Velocity Reviews - Computer Hardware Reviews

Use IsInRole method with Domain and Username, but without password

 
 
Steve Kallal, 06-08-2005
I am a relative newbie to ASP .NET security. I have an administrative screen
to add users to a small database that manages privileges within a Web app.
The table contains the domain name and username. I want to be able to add a
user to the table and check to see if the Domain\Username combination is
valid in an Active Directory role.

However all of the .NET code samples I find require the domain, username and
password. I am looking for a way to verify a user is in an Active Directory
role without passing the password. For example, I can pass my Domain and
Username to a routine along with a password using the LogonUser API call and
then verify my membership in a role. But I want to be able to do this for
other users without knowing their passwords. My hunch is that this is not
possible. But I am hoping it is.

Otherwise, I will simply need to wait until the user logs onto the app and
the windows login fails.

Thanks in advance,

Steve Kallal

 
Joseph Bittman MCAD, 06-08-2005
June 8, 2005

You could use LDAP and System.DirectoryServices to query Active
Directory and find out yourself. Then you won't have to know the password,
but it would require programming on your part. It also might require greater
privileges than you have right now, but you might want to look into it. I'm
not familiar with LDAP, so I hope that this will lead you in the right
direction.

--
Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

Steve Kallal, 06-08-2005
Thanks Joseph. I was searching the newsgroups and came up with similar ideas.
Sorry you're not familiar with it, but at least I have some direction.

Steve Kallal

 
Joe Kaplan (MVP - ADSI), 06-08-2005
The best way to do this is with the "protocol transition" constructor for
WindowsIdentity which just takes a userPrincipalName as an argument. It
will use Kerberos S4U to create a WindowsIdentity which can create a
WindowsPrincipal. This can be used for role checks.

The downside is that it requires Windows Server 2003 to run on AND Windows
Server 2003 native mode domain controllers. However, it does work. We use
it internally to do something very similar in a custom SharePoint
application and it is great.

As Joseph mentioned, unwinding groups via S.DS/LDAP is also a possibility,
but that sucks quite a bit more.

HTH,

Joe K.

Steve Kallal, 06-09-2005
Thanks Joe. I had looked at the WindowsIdentity constructor earlier today. I
could not find any real documentation on what string to pass, so I tried
several without any success. I do believe we are using Windows 2003 Server
here, but as to Native Mode, I will need to research.

Please elaborate on the userPrincipalName string if you can.

Thanks,

Steve Kallal

 
Joe Kaplan (MVP - ADSI), 06-09-2005
User principal name (UPN) is the logon name format of (E-Mail Removed). If
you don't know yours, you can look it up in AD Users and Computers or
another AD query tool.

Note also that you can only RUN this code on a 2003 server. The underlying
API variant is only supported there. Calling it from XP or lower won't
work, regardless of your AD environment.

Joe K.

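An added example of the approach Joe describes in his two replies above (the S4U "protocol transition" constructor, fed a UPN). It is written for this page and is not code from the thread. It assumes .NET 2.0 or later, Windows Server 2003 or later as the host, a domain at 2003 native mode or higher, and placeholder names such as jdoe@corp.example and CORP\WebAppAdmins:

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Added example, not code from the thread. Role check with the "protocol
// transition" constructor WindowsIdentity(string userPrincipalName), which
// asks the domain controller for a Kerberos S4U2Self token for the named
// account; no password is involved. Assumed: .NET 2.0 or later, the code
// running on Windows Server 2003 or later, the domain at 2003 native mode
// or higher. User, domain and group names are placeholders.
public static class S4URoleCheck
{
    // Returns true when the account named by the UPN ("jdoe@corp.example",
    // i.e. its userPrincipalName attribute, not "CORP\jdoe") is in the group,
    // directly or through nested groups. On failure 'reason' says why.
    public static bool IsInRole(string userPrincipalName, string groupName, out string reason)
    {
        reason = null;
        try
        {
            WindowsIdentity identity = new WindowsIdentity(userPrincipalName);

            // Unless the web app's account has been granted protocol transition
            // ("use any authentication protocol") the token is identification
            // level: enough to read the group SIDs, which is all a role check
            // needs, but not enough to impersonate the user, and never proof
            // that the user is actually present at the browser.
            WindowsPrincipal principal = new WindowsPrincipal(identity);

            // IsInRole(string) translates "DOMAIN\Group" to a SID and looks
            // for it in the token's group list (nested membership included).
            return principal.IsInRole(groupName);
        }
        catch (SecurityException ex)
        {
            // Thrown when the UPN does not resolve, the caller lacks rights, or
            // the host / domain does not support S4U (e.g. Windows 2000 DCs).
            reason = ex.Message;
            return false;
        }
    }

    // Lists the groups in the S4U token as DOMAIN\Name (raw SID when the name
    // cannot be resolved), so the admin screen can show what the directory
    // says about a candidate before a row goes into the privilege table.
    public static List<string> GroupNames(string userPrincipalName)
    {
        WindowsIdentity identity = new WindowsIdentity(userPrincipalName);
        List<string> names = new List<string>();
        foreach (IdentityReference group in identity.Groups)
        {
            try
            {
                names.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(group.Value);   // e.g. the SID of a deleted group
            }
        }
        return names;
    }

    // Usage: S4URoleCheck.exe jdoe@corp.example "CORP\WebAppAdmins"
    public static void Main(string[] args)
    {
        string reason;
        bool member = IsInRole(args[0], args[1], out reason);
        Console.WriteLine(member
            ? "member"
            : "not a member" + (reason == null ? "" : " (" + reason + ")"));
        if (reason == null)
        {
            foreach (string name in GroupNames(args[0]))
                Console.WriteLine("  " + name);
        }
    }
}
```

Two points matter when wiring this into the admin screen. The constructor wants the account's userPrincipalName, so a table keyed on domain\username needs that attribute looked up first (Joe's pointer to AD Users and Computers is the manual version of that lookup). And the result only reports what the directory says about the account: anyone who can run this code can mint a token for any UPN, so it validates a row before insertion; it does not authenticate anybody.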
Steve Kallal, 06-09-2005
Thanks again Joe for the prompt reply. Unfortunately the domain controllers
are Windows 2000. As for the client machine calling it, I use XP Pro as my
development desktop. The Web servers that will host the code are Windows
Server 2003. My DBA tells me we are a Windows 2000 network for now because
there are still some NT 4 servers lingering.

I guess this leaves me with Joseph's LDAP solution, of which he claims no
knowledge. If you know anything about the LDAP solution and the
System.DirectoryServices namespace, let me know. Otherwise I will repost this
question accordingly.

Thanks again,

Steve Kallal

 
Joseph Bittman MCAD, 06-09-2005
June 9, 2005

LOL No, I don't have any knowledge. (Now for the resume line.) But I am
eager to learn! LOL Okay, but seriously, if Joe knows of a
System.DirectoryServices book, let me know! I've been looking for one for
quite a while now and have yet to find one. I would prefer a Microsoft Press
but just need a book from any source. I'm actually in a beta where LDAP is
used for one of the features, but I need to find a book to learn LDAP. If
anybody has suggestions, I would greatly appreciate them!

--
Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes

Joe Kaplan (MVP - ADSI), 06-09-2005
Start with Ryan's blog posting here:
http://dunnry.com/blog/archive/2005/03/09/211.aspx

It explains how to do group membership expansion for a user in AD via LDAP.
I think his sample may have a bug, but I'm sitting next to him at Tech Ed
and will ask him to fix it.

There are a few gotchas when doing LDAP programming in ASP.NET that you have
to watch out for. This article is a good start.

http://support.microsoft.com/default...b;en-us;329986

If you get stuck, come back and start a new thread.

Joe K.

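Joseph's LDAP suggestion earlier in the thread and Joe's pointer to group membership expansion above describe the same approach, the one that still works with Windows 2000 domain controllers. The following is an added example of it, written for this page and not taken from the thread or the linked articles. It assumes .NET 2.0 or later, an LDAP path to a domain controller in the user's domain, a dedicated low-privilege bind account whose credentials come from configuration, and placeholder names throughout:

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example, not code from the thread or the linked articles. Group
// membership check through LDAP with System.DirectoryServices, for domains
// where the S4U constructor cannot be used (e.g. Windows 2000 DCs).
// Assumed: .NET 2.0 or later, an LDAP path to a domain controller of the
// user's domain (tokenGroups is computed by the DC that answers and is not
// available through a global catalog bind), and a dedicated low-privilege
// bind account read from configuration. All names are placeholders.
public static class LdapRoleCheck
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515). The
    // account name comes from the admin screen, so without this a value
    // such as  *)(objectClass=*  rewrites the query (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Finds a single object by sAMAccountName under 'root'. 'classFilter'
    // is one or more filter items, e.g. "(objectCategory=group)".
    static SearchResult FindBySamAccountName(DirectoryEntry root, string classFilter,
                                             string samAccountName, string[] attributes)
    {
        string filter = "(&" + classFilter +
                        "(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, attributes))
        {
            searcher.SearchScope = SearchScope.Subtree;
            return searcher.FindOne();
        }
    }

    // Returns true when user 'userSam' is a member of group 'groupSam' in the
    // domain at 'ldapPath' (e.g. "LDAP://dc1.corp.example/DC=corp,DC=example"),
    // counting nested groups and the primary group; false when either object
    // is missing or the user is not a member.
    public static bool IsMember(string ldapPath, string bindUser, string bindPassword,
                                string userSam, string groupSam)
    {
        // Explicit service credentials: the ASP.NET worker process identity, or
        // a browser user impersonated over NTLM (whose credentials cannot make
        // the second hop to the DC), is the usual reason searches fail from a
        // web app. Keep the password in protected configuration, not in code.
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, bindUser, bindPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            SearchResult group = FindBySamAccountName(root, "(objectCategory=group)",
                                                      groupSam, new string[] { "objectSid" });
            if (group == null) return false;
            SecurityIdentifier groupSid =
                new SecurityIdentifier((byte[])group.Properties["objectSid"][0], 0);

            SearchResult user = FindBySamAccountName(root,
                "(objectCategory=person)(objectClass=user)",
                userSam, new string[] { "distinguishedName" });
            if (user == null) return false;

            using (DirectoryEntry userEntry = user.GetDirectoryEntry())
            {
                // tokenGroups is a constructed attribute: the DC expands every
                // group the account belongs to (nested groups and the primary
                // group, which memberOf never lists) into a flat list of SIDs.
                // It is only returned by a base-level read of the object, hence
                // RefreshCache on the entry rather than a searcher attribute.
                userEntry.RefreshCache(new string[] { "tokenGroups" });
                foreach (object value in userEntry.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier((byte[])value, 0);
                    if (sid.Equals(groupSid)) return true;
                }
            }
        }
        return false;
    }
}
```

A call from the admin screen looks like `LdapRoleCheck.IsMember("LDAP://dc1.corp.example/DC=corp,DC=example", @"CORP\svc_webapp", bindPassword, "jdoe", "WebAppAdmins")`, with the domain part of the table's domain\username used to pick the LDAP path. Comparing SIDs rather than names means a renamed group still matches, and letting the DC compute tokenGroups avoids the classic bug in hand-rolled memberOf walks, where the primary group (normally Domain Users) and deeply nested groups are missed.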
Joe Kaplan (MVP - ADSI), 06-09-2005
I'm hoping we have a good answer on a .NET LDAP book around the new year.


In the meantime, there is an APress title that is ok, but not great.

Joe K.
