Last post May 11, 2006 04:48 AM by objecta
Apr 27, 2006 01:41 PM | objecta
I'm having the same problem, and what I'm trying to do is to find a way to use the logged-in user's credentials to get access to AD. My customer will not accept any username or password in the code or config files; all user information should come from
I have read the "Common System.DirectoryServices Issues and Solutions", and my setup is the same as #3, so could you please show some example of how this can be done?
This is my web.config entry: (IIS 5.0 set to Integrated Windows authentication only)
This is the code snippet I use to test with:

    Imports System.DirectoryServices

    ' Bind to AD without explicit credentials: the bind runs under the current security context.
    If (DirectoryEntry.Exists("LDAP://rootDSE")) Then
        Dim objDir As New DirectoryEntry("LDAP://rootDSE")
        Dim sPath As String = objDir.Properties("rootDomainNamingContext").Value.ToString()
        objDir = New DirectoryEntry("LDAP://" & sPath)
        objDir.AuthenticationType = AuthenticationTypes.Secure
        Dim objSearch As New DirectorySearcher(objDir)
        objSearch.Filter = "(&(objectclass=user)(objectcategory=person))"
        objSearch.SearchScope = SearchScope.Subtree
        Dim colQueryResults As SearchResultCollection
        colQueryResults = objSearch.FindAll()
        Dim objResult As SearchResult
        For Each objResult In colQueryResults
            ' cn is multi-valued in the result collection; take the first value
            Label1.Text &= objResult.Properties("cn")(0).ToString() & "<BR>"
        Next
    End If
Apr 28, 2006 02:12 AM | objecta
Somehow this post has been taken out of context. I meant to post it as a reply to this post.
Apr 28, 2006 12:50 PM | dunnry
Apr 28, 2006 12:56 PM | dunnry
May 10, 2006 07:43 AM | objecta
Thanks for your reply and sorry for the delay.
I have changed the test code as follows, and the code works fine on my developer machine, but fails when I try it on a server (Windows 2003), with the following error: "The specified directory service attribute or value does not exist". Now if I set a username and a password for a valid AD user, the code works fine.
    using System.DirectoryServices;
    try {
        DirectoryEntry rootGC = new DirectoryEntry("LDAP://rootDSE");
        string sADPath = "LDAP://" + rootGC.Properties["defaultNamingContext"].Value.ToString();
        // null username/password: the bind runs under the current security context
        DirectoryEntry DE = new DirectoryEntry(sADPath,
            null, null, AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
        Label1.Text = "OK: " + User.Identity.Name;
    } catch (Exception e) {
        Label1.Text = e.Message;
    }
May 10, 2006 10:35 AM | dunnry
May 11, 2006 02:29 AM | objecta
Thanks for the quick reply. This is the output from my test:
On localhost (Developer PC)
User Identity name: VALUEDOM\test
LDAP path: LDAP://DC=ValueDom,DC=Valuenetics,DC=com
The specified directory service attribute or value does not exist
I will look into the IIS not being in the domain or on a different one.
So it should be possible to read a list of all users and a list of all groups from AD, and to read a specific group's memberships, without any specific credentials. In my application I only need to read, never to do any insert, update or delete.
May 11, 2006 04:48 AM | objecta
I have been looking into the IIS settings to see if there were some problem with the server running IIS not being a member of the domain. I think I have some information regarding this.
Could my IIS/Server be a victim of the "IIS Double-Hop" issue?
I have added some code to test this.
    using System.Security.Principal;
    try {
        Label2.Text = "<B>LDAP path: </B>" + sADPath; // sADPath from the previous snippet
        // GetCurrent() returns the identity the page code actually runs as (the AppPool identity unless impersonating)
        WindowsIdentity connectedUser = WindowsIdentity.GetCurrent();
        Label3.Text = connectedUser.Name + "<BR>";
        Label3.Text += "OK: " + User.Identity.Name; // the authenticated web user
    } catch (Exception e) {
        Label3.Text = e.Message;
    }
NT AUTHORITY\NETWORK SERVICE
So it looks like if I impersonate the IIS user (AppPool) and also give NT AUTHORITY\NETWORK SERVICE access to AD, it could work.
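An added example, not code from this thread, of the impersonation approach the last post arrives at: the read-only LDAP query is run under the authenticated web user's security context instead of the application pool identity, so no username or password is stored in code or config. It does not remove the double-hop problem on its own: the web server must be domain-joined and Kerberos delegation must be permitted for the second hop to the domain controller, since an NTLM network-logon token cannot be forwarded. It assumes an ASP.NET page with Integrated Windows authentication, an available HttpContext, and the hypothetical helper name AdReadOnlyQuery.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (not from the thread) for an ASP.NET page using Integrated Windows authentication.
public static class AdReadOnlyQuery
{
    // Reads user common names from AD under the authenticated web user's context.
    // boundAs reports which Windows identity the directory calls ran as.
    public static List<string> ListUserCommonNames(HttpContext ctx, out string boundAs)
    {
        boundAs = null;
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("Integrated Windows authentication is required.");

        List<string> names = new List<string>();
        // Impersonate only for the duration of the directory calls; Undo() runs when the using block ends.
        using (WindowsImpersonationContext imp = caller.Impersonate())
        {
            boundAs = WindowsIdentity.GetCurrent().Name; // now the web user, not NT AUTHORITY\NETWORK SERVICE
            using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://rootDSE"))
            {
                string ncPath = "LDAP://" + rootDse.Properties["defaultNamingContext"].Value;
                // null user/password: bind with the impersonated context, signed and sealed
                using (DirectoryEntry root = new DirectoryEntry(ncPath, null, null,
                    AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing))
                using (DirectorySearcher search = new DirectorySearcher(root))
                {
                    search.Filter = "(&(objectClass=user)(objectCategory=person))";
                    search.SearchScope = SearchScope.Subtree;
                    search.PropertiesToLoad.Add("cn"); // fetch only the attribute that is displayed
                    search.PageSize = 500;             // paged results so large directories are not truncated
                    using (SearchResultCollection results = search.FindAll())
                    {
                        foreach (SearchResult r in results)
                            if (r.Properties.Contains("cn"))
                                names.Add(r.Properties["cn"][0].ToString());
                    }
                }
            }
        }
        return names;
    }
}
```

Comparing boundAs with WindowsIdentity.GetCurrent().Name taken outside the using block shows whether the impersonation actually changed the identity the bind used.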