Last post Mar 03, 2006 02:54 PM by EnergySmithe
Jan 12, 2006 12:03 PM|JayArmstrong00|LINK
I have inherited some code for a web site and asked to expand on it. I grabbed the books and did some quick learning on asp.net and c#. For the last year I have been adding LDAP lookups and AD account management tools to the site. All of this is behind a
logon page that worked, so I didn't mess with it.
Over the past few weeks as the load on the system is growing I have been experiencing some errors at logon that I can't quite track the cause of and now I am looking at redesigning the login methods. The errors continue until I reboot the server. Luckilly
it is load balanced so I can take one down and the other keeps the site up. Sometimes the error will clear on it's own, so when this is returned I let the user into the site. Cycling IIS or the ASP.Net processes do not clear the error.
If I can get the current process working for now that would be best. They (higher up the food chain) have a list of priorities and doing this redesign in not high on the list. I can do it between other projects, but that will take a couple weeks.
I have been looking at the forms documentation and just wanted to get a some input from more experianced minds. I still don't quite understand how I can get the logon information to authenticate against AD and tie that to the user object so I can do my LDAP
calls later, but I am still reading.
Student and Staff website with one logon page, redirects to sub-sited done by evaluation of values in AD.
Need to be able to authenticate against AD with the username/password throughout the session. This is for LDAP/ADSI functions against AD. Currently storing the username/password pair in the session and passing it into methods as needed. Would like to find
a more secure way of doing this.
Authentication is done in this manner -
errormessage = ptools.login_successful(domain, LoginUserNameBox.Text, LoginPasswordBox.Text);
The error I have been recieving from this process is this:
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again
One or two of these is not a problem. After about 20 or so users having this error on logon my LDAP Directory searches start to return:
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT has been returned from a call to a COM component.
The code that returns that error is:
// Create AD LDAP search target
// Configure Search Returns
(...Find one code...)
System.Runtime.InteropServices.COMException exception =
errorMessage += exception;
Thanks in advance for any help,
Jan 12, 2006 02:02 PM|dunnry|LINK
Jan 12, 2006 02:55 PM|JayArmstrong00|LINK
While reading your post I had one of those "Well Duh" moments about the WinNT provider. Don't know why I didn't see it before, but that is why I needed another set of eyes to review the existing code.
Thanks for the list of options. Considering I need this to scale to a potentially huge number of users I am going to look into the 2.0 LDAP option. Of course I am still waiting on the security guys to approve 2.0 on our environment and it has been like pulling
teeth to get a server cert. Gotta love working for the Gov!
I will fiddle with the LDAP provider on my dev site to see what I can do. If you have any code resources for this type of authentication please post a link. I come from an Active Directory, vbscript, ADSI background and have barely scratched the surface
If I understand the concept correctly I should change my code to retrieve the user object using the passed in username/password. I will have to play with any errors to get the correct text to return to the user.
Again, I think I understand it. I'll have to play some.
Thanks for the help.
Feb 10, 2006 03:29 PM|JayArmstrong00|LINK
I am in need of some more help. I have set up a test site and implemented the LDAP login using .Net 2.0. It works, but only under some fixed circumstances.
If the user's account is normal, the site logs in just fine.
If the user's account is set to change password at next login, the login fails.
If the user's password has expired, the login fails.
The problem I am having is I need to be able to capture the last two and redirect to a password reset page. I am currently doing this with the WinNT provider, but can't capture the messages out of the login control to do the redirects.
Do you have any resources that you can point me to so I can figure this out?
Feb 13, 2006 11:31 AM|dunnry|LINK
Mar 01, 2006 05:50 PM|EnergySmithe|LINK
Mar 03, 2006 02:54 PM|EnergySmithe|LINK
So far, switching to the LogonUser API seems to be working great, it actually seems really responsive. I used the LOGON32_LOGON_NETWORK logon type.
Thanks again to you both - we have been trying to scratch that itch for a long time.