Problem in Accessing Active Directory from ASP.net

 
 
Maqsood Ahmed [MCAD .NET]
06-23-2006
Environment:
Windows XP, .NET/ASP .NET 2.0

I am developing an intranet application for my company. I want to use LDAP
to get the existing users of the company and allow them access according to
their roles. I have set identity impersonation = true and authentication mode
= "Windows" in the Web.config file of the application.

I get a COMException whenever I try to access LDAP objects using the
DirectoryEntry class. It only happens when I use it through IIS; it works
fine with the ASP .NET Development Server. Please note that I am using serverless
binding.
The exception message is like the following:
System.Runtime.InteropServices.COMException (0x8007054B): The specified
domain either does not exist or could not be contacted.

Code:
DirectoryEntry de = new DirectoryEntry();
string domainName = de.Name; //This line generates exception
I have also tried to assign a domain account as the Anonymous account for
the Virtual Directory, but it didn't help either.
Can any of you please let me know what I should do to get it
working? Should I always provide the domain name, username and password to
access the LDAP objects, or can't it be used via anonymous access?
 
Joe Kaplan (MVP - ADSI)
06-23-2006
We cover this type of stuff in great detail in our book, but here are a few
pointers.

First, you may not need to use LDAP at all to get the user's groups. If you
are using Windows auth in IIS (IWA, Basic or Digest), then ASP.NET already
"knows" the user's groups via the WindowsIdentity and WindowsPrincipal objects
in Context.User. Just call IsInRole to access the Groups property.

If you really do need to access AD using the authenticated user's
credentials and you are using IWA for authentication, then you'll need to
enable Kerberos delegation. You also may need to provide a domain hint in
your path as serverless binding may not work the way you want to. Simply
put the DNS domain name in your path:

LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of

LDAP://DC=yourdomain,DC=com

Getting Kerberos delegation working will likely be the more tricky part.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
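An added example, not code from the thread or from Joe's book, showing both pointers in C# for an ASP.NET 2.0 code-behind: the token-based role check that needs no LDAP call, and the domain-hinted LDAP path in place of serverless binding. The class name, the group name and "yourdomain.com" are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

public static class IntranetAuth
{
    // Pointer 1: no LDAP call at all. With Windows authentication in IIS,
    // Context.User is a WindowsPrincipal whose group SIDs arrived with the
    // logon token, so IsInRole needs no round trip to a domain controller.
    public static bool CallerIsInRole(HttpContext ctx, string domainGroup)
    {
        WindowsPrincipal caller = ctx.User as WindowsPrincipal;
        if (caller == null)
            return false;                 // anonymous, or not Windows auth
        return caller.IsInRole(domainGroup); // e.g. @"YOURDOMAIN\Intranet Admins" (assumed name)
    }

    // Pointer 2: if AD really must be queried, give the provider a domain hint
    // instead of relying on serverless binding. "yourdomain.com" becomes
    // LDAP://yourdomain.com/DC=yourdomain,DC=com, the form the reply shows.
    public static string DomainHintedPath(string dnsDomain)
    {
        if (string.IsNullOrEmpty(dnsDomain))
            throw new ArgumentException("DNS domain name required", "dnsDomain");
        string dn = "DC=" + string.Join(",DC=", dnsDomain.Split('.'));
        return "LDAP://" + dnsDomain + "/" + dn;
    }

    // Binds under the thread's current token. Inside a request with
    // impersonation on, that is the caller's token, so a bind to a remote DC
    // only works once Kerberos delegation is configured for the web server;
    // without it the bind fails instead of silently using another identity.
    public static string ReadDomainRootName(string dnsDomain)
    {
        using (DirectoryEntry root = new DirectoryEntry(DomainHintedPath(dnsDomain)))
        {
            return root.Name;             // e.g. "DC=yourdomain"
        }
    }
}
```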
 
Maqsood Ahmed
06-26-2006
Hello Joe,
Thanks for replying. Please note that I am facing difficulty in accessing
LDAP objects only on application startup (i.e. when I try to access them in the
Application.Start event). It works fine if I access them via any aspx page.
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net


Joe Kaplan (MVP - ADSI)
06-26-2006
Perhaps the security context is different here then. What is the value of
System.Security.Principal.WindowsIdentity.GetCurrent().Name in each case?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Maqsood Ahmed
06-27-2006
Hello,
Yes, that is what I wanted to say earlier: the security context is
different for the two.
It is using the ASPNET local account in the Application.Start event handler, while
it is using my logged-on domain account context when I access LDAP from an
aspx page.

How can I access LDAP in Application.Start event handler?
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net


Joe Kaplan (MVP - ADSI)
06-27-2006
I'm guessing you are running under XP or Win2K then, right? In this case,
you either need to programmatically impersonate a service account or
(probably better), change the process account to a valid domain account that
can access AD. In XP and 2K, you do this by changing the processModel
configuration in machine.config.

If you were using IIS 6/Win2K3, you just change the app pool identity as
required.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
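An added example, not from the thread: a Global.asax code-behind that records the identity Joe asked about in each context and, rather than leaving Application_Start to the local ASPNET process account, binds with a dedicated read-only service account held in configuration. The appSettings keys and the choice of explicit DirectoryEntry credentials instead of programmatic impersonation are assumptions; changing the processModel or app pool identity, as the reply suggests, remains the alternative that needs no code.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumed appSettings keys; the thread names none. Keep the password in an
    // encrypted configuration section, never in source.
    const string PathKey = "ldapPath";      // e.g. LDAP://yourdomain.com/DC=yourdomain,DC=com
    const string UserKey = "ldapUser";      // least-privilege, read-only account
    const string PassKey = "ldapPassword";

    // Joe's diagnostic: on XP this reports MACHINE\ASPNET in Application_Start
    // but the impersonated caller (DOMAIN\user) inside a request.
    static string CurrentContext()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        Trace.WriteLine("Application_Start runs as " + CurrentContext());

        // There is no request here, hence no impersonated user: a serverless
        // bind under the local ASPNET account is what produced 0x8007054B.
        // Secure selects Kerberos/NTLM (no cleartext password on the wire);
        // Sealing encrypts the LDAP session.
        using (DirectoryEntry root = new DirectoryEntry(
            ConfigurationManager.AppSettings[PathKey],
            ConfigurationManager.AppSettings[UserKey],
            ConfigurationManager.AppSettings[PassKey],
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            Application["DomainName"] = root.Name;   // e.g. "DC=yourdomain"
        }
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Per-request code sees the caller's token, which is why the same
        // DirectoryEntry code worked from an aspx page.
        Trace.WriteLine("Request runs as " + CurrentContext());
    }
}
```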
 