
                /* Give the LDAP server IP along with the OU to search under,
                 * e.g. LDAP://29.29.29.29:389/DC=YourDomain,DC=com */
                string strLDAPPath = "LDAP://" + LdapServer;

                // Bind with Negotiate (AuthenticationTypes.Secure) rather than
                // AuthenticationTypes.None, which sends the password in clear text.
                objDseSearchRoot = new DirectoryEntry(strLDAPPath,
                    strDomain + "\\" + strusername, strPassword, AuthenticationTypes.Secure);

                // The first property read performs the bind; bad credentials throw here.
                string strRootDN = objDseSearchRoot.Properties["distinguishedName"].Value as string;

                objDseSearcher = new DirectorySearcher(objDseSearchRoot);
                objDseSearcher.SearchScope = SearchScope.Subtree;
                objDseSearcher.CacheResults = false;

                // Search for this user only. Without a filter FindAll() returns every
                // object under the root, which proves nothing about the user. The
                // user name is escaped (RFC 4515) so it cannot alter the filter.
                string strSafeName = strusername.Replace("\\", "\\5c").Replace("*", "\\2a")
                                                .Replace("(", "\\28").Replace(")", "\\29");
                objDseSearcher.Filter = "(&(objectClass=user)(sAMAccountName=" + strSafeName + "))";

                SearchResult objResult = objDseSearcher.FindOne();
                return objResult != null;
            }
            catch (Exception)
            {
                // Fail closed: any bind or search error is treated as "not authenticated".
                return false;
            }
            finally
            {
                if (objDseSearcher != null) objDseSearcher.Dispose();
                if (objDseSearchRoot != null) objDseSearchRoot.Dispose();
            }
        }
    }
}
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: LDAP authentication
Dec 19, 2011 10:07 AM
Well, let's not forget that the reason the LDAP Browser opens without asking you to authenticate is because it is running under your identity. You should be able to search right down to the RootDSE without too much trouble. I'll take a peek at your code and see if I can come up with anything.
spyxdaxworld
Member
431 Points
232 Posts
Re: LDAP authentication
Dec 20, 2011 01:50 AM
Well, I downloaded the software onto my laptop, then I just typed in the URL for LDAP into 'Softerra LDAP Browser', and it took me into the LDAP directory without authenticating. Thank you so much for walking me through this; I will be waiting for your reply.
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: LDAP authentication
Dec 20, 2011 09:57 AM
Again, it's running under your user identity, so that is why it's having no trouble touching AD. You could try right-clicking the icon, clicking Run As..., and running it as the user identity that you're having difficulty with. I suspect you will get an error.
spyxdaxworld
Member
431 Points
232 Posts
Re: LDAP authentication
Dec 20, 2011 05:44 PM
Thanks for clearing up my confusion. If we could approach this issue in any other way, it would be really helpful.
bbcompent1
All-Star
33097 Points
8529 Posts
Moderator
Re: LDAP authentication
Dec 21, 2011 10:14 AM
I have a thought that maybe your web server might not have a Service Principal Name in AD. The SPN is critical in allowing logged-in users to authenticate against AD effectively. Take a look at this article for the basics to get this working:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
"Kerberos is the default method of network authentication for services in Windows Server 2003. A service can use Kerberos only if that service first registers a service principal name (SPN) in Active Directory. By default, Active Directory registers the NetBIOS, or computer, name of the server, but if the SPN is different, you must manually register the service. Before Kerberos can authenticate a service, the service must be registered on only one account object. If the logon account name of a service instance changes, the service must be reregistered under the new account. Therefore, only one application pool that has the service registered can authenticate with Kerberos."
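A way to verify the point the quoted article makes, as an added C# example that is neither the poster's code nor part of the linked article: it asks AD which account objects carry a given servicePrincipalName and classifies the answer as not registered, registered once, or duplicated. IIS's Kerberos SPN takes the form HTTP/<host name the browser uses>; www.example.com is a placeholder. When the application pool runs as Network Service the HOST/ SPNs that AD registers on the computer account cover HTTP, but when the pool runs as a domain account the HTTP/host SPN has to be on that account, and if it ends up on two accounts Kerberos fails and clients fall back to NTLM. The query binds under the calling Windows identity, just as the LDAP Browser did.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public enum SpnState { NotRegistered, Registered, Duplicate }

public static class SpnCheck
{
    // Escape the filter metacharacters an SPN could contain (RFC 4515); backslash first.
    private static string EscapeFilterValue(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
    }

    // Returns the distinguishedName of every account object holding the SPN.
    // No explicit credentials: the bind uses the calling Windows identity, so run
    // this as a domain user that is allowed to read the directory.
    public static List<string> FindHolders(string spn)
    {
        var holders = new List<string>();
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string baseDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var root = new DirectoryEntry("LDAP://" + baseDn))
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.SearchScope = SearchScope.Subtree;
                // servicePrincipalName is multi-valued; this matches any value on any object.
                searcher.Filter = "(servicePrincipalName=" + EscapeFilterValue(spn) + ")";
                searcher.PropertiesToLoad.Add("distinguishedName");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult r in results)
                        holders.Add((string)r.Properties["distinguishedName"][0]);
                }
            }
        }
        return holders;
    }

    // Kerberos needs exactly one holder: none means the service cannot get a ticket,
    // more than one means the KDC cannot tell which account's key to use.
    public static SpnState Classify(ICollection<string> holders)
    {
        if (holders.Count == 0) return SpnState.NotRegistered;
        return holders.Count == 1 ? SpnState.Registered : SpnState.Duplicate;
    }

    public static void Main()
    {
        // Placeholder host names: check both the FQDN and the short name users might type.
        foreach (string spn in new[] { "HTTP/www.example.com", "HTTP/www" })
        {
            List<string> holders = FindHolders(spn);
            Console.WriteLine("{0}: {1}", spn, Classify(holders));
            foreach (string dn in holders)
                Console.WriteLine("  held by " + dn);
        }
    }
}
```

If the result is NotRegistered for the name users actually browse to, the SPN has to be registered on the account the application pool runs as; if it is Duplicate, one of the two registrations has to go before Kerberos (and with it the identity impersonation the earlier post relies on) will work.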