Query AD using Integrated Authentication?


  #1

    Re: Query AD using Integrated Authentication?

    You don't have a password with integrated auth, so essentially, you are
    trying to do a bind with a username and a blank password. That won't work
    for sure and if you try it very often, you'll lock out that poor user.

    The way you have to do this with WIA is to impersonate the logged on user
    (via your web.config) and don't supply any credentials. Then, ADSI will use
    the credentials of the current security context (the user you are
    impersonating) to contact AD.

    The trick here is that if the AD server is on a different machine (very
    likely), you'll need Kerberos delegation to get this impersonation to
    work. Read these articles:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

    Good luck,

    Joe K.


    "Dave" <Dave@discussions.microsoft.com> wrote in message
    news:0FAA654B-B390-416D-99F8-18F0E39D226C@microsoft.com...
    > Hi,
    >
    > I want to query AD for user's information once they are logged in.
    >
    > Under Basic authentication, this worked fine using the code below.
    >
    > However, when I switched to Integrated for an intranet site, the FindOne()
    > bombs with "Logon failure: unknown user name or bad password". I don't know
    > how to pass the username/password information while using Integrated
    > Security. Is there a way to do this?
    >
    > System.DirectoryServices.DirectoryEntry entry = new
    >     System.DirectoryServices.DirectoryEntry("GC://mycompanydomain.com",
    >         HttpContext.Current.Request.ServerVariables["AUTH_USER"],
    >         HttpContext.Current.Request.ServerVariables["AUTH_PASSWORD"]);
    > System.DirectoryServices.DirectorySearcher search = new
    >     System.DirectoryServices.DirectorySearcher(entry);
    >
    > search.Filter = "(sAMAccountName=" + sSAMAccountName + ")";
    > search.PropertiesToLoad.Add("sAMAccountName");
    > search.PropertiesToLoad.Add("cn");
    > search.PropertiesToLoad.Add("givenName");
    > search.PropertiesToLoad.Add("sn");
    > search.PropertiesToLoad.Add("mail");
    > search.PropertiesToLoad.Add("telephoneNumber");
    >
    > System.DirectoryServices.SearchResult result = search.FindOne();

    Joe Kaplan (MVP - ADSI)

  #2

    Re: Query AD using Integrated Authentication?

    That is possible. You definitely only want to impersonate a domain account.
    You can ensure that only domain accounts get in to the site by setting your
    authorization element in web.config to:
    <allow roles="yourdomain\domain users"/><deny users="*"/>

    That said, impersonation may not be enough. You may also need Kerberos
    delegation in order for the multiple machine hops to work:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

    Joe K.

    "Dave" <Dave@discussions.microsoft.com> wrote in message
    news:BBB77B50-89C6-4C5E-8D30-7D1C58F6D49D@microsoft.com...
    > Joe,
    >
    > I got as far as setting the impersonation to "true", setting everything to
    > integrated and testing the site on my local machine which is part of the
    > domain. I'm logged in the machine with my domain account and password.
    > Everything worked.
    >
    > When I move the app to our dev server (same configuration) which is also
    > part of the domain I get the error below. Could it be that the
    > "Administrator" account used when logging in to our dev server when it
    > booted isn't a domain account? It's the only difference I see between the
    > two..
    >
    > System.Runtime.InteropServices.COMException: An operations error occurred
    > when executing...
    >
    > System.DirectoryServices.SearchResult result = search.FindOne();
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    > > You don't have a password with integrated auth, so essentially, you are
    > > trying to do a bind with a username and a blank password. That won't work
    > > for sure and if you try it very often, you'll lock out that poor user.
    > >
    > > The way you have to do this with WIA is to impersonate the logged on user
    > > (via your web.config) and don't supply any credentials. Then, ADSI will use
    > > the credentials of the current security context (the user you are
    > > impersonating) to contact AD.
    > >
    > > The trick here is that if the AD server is on a different machine (very
    > > likely), you'll need Kerberos delegation to get this impersonation to
    > > work. Read these articles:
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
    > > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    > >
    > > Good luck,
    > >
    > > Joe K.
    > >
    > > "Dave" <Dave@discussions.microsoft.com> wrote in message
    > > news:0FAA654B-B390-416D-99F8-18F0E39D226C@microsoft.com...
    > > > Hi,
    > > >
    > > > I want to query AD for user's information once they are logged in.
    > > >
    > > > Under Basic authentication, this worked fine using the code below.
    > > >
    > > > However, when I switched to Integrated for an intranet site, the FindOne()
    > > > bombs with "Logon failure: unknown user name or bad password". I don't know
    > > > how to pass the username/password information while using Integrated
    > > > Security. Is there a way to do this?
    > > >
    > > > System.DirectoryServices.DirectoryEntry entry = new
    > > >     System.DirectoryServices.DirectoryEntry("GC://mycompanydomain.com",
    > > >         HttpContext.Current.Request.ServerVariables["AUTH_USER"],
    > > >         HttpContext.Current.Request.ServerVariables["AUTH_PASSWORD"]);
    > > > System.DirectoryServices.DirectorySearcher search = new
    > > >     System.DirectoryServices.DirectorySearcher(entry);
    > > >
    > > > search.Filter = "(sAMAccountName=" + sSAMAccountName + ")";
    > > > search.PropertiesToLoad.Add("sAMAccountName");
    > > > search.PropertiesToLoad.Add("cn");
    > > > search.PropertiesToLoad.Add("givenName");
    > > > search.PropertiesToLoad.Add("sn");
    > > > search.PropertiesToLoad.Add("mail");
    > > > search.PropertiesToLoad.Add("telephoneNumber");
    > > >
    > > > System.DirectoryServices.SearchResult result = search.FindOne();

    Joe Kaplan (MVP - ADSI)

  #3

    Re: Query AD using Integrated Authentication?

    Hi there

    Couldn't help myself... I am having a similar problem..

    The article that Joe refers to, says that you have to change browser
    settings (Enable Integrated Authentication), that is, each of the browser
    clients. I do not know if this is a viable option for me.

    However.

    I use Integrated Authentication up until IIS, so far so good...The problem
    arises when you want to contact other servers/services as for example an
    Active Directory. Is this correct?

    Isn't it possible to use a fixed user account to query the AD, and thereby
    NO need to setup browsers for IA, say:
    Use IA up until IIS (IA + impersonate, no anonymous), in your ASP.NET page
    authenticate to the AD by using a predefined user, retrieve the settings you
    want (fx. the full name of the user), and process the ASP.NET page further.
    Is this possible?

    Must be, because how does IIS handle connections to MSSQL?

    Anyone..Please

    Best regards

    Henrik


    HG

  #4

    Re: Query AD using Integrated Authentication?

    You can definitely use a fixed account to query AD. You can do that by
    specifying explicit credentials in your DirectoryEntry binds or by changing
    the identity of the process or impersonated account to the appropriate
    domain account. You can also put all your S.DS code in a COM+ component and
    set it up with its own identity, so you have a LOT of options, much like you
    do with SQL server. I can provide more specific samples if you need them,
    or you can probably dig them up with a Google groups search.

    The original question had to do with why impersonation wasn't working in a
    machine hopping scenario, in which case the answer was related to Kerberos
    delegation.

    Joe K.

    "HG" <hg@nospam.websolver.dk> wrote in message
    news:eGU4E8TdEHA.2544@TK2MSFTNGP10.phx.gbl...
    > Hi there
    >
    > Couldn't help myself... I am having a similar problem..
    >
    > The article that Joe refers to, says that you have to change browser
    > settings (Enable Integrated Authentication), that is, each of the browser
    > clients. I do not know if this is a viable option for me.
    >
    > However.
    >
    > I use Integrated Authentication up until IIS, so far so good...The problem
    > arises when you want to contact other servers/services as for example an
    > Active Directory. Is this correct?
    >
    > Isn't it possible to use a fixed user account to query the AD, and thereby
    > NO need to setup browsers for IA, say:
    > Use IA up until IIS (IA + impersonate, no anonymous), in your ASP.NET page
    > authenticate to the AD by using a predefined user, retrieve the settings you
    > want (fx. the full name of the user), and process the ASP.NET page further.
    > Is this possible?
    >
    > Must be, because how does IIS handle connections to MSSQL?
    >
    > Anyone..Please
    >
    > Best regards
    >
    > Henrik

    Joe Kaplan (MVP - ADSI)
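    The two binding routes discussed in #1 (impersonate the caller, pass no
    credentials, accept the Kerberos delegation requirement on the second hop)
    and #4 (bind with a fixed service account) side by side, as an added
    example that is not part of this thread and not Joe's or Microsoft's own
    sample code. It keeps Dave's GC path and attribute list; the class name
    AdUserLookup, the AppSettings keys AdQueryUser/AdQueryPassword and the
    web.config fragment in the comment are assumptions for illustration. The
    search filter is built from the authenticated principal and escaped per
    RFC 4515 rather than concatenated, which the code in the original post
    does not do.

```csharp
// Added example, not from the thread. Two ways to bind to AD from an ASP.NET
// page (posts #1 and #4) plus a safe lookup of the caller's own record.
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Text;
using System.Web;

/* web.config fragment for the impersonation route (posts #1 and #2), assumed:

   <system.web>
     <authentication mode="Windows" />
     <identity impersonate="true" />
     <authorization>
       <allow roles="yourdomain\domain users" />
       <deny users="*" />
     </authorization>
   </system.web>
*/

public static class AdUserLookup
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515) so that
    // input such as "*" or "x)(objectClass=*" cannot rewrite the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Route 1 (post #1): no credentials at all. With <identity impersonate="true"/>
    // the request thread runs as the caller and ADSI binds with that context.
    // If the domain controller is another machine this is the second hop and
    // needs Kerberos delegation, otherwise the bind fails as Dave observed.
    public static DirectoryEntry BindAsCaller(string gcPath)
    {
        return new DirectoryEntry(gcPath, null, null, AuthenticationTypes.Secure);
    }

    // Route 2 (post #4): a fixed, least-privilege read-only account whose
    // credentials come from configuration (assumed keys), never from the page.
    // First-hop bind, so no delegation; Sealing/Signing protect the LDAP traffic.
    public static DirectoryEntry BindAsServiceAccount(string gcPath)
    {
        string user = ConfigurationManager.AppSettings["AdQueryUser"];     // assumed key
        string pass = ConfigurationManager.AppSettings["AdQueryPassword"]; // assumed key
        return new DirectoryEntry(gcPath, user, pass,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Looks up the caller's own record. The sAMAccountName is taken from the
    // authenticated Windows principal ("DOMAIN\user"), not from a request
    // parameter, and is escaped regardless.
    public static SearchResult FindCaller(DirectoryEntry root)
    {
        string name = HttpContext.Current.User.Identity.Name;
        int slash = name.LastIndexOf('\\');
        string sam = slash >= 0 ? name.Substring(slash + 1) : name;

        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeFilterValue(sam) + "))";
            searcher.PropertiesToLoad.AddRange(new[] {
                "sAMAccountName", "cn", "givenName", "sn", "mail", "telephoneNumber" });
            searcher.SizeLimit = 1;
            return searcher.FindOne();
        }
    }

    // Page-side usage (assumed): service-account route, returns the caller's cn.
    public static string CallerDisplayName()
    {
        using (DirectoryEntry root = BindAsServiceAccount("GC://mycompanydomain.com"))
        {
            SearchResult r = FindCaller(root);
            if (r == null || r.Properties["cn"].Count == 0) return null;
            return (string)r.Properties["cn"][0];
        }
    }
}
```

    Swap BindAsServiceAccount for BindAsCaller in CallerDisplayName to get the
    impersonation route; the search code is identical, which is the point Joe
    makes in #4: the bind, not the query, is what changes between the options.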

  #5

    Re: Query AD using Integrated Authentication?

    Hi Joe..

    Yep, .NET indeed gives you a lot of options. :-)

    Thanx for your reply.

    I will use the explicit credentials then.

    Regards

    Henrik



    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in
    message news:%23nAajdXdEHA.644@tk2msftngp13.phx.gbl...
    > You can definitely use a fixed account to query AD. You can do that by
    > specifying explicit credentials in your DirectoryEntry binds or by changing
    > the identity of the process or impersonated account to the appropriate
    > domain account. You can also put all your S.DS code in a COM+ component and
    > set it up with its own identity, so you have a LOT of options, much like you
    > do with SQL server. I can provide more specific samples if you need them,
    > or you can probably dig them up with a Google groups search.
    >
    > The original question had to do with why impersonation wasn't working in a
    > machine hopping scenario, in which case the answer was related to Kerberos
    > delegation.
    >
    > Joe K.
    >
    > "HG" <hg@nospam.websolver.dk> wrote in message
    > news:eGU4E8TdEHA.2544@TK2MSFTNGP10.phx.gbl...
    > > Hi there
    > >
    > > Couldn't help myself... I am having a similar problem..
    > >
    > > The article that Joe refers to, says that you have to change browser
    > > settings (Enable Integrated Authentication), that is, each of the browser
    > > clients. I do not know if this is a viable option for me.
    > >
    > > However.
    > >
    > > I use Integrated Authentication up until IIS, so far so good...The problem
    > > arises when you want to contact other servers/services as for example an
    > > Active Directory. Is this correct?
    > >
    > > Isn't it possible to use a fixed user account to query the AD, and thereby
    > > NO need to setup browsers for IA, say:
    > > Use IA up until IIS (IA + impersonate, no anonymous), in your ASP.NET page
    > > authenticate to the AD by using a predefined user, retrieve the settings you
    > > want (fx. the full name of the user), and process the ASP.NET page further.
    > > Is this possible?
    > >
    > > Must be, because how does IIS handle connections to MSSQL?
    > >
    > > Anyone..Please
    > >
    > > Best regards
    > >
    > > Henrik

    HG
