rhinton
Member
60 Points
12 Posts
LDAP Connection String
Dec 06, 2005 07:12 PM
I can never get this connection string to work; it keeps telling me that it is an invalid LDAP adspath:
LDAP://chestnut.net/CN=Users,DC=chestnut,DC=net
Could this be a permissions thing, because I am not Domain Admin, but I do have Create/Delete Users and groups permission in Active Directory?
dunnry
Star
9098 Points
1806 Posts
Re: LDAP Connection String
Dec 06, 2005 08:11 PM
using System;
using System.DirectoryServices;

// Bind to RootDSE and read back the default naming context and the DC that answered.
DirectoryEntry root = new DirectoryEntry("LDAP://RootDSE");
using (root)
{
    string dnc = root.Properties["defaultNamingContext"][0].ToString();
    string server = root.Properties["dnsHostName"][0].ToString();
    string adsPath = String.Format(
        "LDAP://{0}/{1}",
        server,
        dnc
        );
}
Run this from a local (non-ASP.NET) application to get your string value. Then use that for your ASP.NET applications.
Weblog
The Book
LDAP Programming Help
rhinton
Member
60 Points
12 Posts
Re: LDAP Connection String
Dec 13, 2005 05:49 PM
That gave me a path that didn't work either. It said DC=chestnut,DC=net. That exact path did not work (of course with LDAP added). It kept telling me that the server could not be found. Now if I input this code:
Protected Sub LoginBtn_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim adPath As String = "LDAP://chestnut.net/CN=SR-Network_Team,OU=SR,DC=chestnut,DC=net" 'Path to your LDAP directory server
    Dim adAuth As FormsAuth.LdapAuthentication = New FormsAuth.LdapAuthentication(adPath)
    Try
        If (True = adAuth.IsAuthenticated(DomainBx.Text, UserNamBx.Text, PassBx.Text)) Then
            Dim groups As String = adAuth.GetGroups()
            'Create the ticket, and add the groups.
            Dim isCookiePersistent As Boolean = chkPersist.Checked
            Dim authTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
                UserNamBx.Text, DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups)
            'Encrypt the ticket.
            Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
            'Create a cookie, and then add the encrypted ticket to the cookie as data.
            Dim authCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
            If (isCookiePersistent = True) Then
                authCookie.Expires = authTicket.Expiration
            End If
            'Add the cookie to the outgoing cookies collection.
            Response.Cookies.Add(authCookie)
            'You can redirect now.
            Response.Redirect(FormsAuthentication.GetRedirectUrl(UserNamBx.Text, False))
        Else
            errorLabel.Text = "Authentication did not succeed. Check user name and password."
        End If
    Catch ex As Exception
        errorLabel.Text = "Error authenticating. " & ex.Message
    End Try
End Sub
I am getting my errorLabel text "Authentication did not succeed. Check user name and password."
Now I am assuming that my connectivity is not an issue now. The user credentials are correct, the DomainBx.Text = chestnut.net is correct. I am left to think that it is dealing with the cookie creation. Any suggestions?
dunnry
Star
9098 Points
1806 Posts
Re: LDAP Connection String
Dec 14, 2005 01:58 PM
If you are running this under the ASPNET account, you cannot use serverless binding. It is dependent on the netlogon locator service. It needs to run under domain credentials to know which domain to use a serverless bind against.
You can rectify this in your code by adding the domain to the beginning of the AdsPath or by adding a specific controller:
LDAP://<servername>/DC=chestnut,DC=net
or
LDAP://chestnut.net/DC=chestnut,DC=net
As long as your DNS is not bunged up, it should resolve for you.
Now, that only will fix the ability for you to get a proper SearchRoot for the DirectorySearcher. I have no idea based on the code that you show if there is another issue that is causing the code to fail. If you got this particular code from MSDN called "Forms Auth with Active Directory", it tends to have problems and is one of their more craptastic examples.
rhinton
Member
60 Points
12 Posts
Re: LDAP Connection String
Dec 14, 2005 02:44 PM
I did get it from MSDN. This is my adspath string:
"LDAP://chestnut.net/CN=SR-Network_Team,OU=SR,DC=chestnut,DC=net"
As you can see, I do have chestnut.net at the beginning. This SR-Network_Team is a group in our Active Directory that has the members that I only want to have access to the site that I am creating, and it is located in that OU. So that is where I want it to authenticate against in the Active Directory. As far as the rest of the code, I guess I will have to go line by line and figure it out.
dunnry
Star
9098 Points
1806 Posts
Re: LDAP Connection String
Dec 15, 2005 01:31 PM
Ah... I see the problem. I should have asked what the SR-Network_Team was. I assumed it was a container you created. That is definitely your problem.
Groups do not hold other objects in AD. They have attributes which point to other objects. Containers like CN=Users or organizational units like OU=someOU hold objects. You are searching the directory to see if a user exists. You need to give it a location in your directory that is a parent to your users. So just cut everything off until the DC= stuff and you would be good.
What will happen is that it will bind and authenticate the user. It is then up to you to check the user's group membership using User.IsInRole("SR-Network_Team") to see if they are in the group you want them to be.
It is all dependent on you finding them first.
mychucky
Contributor
4358 Points
3709 Posts
Re: LDAP Connection String
Jul 12, 2006 06:57 PM
Many thanks for this tip. I got mine to work after several days of searching on the asp.net forum and posting. But here's what I am wondering. Instead of checking the group as you suggested, is there a way to create roles and/or users that I want to allow to the page inside the web.config file? I will only allow a couple of users to this page so is there a way to specify which user can log into this page in the web.config file? Same thing with the roles, can I also specify the roles in the web.config file?
Again, thanks for your help.
mychucky
Contributor
4358 Points
3709 Posts
Re: LDAP Connection String
Jul 12, 2006 08:41 PM
Okay, I just realized I got this error every time I compiled.
Message 1 Could not find schema information for the element 'http://schemas.microsoft.com/.NetConfiguration/v2.0:configuration'. U:\web.config 10 2 U:\
Here's my web.config
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings/>
  <connectionStrings>
    <add name="DBConnectionString" connectionString="Data Source=myServer\Tom;Initial Catalog=myDB;Persist Security Info=True;User ID=myUser;Password=myPass" providerName="System.Data.SqlClient"/>
    <add name="ADConnectionString" connectionString="LDAP://mySite.com/DC=mySite,DC=com" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" strict="false" explicit="true">
      <assemblies>
        <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
      </assemblies>
    </compilation>
    <pages>
      <namespaces>
        <clear/>
        <add namespace="System"/>
        <add namespace="System.Collections"/>
        <add namespace="System.Collections.Specialized"/>
        <add namespace="System.Configuration"/>
        <add namespace="System.Text"/>
        <add namespace="System.Text.RegularExpressions"/>
        <add namespace="System.Web"/>
        <add namespace="System.Web.Caching"/>
        <add namespace="System.Web.SessionState"/>
        <add namespace="System.Web.Security"/>
        <add namespace="System.Web.Profile"/>
        <add namespace="System.Web.UI"/>
        <add namespace="System.Web.UI.WebControls"/>
        <add namespace="System.Web.UI.WebControls.WebParts"/>
        <add namespace="System.Web.UI.HtmlControls"/>
      </namespaces>
    </pages>
    <authentication mode="Forms">
      <forms name=".ADAuthCookie" timeout="10" loginUrl="Admin/Login.aspx"/>
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <membership defaultProvider="ActiveDirectoryMembershipProvider">
      <providers>
        <add
          name="ActiveDirectoryMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="ADConnectionString" />
      </providers>
    </membership>
    <customErrors mode="Off"/>
  </system.web>
</configuration>
The page works fine under a web browser but I kept getting this error when building the page. Help is appreciated.
dunnry
Star
9098 Points
1806 Posts
Re: LDAP Connection String
Jul 12, 2006 09:53 PM
Make sure you have selected ASP.NET 2.0 in your IIS MMC as the version of ASP.NET to use. It is likely that you have 1.1 selected now. You should see an ASP.NET tab there in the properties where you can set it.
As for declarative security in your web.config - there certainly is a way to do what you are asking. Look up the <location> tag as well as the <authorization> and <allow>, <deny> tags. I know there are a few samples on MSDN as well as the Security forum here.
mychucky
Contributor
4358 Points
3709 Posts
Re: LDAP Connection String
Jul 13, 2006 12:49 PM
Thanks for the response. Yes, I'm positive that we are using ASP.NET 2.0. The error I mentioned only occurs when I build the page. The page works fine when viewing through the browser. So I'm not sure where the cause is since I already am using ASP.NET 2.0.
Where do I look up all the tags you mentioned?