ASP .NET and Active Directory

clamum

Lifer
Feb 13, 2003
26,252
403
126
I'm working on this web application in ASP .NET and it is supposed to authenticate through Active Directory with a given domain and username (no password is supplied).

To get around the issue of not having a password, I created a user in Active Directory with a given account name and password. I hoped to be able to login to the domain with that username and password, then do a search for the real username and see what groups that user belongs to.

This works up to a point... I can authenticate into Active Directory with that user I set up for this purpose and also search and find the username I'm looking for, but I cannot get a list of that user's groups. There are only a few properties returned in the search (cn, displayname, samaccountname, and a few others, but no memberOf).

I'm just wondering if there's a way to do this. Any help would be great, thanks.
 

KB

Diamond Member
Nov 8, 1999
5,406
389
126
If this ASP.net application is on your intranet and uses Windows Authentication I would use User.IsInRole("domain\groupname") to check on the user's rights.

For what you are doing (using a DirectorySearcher) take a look at this page:

http://www.codeproject.com/use...directory_in_vbnet.asp

particularly this statement is needed:

dirSearcher.PropertiesToLoad.Add("memberOf")
 

clamum

Lifer
Feb 13, 2003
26,252
403
126
Originally posted by: KB
If this ASP.net application is on your intranet and uses Windows Authentication I would use User.IsInRole("domain\groupname") to check on the user's rights.

For what you are doing (using a DirectorySearcher) take a look at this page:

http://www.codeproject.com/use...directory_in_vbnet.asp

particularly this statement is needed:

dirSearcher.PropertiesToLoad.Add("memberOf")
It will be deployed on Intranets but the client doesn't want to use Windows Authentication. We did have it using Windows Authentication but a popup box would come up as soon as the website was accessed and they didn't want that. The changes they wanted to this web application were to make logging in more seamless, hence not wanting another popup box.

In addition, the current user may launch the web app and leave the computer without logging off, and another may launch it (and have different privileges), so getting the local user's role may not work. Very good idea though, I'll keep it in mind in case things change.

About that PropertiesToLoad.Add(), I actually did have that in place originally. I ended up getting an array out of bounds exception which stumped me for a bit, turns out memberOf was returned, but it was blank (even though the user was in a few groups). So I removed that PropertiesToLoad line so it would return all properties, and memberOf was not among them.
 

Snapster

Diamond Member
Oct 14, 2001
3,916
0
0
If this is just a web site on the Intranet you can configure the application in IIS to use windows authentication, no pop-up box will appear if configured correctly.
 

KB

Diamond Member
Nov 8, 1999
5,406
389
126
The code definitely works.. at least in my domain it does.

MemberOf is a collection.. did you try to walk through it using a for loop?

' memberOf is multi-valued: iterate the collection instead of reading it as one value
For i As Integer = 0 To dirSearchResults.Properties("memberOf").Count - 1
    MsgBox(CStr(dirSearchResults.Properties("memberOf")(i)))
Next


The user you created to connect to AD. Did you give it "Read Group membership" rights to be able to view all users in AD?
For testing add the account to the Account Operators and see if you can see group membership then with your code.


 

clamum

Lifer
Feb 13, 2003
26,252
403
126
Originally posted by: Snapster
If this is just a web site on the Intranet you can configure the application in IIS to use windows authentication, no pop-up box will appear if configured correctly.
Yeah, I figured that there shouldn't be a popup box, but it probably just wasn't configured correctly. The only problem with that is, like I mentioned earlier, these users may not log off of their account after using this web app. So the next user that comes by and logs in may still be under the first user's credentials.
 

clamum

Lifer
Feb 13, 2003
26,252
403
126
Originally posted by: Snapster
Doesn't sound like the company is too hot on security. :)
Haha yeah, well it's software that is used in hospitals and I've been told that there is the possibility that the doctors/nurses/whoever using those computers may not log out each time they're done. This web app interacts with another piece of software already installed that does the actual authenticating for each user.

Originally posted by: KB
The user you created to connect to AD. Did you give it "Read Group membership" rights to be able to view all users in AD?
For testing add the account to the Account Operators and see if you can see group membership then with your code.
I didn't even think of that. I added the account to Account Operators and it did in fact give me the groups and the rest of the properties that weren't showing up before. Thanks a million! :)
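Putting KB's two suggestions together (request memberOf explicitly, walk it as a collection) and the final resolution above, here is a complete VB.NET lookup. This is an added example, not code from the thread or from the CodeProject article it links; the LDAP path, the service account name and password, and the username being looked up are placeholders. It also escapes the supplied username before building the LDAP filter, since in the original setup that username is taken as input without a password, and it tests for the memberOf key before indexing it, which is the out-of-range exception clamum hit.

```vbnet
' Added example (not from the thread): bind with a dedicated read-only account,
' find a user by sAMAccountName and return the group DNs listed in memberOf.
' Placeholders to replace: the LDAP path, the bind account and its password.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text

Module AdGroupLookup

    ' Escape user-supplied text before placing it in an LDAP filter (RFC 4515),
    ' so a value such as "*" or "a)(objectClass=*" cannot change the query.
    Function EscapeLdapFilter(value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Returns the distinguished names of the groups the user is a direct member of.
    ' Returns Nothing when the user is not found and an empty list when memberOf
    ' is absent or empty. Note: the primary group (usually Domain Users) is never
    ' in memberOf (it is held in primaryGroupID), and nested groups are not expanded.
    Function GetDirectGroups(ldapPath As String, bindUser As String, _
                             bindPassword As String, samAccountName As String) As List(Of String)
        Using root As New DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                                  EscapeLdapFilter(samAccountName) & "))"
                ' Ask only for what is needed; memberOf has to be requested explicitly here.
                searcher.PropertiesToLoad.Add("sAMAccountName")
                searcher.PropertiesToLoad.Add("memberOf")

                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return Nothing

                Dim groups As New List(Of String)()
                ' Check for the key first: indexing a property the server did not
                ' return is what produces the out-of-range exception from the thread.
                If result.Properties.Contains("memberOf") Then
                    For Each groupDn As Object In result.Properties("memberOf")
                        groups.Add(CStr(groupDn))
                    Next
                End If
                Return groups
            End Using
        End Using
    End Function

    Sub Main()
        ' Placeholders: the domain, a least-privilege read-only service account
        ' and the user to look up.
        Dim groups As List(Of String) = GetDirectGroups("LDAP://DC=example,DC=local", _
            "EXAMPLE\svc_webapp_ro", "<service-account-password>", "jdoe")
        If groups Is Nothing Then
            Console.WriteLine("user not found")
        ElseIf groups.Count = 0 Then
            Console.WriteLine("no memberOf values returned (check the bind account's read rights)")
        Else
            For Each dn As String In groups
                Console.WriteLine(dn)
            Next
        End If
    End Sub

End Module
```

Two practical notes. An empty list with the "check read rights" message is the symptom the thread describes, so that branch is the place to verify the bind account's permissions. The thread resolved it by adding the account to Account Operators, which works but also lets that account create and modify user and group accounts; a service account granted only read access to group membership keeps the web application's credentials at the privilege level the lookup actually needs.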