Last post May 20, 2008 11:27 AM by johram
May 19, 2008 10:25 AM|Tegud83
Feel like I'm getting nowhere with this so was hoping someone had encountered this problem before or had an idea of why it was happening.
I'm trying to authenticate users on a domain. So far it was working great, but some of the users are set up so they can only log on to certain machines. When the machines are removed from the Logon To list in the AD control panel, and the users are able to
log on to any machine, it works fine; as soon as you replace the logon restrictions they can no longer authenticate.
The basis of the login method is below. I've tried accessing the user's own record as opposed to the root domain entry, but that doesn't appear to have any impact. (Username and password are the username and password being authenticated, e.g. user: SOMEDOMAIN\USER1,
try
{
    DirectoryEntry AuthUser = new DirectoryEntry("LDAP://" + _LDAPRootDomain,
        username, password, AuthenticationTypes.Secure);
    // Touching NativeObject forces the bind with the supplied credentials
    object nativeObject = AuthUser.NativeObject;
    authentic = true;
}
catch (DirectoryServicesCOMException) { authentic = false; }
It can't (to my knowledge) be the context the code is being run in, as that would not explain it starting to work as soon as the login restriction has been lifted. We tried adding the Domain Controllers to the Logon To list, but this worked unreliably to begin
with and now no longer works at all.
Any help of suggestions people had would be very much appreciated.
May 20, 2008 04:57 AM|Tegud83
Just correcting myself: it does seem to work when the IIS server is added to the Logon To list in Active Directory. I'm assuming this is because the user passes the login information to the IIS server and this authorises with AD on the user's behalf,
so it looks like the login request is coming from the IIS server, not the user's machine. Can anyone confirm this for me? I am curious about the exact reason, or whether anyone's encountered this before.
May 20, 2008 11:27 AM|johram
That's a really interesting situation you have right there. Problem is I don't think it is common to restrict users to certain machines, which is why google returns 0 or less hits on this [;)]
I can't really confirm your assumption to be true, but I think it makes sense. Accessing the native object of a DirectoryEntry will force an authentication against the domain, which is why the host that performs the authentication needs to be in the list
of valid computers for logon.
Using Reflector, I checked what happens behind the scenes when NativeObject is accessed. Internally, the DirectoryEntry will do a Bind, which in turn generates a call to
ADsOpenObject. This is an API method, and we can only guess what happens in it :-)
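The two observations in this thread (the bind is made by the host running the code, and NativeObject is what triggers it) can be turned into a check that tells a bad password apart from a workstation restriction being applied to the web server. The following is an added example written for this page, not code from either poster. It assumes that the bind failure surfaces as a DirectoryServicesCOMException whose ErrorCode carries the Win32 error as an HRESULT (0x8007xxxx); the three codes used are the documented Win32 values ERROR_LOGON_FAILURE (1326), ERROR_ACCOUNT_RESTRICTION (1327) and ERROR_INVALID_WORKSTATION (1329). The LDAP path, account name and password in Main are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Outcome of a bind attempt, so the caller can distinguish "wrong password"
// from "this user may not log on from the machine doing the bind".
enum BindResult { Success, BadCredentials, AccountRestricted, WorkstationRestricted, OtherFailure }

static class AdBindCheck
{
    // Win32 errors as surfaced through COMException.ErrorCode (HRESULT 0x8007xxxx).
    // Assumption: ADSI maps these logon errors to the matching HRESULTs; verify on a test account.
    const int ErrorLogonFailure       = unchecked((int)0x8007052E); // ERROR_LOGON_FAILURE (1326)
    const int ErrorAccountRestriction = unchecked((int)0x8007052F); // ERROR_ACCOUNT_RESTRICTION (1327)
    const int ErrorInvalidWorkstation = unchecked((int)0x80070531); // ERROR_INVALID_WORKSTATION (1329)

    // Binds to the directory with the credentials under test. The bind originates
    // from the process running this code (e.g. the IIS worker process), so a user
    // whose "Log On To" list excludes this server is expected to fail here even
    // with a correct password.
    public static BindResult TryBind(string ldapPath, string userName, string password)
    {
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(ldapPath, userName, password, AuthenticationTypes.Secure))
            {
                // Reading NativeObject forces DirectoryEntry.Bind, which calls ADsOpenObject.
                object native = entry.NativeObject;
                return native != null ? BindResult.Success : BindResult.OtherFailure;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            switch (ex.ErrorCode)
            {
                case ErrorLogonFailure:       return BindResult.BadCredentials;
                case ErrorAccountRestriction: return BindResult.AccountRestricted;
                case ErrorInvalidWorkstation: return BindResult.WorkstationRestricted;
                default:                      return BindResult.OtherFailure;
            }
        }
        catch (COMException)
        {
            // Anything else from ADSI (e.g. unreachable DC) is not a credential verdict.
            return BindResult.OtherFailure;
        }
    }

    static void Main()
    {
        // Placeholder values; replace with a real domain root and an account under test.
        string ldapPath = "LDAP://DC=example,DC=local";
        BindResult result = TryBind(ldapPath, @"EXAMPLE\user1", "P@ssw0rd");

        // Environment.MachineName is the host that must appear in the user's "Log On To"
        // list for the bind to succeed, which is what the second post in this thread found.
        Console.WriteLine("Bind from {0} to {1}: {2}", Environment.MachineName, ldapPath, result);
    }
}
```

Run it once with a restricted account from a workstation that is on its list and once from the web server that is not; a WorkstationRestricted result on the second run while the first succeeds confirms the restriction is being evaluated against the binding host rather than the browser's machine. Treat AccountRestricted and OtherFailure as "unknown", not as a valid logon.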