I replaced our domain name with "demo"... please ignore missing commas and such in the image below.

My question is as follows:

I want to authenticate the SBSUsers in my ASP.NET web application. I cannot figure out what my active directory path needs to be in order to get it to work...

When I set it as follows, it fails to authenticate (I assume because my users are not under that path)... but it doesn't give me an error:

using System;
using System.DirectoryServices;

// Fragment of the authentication method; _filterAttribute is a field reused later for the group lookup.
public bool IsAuthenticated(string domain, string username, string pwd)
{
    string adPath = "LDAP://ac-dc01.demo.local:389/CN=Configuration,DC=demo,DC=local";
    string domainAndUsername = domain + @"\" + username;
    DirectoryEntry entry = new DirectoryEntry(adPath, domainAndUsername, pwd);
    // Bind to the native AdsObject to force authentication.
    Object obj = entry.NativeObject;
    DirectorySearcher search = new DirectorySearcher(entry);
    // Note: username is concatenated into the filter unescaped; escape LDAP filter metacharacters first.
    search.Filter = "(SAMAccountName=" + username + ")";
    search.PropertiesToLoad.Add("cn");
    SearchResult result = search.FindOne();
    if (null == result)
    {
        return false;
    }
    // Update the new path to the user in the directory
    adPath = result.Path;
    _filterAttribute = (String)result.Properties["cn"][0];
    return true;
}

When I set it to what I think it should be, it errors on the entry.NativeObject line.

string adPath = "ldap://ac-dc01.demo.local:389/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=demo,DC=local";

Any ideas? Do I need to open it up for "global" access somehow? If so, how would I go about doing that?


I was able to successfully connect using another piece of software...


daniel
  • What is the error it's giving you? – Joel Etherton Mar 15 '13 at 18:59
  • "*...it errors on the entry.NativeObject line.*" - Tell us the error, silly. – Josh Darnell Mar 15 '13 at 19:00
  • Error is on the DirectoryEntry.Bind... Unknown error (0x80005000) – daniel Mar 15 '13 at 19:01
  • Daniel I have helped someone with this same issue a while back look at this link where I have demonstrated to the OP how to get this to work. http://stackoverflow.com/questions/14218204/error-0x80005000-with-ldapconnection-and-ldaps – MethodMan Mar 15 '13 at 19:04
  • Daniel to determine if a user is AD/LDAP you can reference the link I am going to post the code as well which utilizes UserPrincipal and PrincipalContext – MethodMan Mar 15 '13 at 19:08
  • There's no need to be insulting, daniel. I've removed my answer, sorry to bother you. – Josh Darnell Mar 15 '13 at 19:15
  • That's awesome Daniel, PrincipalContext was the correct way to go then. I think that I was right on initially but was not used to seeing your DCs set the way that you have them in your current environment; I think that's what threw me off.. Glad that we were all able to lend you some great suggestions – MethodMan Mar 18 '13 at 15:52

2 Answers


This is how we connect to our AD and it works great:

<yourConfig>LDAP://ADServerName/OU=GROUPNAME,DC=domainName,DC=com</yourConfig>

And here is sample code showing how you can validate a user:

using System.DirectoryServices.AccountManagement;

// Values in <angle brackets> are placeholders for your environment; CUserADAcct is our own helper class.
using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain,
                                                                 "<your domain name>",
                                                                 "<the container from the config above>",
                                                                 ContextOptions.Negotiate,
                                                                 "<your AD service account name>",
                                                                 "<your AD service account password>"))
{
    UserPrincipal oUser = UserPrincipal.FindByIdentity(oPrincipalContext, "<the username you want to validate>");
    if (oUser != null)
    {
        oADAcct = new CUserADAcct();
        oADAcct.dumpAcctAttrs(oUser);
    }
}
PM_ME_YOUR_CODE

This is what you can try.. Also, are you sure about your DC=Demo and DC=Local? Those look like OUs to me.

using System.DirectoryServices.AccountManagement;

const string Domain = "ServerAddress:389";
const string constrParts = @"OU=Users,DC=domain,DC=com";
const string Username = @"someusername";
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, Domain, constrParts);
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, Username);
MethodMan
  • I tried this and I am getting an error on creating the PrincipalContext object: "The server could not be contacted." I suspect that this is the original issue as well. – daniel Mar 15 '13 at 19:35
  • I copy/pasted the url from Softerra LDAP Administrator. Would it have anything to do with the fact that the one that *does* work has the url as the node name? Is the Users node not available? – daniel Mar 15 '13 at 19:42
  • It sounds like rights/permissions on how you are doing it.. 389 does not use SSL or anything like that.. wonder if you have that set up on the AD side.. did you look at the other answer I posted on my original posting in regards to why and what that error means..? – MethodMan Mar 15 '13 at 19:47
  • That is possible. Do you know how I would go about verifying that AD is configured properly? – daniel Mar 15 '13 at 20:52
  • There is.. I actually have the code on my other machine which I did not bring with me to work.. I can look at it later when I get home in about 2 hours and I can post some sample code as well as things to try.. in the meantime, do you have an AD Administrator..? if so, ask if connections are secure or not.. – MethodMan Mar 15 '13 at 20:57
  • have you thought about trying it a different way by checking isValid for example `System.DirectoryServices.AccountManagement namespace and easily verify your credentials: // create a "principal context" - e.g. your domain (could be machine, too) using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN")) { // validate the credentials bool isValid = pc.ValidateCredentials("myuser", "mypassword"); }` – MethodMan Mar 15 '13 at 21:03
  • checkout the example located here as well http://stackoverflow.com/questions/290548/validate-a-username-and-password-against-active-directory look at the answer that had `16` votes he implements what you were trying to do earlier.. – MethodMan Mar 15 '13 at 21:06
  • It still fails to connect to the server. Either I have the wrong server url, or AD is not configured in such a way as to let me access that "directory" from code. – daniel Mar 15 '13 at 21:13
  • Can you find out what the exact domain name is for that server.. if it works using an LDAP connection then I think it may be configured to accept password and/or SSL. I have code at home that I will definitely post for you; I had this problem when they changed the way that they wanted us to connect to AD. It's an Enum setting I can't remember off the top of my head, I think it's `ADS_SECURE_AUTHENTICATION` or something like that – MethodMan Mar 15 '13 at 21:16
  • this is a good example as well hope you don't mind reading http://www.c-sharpcorner.com/UploadFile/ankithakur/Login_Using_Active_Directory04052006061801AM/Login_Using_Active_Directory.aspx || http://www.c-sharpcorner.com/UploadFile/ecabral/ADand.NET08242005065451AM/ADand.NET.aspx – MethodMan Mar 15 '13 at 21:20
  • Since you are only checking if the users exist you can use this link http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx also what I was trying to remember was `AuthenticationTypes.Secure;` reference the question in this on this page http://stackoverflow.com/questions/7955377/authenticate-against-a-user-in-active-directory – MethodMan Mar 15 '13 at 21:26
  • I added a screen shot to the question. It appears to be simple authentication. – daniel Mar 15 '13 at 22:23
  • It looks like it is authenticating now... but failing on the first step within the "isAuthenticated" method now... DirectorySearcher search = new DirectorySearcher(_path); search.Filter = "(cn=" + _filterAttribute + ")"; search.PropertiesToLoad.Add("memberOf"); StringBuilder groupNames = new StringBuilder(); – daniel Mar 15 '13 at 22:44
  • Was able to get it working using this: http://stackoverflow.com/questions/7969425/groupprincipal-method-findbyidentity-throw-strange-exception – daniel Mar 18 '13 at 15:48
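A worked version of the PrincipalContext approach the answers and comments converge on, added here as an example and not code from the question or either answer: the server and OU are taken from the question, the required group name is whatever the caller passes in, and the ASP.NET worker identity is assumed to be allowed to read the OU. Two details it relies on: the PrincipalContext container is a bare distinguished name with no "LDAP://" prefix (the ADSI prefix itself is case-sensitive, and a lowercase "ldap://" fails the bind with 0x80005000, E_ADS_BAD_PATHNAME), and any filter still built by concatenation, as in the question's DirectorySearcher code, needs its input escaped.

```csharp
using System;
using System.Linq;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the question or either answer. Server and OU
// come from the question; the group name passed in is whatever your app requires.
public static class AdAuth
{
    const string Server = "ac-dc01.demo.local:389";
    // A bare distinguished name: PrincipalContext takes no "LDAP://" prefix.
    const string Container = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=demo,DC=local";
    // Negotiate selects Kerberos/NTLM; Sealing and Signing protect the session on port 389.
    const ContextOptions Opts = ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

    // True only when the password is correct AND the user is (possibly via nesting) in requiredGroup.
    public static bool IsAuthenticated(string username, string password, string requiredGroup)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Server, Container, Opts))
        {
            if (!ctx.ValidateCredentials(username, password, Opts))
                return false;                              // wrong password or unknown account

            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
            {
                if (user == null)
                    return false;                          // valid credentials, but not under Container
                // GetAuthorizationGroups resolves nested groups, unlike reading memberOf directly.
                return user.GetAuthorizationGroups()
                           .Any(g => string.Equals(g.SamAccountName, requiredGroup,
                                                   StringComparison.OrdinalIgnoreCase));
            }
        }
    }

    // For code that still builds a DirectorySearcher filter by string concatenation, as the
    // question does: escape the RFC 4515 metacharacters so input cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        // Backslash first, so the escapes produced below are not escaped again.
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                    .Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

Because ValidateCredentials is not scoped by the container, a user elsewhere in the domain can pass the password check and still be rejected by FindByIdentity; that split is what distinguishes "wrong password" from "not in SBSUsers".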