Active Directory Authentication using services account

Question

I'm working on Web Services which authenticates users against Active Directory. My current solution is working, however, I'm trying to take a different approach.

I have an Active Directory (production) which is sitting behind the firewall. I also installed an Active Directory in DMZ. There's a one way relationship between them. DMZ trusts production and production doesn't care about DMZ.

What I'm trying to accomplish is Authenticate everyone through DMZ Active Directory. Currently, based on the username I know which AD server to authenticate against.

For example, my production Active Directory (let say domain domain.local) and my DMZ Active directory (let say domain domain.public). Before I do authentication against any AD server, I check if the username provided exists in one of the server. Then, I check if the user is active and only then I do authentication. (I'm having issues in the first function. It never reaches to the second or third functions).

UPDATE: ADDED EVERYTHING:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Text;
using System.DirectoryServices;
using System.Security.Principal;
using System.DirectoryServices.AccountManagement;

namespace ActiveDirectory
{
// NOTE: You can use the "Rename" command on the "Refactor" menu to change the class name "Service1" in both code and config file together.
public class Service1 : IService1
{
    #region Does User Exist in AD

    public string local = string.Empty;
    public string ldappath = string.Empty;
    public string userNameToUse = string.Empty;
    public string domain = string.Empty;

    public bool DoesUserExist(string userName)
    {
        string _userName = userName;

        bool exist = true;

        using (var domainContext = new PrincipalContext(ContextType.Domain, domain))
        {
            using (var foundUser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, userNameToUse))
            {
                if (foundUser == null)
                {
                    exist = false;
                }
                else
                {
                    return exist;
                }
            }
        }
        return exist;
    }

    #endregion

    #region Check if User Active
    public bool isActive (string userName)
    {
        string _userNameToBeSearched = userNameToUse;
        string _username = string.Empty;
        string _pwd = string.Empty;

        if (local == "YES")
        {
             _username = "xx";
             _pwd = "xx";
            ldappath = "LDAP://xxx/DC=xx, DC=local";
        }
        else
        {
             _username = "xx";
             _pwd = "xx";
             ldappath = "LDAP://xxx/DC=xx, DC=public";
        }

        bool isActive = true;

        try
        {
            DirectoryEntry entry = new DirectoryEntry(ldappath, _username, _pwd);
            DirectorySearcher search = new DirectorySearcher(entry);
            entry.AuthenticationType = AuthenticationTypes.Secure;
            search.SearchRoot = entry;
            search.Filter = "(SAMAccountName=" + _userNameToBeSearched + ")";

            SearchResult results = search.FindOne();

            if (results.ToString() != "")
            {
                int flags = Convert.ToInt32(results.Properties["userAccountControl"][0].ToString());

                //CHECK IF THE ACCOUNT IS DISABLED
                if (flags == 66050)
                {
                    isActive = false;
                }
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            ex.ToString();
        }
        return isActive;
    }

    #endregion

    #region Is user authenticated
    public string isAuthenticated (string userName, string pwd)
    {
        string _userName, _pwd, message;
        _userName = userName;
        _pwd = pwd;

        char[] splitchar = { '@' };

        string[] strSplit = _userName.Split(splitchar);

        string z = strSplit[0];

        if (strSplit.Length == 2)
        {
            domain = "x.public";
            userNameToUse = z.ToString();
            local = "NO";
        }
        else
        {
            domain = "x.local";
            userNameToUse = z.ToString();
            local = "YES";
        }

        if (DoesUserExist (userNameToUse) == true)
        {
            if (isActive(userNameToUse) == true)
            {
                try
                {
                    DirectoryEntry entry = new DirectoryEntry(ldappath, userNameToUse, _pwd);
                    object nativeObject = entry.NativeObject;
                    var GUIDID = "";

                    using (var domainContext = new PrincipalContext(ContextType.Domain, domain))
                    {
                        using (var user = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, userNameToUse))
                        {
                            if (user != null)
                            {
                                GUIDID = user.Guid.ToString();
                            }
                        }
                        message = "Successfully authenticated:" + GUIDID;
                    }
                }
                catch (DirectoryServicesCOMException)
                {
                    message = "Invalid password.";
                }
            }
            else
            {
                message = "Account is disabled";
            }
        }
        else
        {
            message = "There's an issue with your account.";
        }
        return message;      
    }

    #endregion
}
}

If username exists in DMZ AD it will return true else it will return false. However, there're going to be users who will only exists in production AD, but will not have any entry in DMZ. Since, I built ONE WAY trust I should be able to do this:

username@domain.local for production and username@domain.public However, even though I specify fully username if entry doesn't exists in DMZ AD it will return null although it exists in production AD.

Any suggestion, on how I can authenticate everybody through DMZ AD using webservices account which has full permission to production AD?

Note if needed I can provide the rest of the code...*

Thanks

Answer 1

What is the value of domain in the PrincipalContext? If you aren't already, you'll need to use the proper domain for the user you're looking up to user your current code. PrincipalContext does not support searches across domains in your forest.

Here is an example of using a DirectorySearcher to do it.

Answer 2

The code has several issues, I only talk about major ones.

1. In method DoesUserExist you use service account (no credential is passed to PrincipalContext) to query both domains. But in method isActive you have different credentials for different domains. So we have 3 credentials for 2 domains...

   At least use a consistent way for both methods.

2. For 1-way trust(e.g. A trusts B), accounts in B should be able to access both domain A and B.

   May be you can simply use an account in trusted domain as service account. And then use service account (null to username and password) to perform all AD access. So you don't even need to put password in your code.

3. In isActive, where does the "66050" come from?
   66060 is 10202 in hex, which means (1)user, (2)disabled and (3)don't expire password.

   To check if an account is enabled, check only the ACCOUNTDISABLE bit (0x0002). It should be 0 for enabled.

4. You already get the UserPrincipal in DoesUserExist. Can simply check enabled by looking at UserPrincipal.Enabled.

I need to do code review in my daily work. Now I'm doing it also on Stack Overflow... :)