Access Active Directory in ASP.NET?

I use a console application to write test code:

```csharp
using System;
using System.DirectoryServices;

/// <summary>
/// Returns AD information for a specified userID.
/// </summary>
/// <param name="ntID"></param>
/// <returns></returns>
public ADUser GetUser(string ntID)
{
    // No search root is given, so the searcher binds to the default naming
    // context of the domain that the current process account belongs to.
    DirectorySearcher search = new DirectorySearcher();
    search.Filter = String.Format("(cn={0})", ntID);
    search.PropertiesToLoad.Add("mail");
    search.PropertiesToLoad.Add("givenName");
    search.PropertiesToLoad.Add("sn");
    search.PropertiesToLoad.Add("displayName");
    search.PropertiesToLoad.Add("userPrincipalName");
    search.PropertiesToLoad.Add("cn");
    SearchResult result = search.FindOne();
    return new ADUser(result);
}
```

And this works great in a console application. However, when I moved it to an ASP.NET application, I received an error about not knowing the correct domain.

Is there a trick I'm missing for accessing AD when working in an ASPNET account?

EDIT: Passing only the LDAP://domain connection string is not enough, since it requires an actual login/password. Since this runs as a local account on the computer, I'm not sure which AD login/password to use. Can I delegate this account to users?

EDIT No. 2: When I try to use identity impersonation, I get a DirectoryServicesCOMException with:

Authentication mechanism is unknown.

+6
credentials active-directory
5 answers

Yes. You need to specify a directory connection string. The console application (running as you) works with your credentials, including access to the directory. An ASP.NET application works with the ASPNET user's credentials, which are local to the system on which the application is running, and not to the global catalog.

+1

Alternatively, you can specify identity impersonate="true" in the web.config file, and the Active Directory request will be sent as the calling user instead of Machine\ASPNET.

Edit: if you get an authentication error, see PIPTHEGEEK's message: you need to trust the web server for delegation, but be careful with delegation trust (since it opens another can of worms for security types). You must allow the web server to forward the credentials of the current AD user.

If possible, go to the AD properties for the computer, select the Delegation tab and select "Trust this computer for delegation to any service (Kerberos only)".

See if this works. If so, you can further narrow the permissions using the third option, which states

"Trust this computer for delegation to the specified services only"

Then select "Use Kerberos only"

and in "Services to which this account can present delegated credentials", add the appropriate service information.

+1

If this is an intranet application that uses Windows authentication, you can wrap your AD call in the context of impersonating the user.

Something like:

```csharp
using (((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate())
{
    // Do your AD stuff here
}
```
+1

The easiest way is to run the web application pool as a domain account with the necessary access. This avoids having to store a password securely. Remember to make the account a member of the local IIS_WPG group. If you decide to use impersonation instead, you will have to configure Kerberos delegation and also change the ASP.NET configuration for impersonation. This means running the application pool as a domain account, granting that domain account permission to delegate credentials (the Delegation tab of the user account's properties in the Active Directory Users and Computers MMC), then making sure the website is configured to use Negotiate in the metabase (this is the default for IIS6, not sure about other versions) and registering an SPN for the new domain account.

Edit: An "Unknown Authentication" error sounds like incorrectly configured delegation. Make sure your application pool account is trusted for delegation, that IIS is configured to use Windows authentication ONLY, and that a valid SPN is registered for the application pool account.

+1

You can also try to include the domain in the login:

```csharp
// Username in DOMAIN\user form (the original used a forward slash, which ADSI does not accept).
adSharepointUsers = new DirectoryEntry("LDAP://MyDomain", "MyDomain\\ADUser", "password");
```
+1
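Putting the advice from the answers above together, here is an added example (not code from the question or any answer): it binds to an explicit search root instead of the process account's default domain, runs the query under the impersonated caller from User.Identity as the third answer shows, and escapes the user-supplied ID before placing it in the filter, since the question's String.Format builds the filter from ntID unescaped. The domain DC=example,DC=local is a placeholder.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class AdLookup
{
    // Escape a value for use inside an LDAP search filter (RFC 4515) so that
    // characters in a user-supplied ID cannot change the shape of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Look up a user as the authenticated caller (e.g. (WindowsIdentity)User.Identity
    // in an intranet app with Windows authentication), against an explicit root.
    public static SearchResult FindUser(string ntID, WindowsIdentity caller)
    {
        if (string.IsNullOrEmpty(ntID)) throw new ArgumentException("ntID is required");

        using (caller.Impersonate())
        // Placeholder domain; replace with the real naming context.
        using (var root = new DirectoryEntry("LDAP://DC=example,DC=local"))
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = "(&(objectClass=user)(cn=" + EscapeFilterValue(ntID) + "))";
            search.PropertiesToLoad.AddRange(new[] {
                "mail", "givenName", "sn", "displayName", "userPrincipalName", "cn" });
            return search.FindOne();   // null when no such user exists
        }
    }
}
```

Under impersonation the bind still depends on the Kerberos delegation setup described in the answers above; without it the directory call fails with the "Authentication mechanism is unknown" error from the question.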
