retrieve LDAP info within webservice


  1. #1

    retrieve LDAP info within webservice

    Hi,

    Using wse2.0 a user logs on to my application. The webservice runs
    within the domain, the user does not (not always). So I use the
    webservice to read from the central database and to verify the
    username/password. Doing that I want to return the full name for the
    user.

    To do this I wrote (well, partially found it on the internet ;-)) this
    method:

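    using System;
    using System.DirectoryServices;

    public static String GetLDAPName(String userAccount)
    {
        // No explicit credentials: the bind uses the identity of the calling process.
        DirectoryEntry entry = new DirectoryEntry("LDAP://xxx");
        // Strip the domain suffix to get the bare account name.
        String account = userAccount.Replace(@"@xxx", "");
        try
        {
            DirectorySearcher search = new DirectorySearcher(entry);
            // The account name is concatenated into the filter without LDAP filter escaping.
            search.Filter = "(SAMAccountName=" + account + ")";
            search.PropertiesToLoad.Add("displayName");
            SearchResult result = search.FindOne();

            if( result != null )
            {
                return result.Properties["displayname"][0].ToString();
            }
            else
            {
                return "Unknown User";
            }
        }
        catch( Exception ex )
        {
            // The raw exception text is returned to the caller as if it were the name.
            return ex.Message;
        }
    }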

    If I try it, it always returns "an operations error occurred". That's
    good info isn't it!! NOT!

    To find out if the method is wrong I also put it in a windows app and
    tested it on another machine (no visual studio installed, just x-copy
    deployed) in the same domain as the webserver. Without having to set any
    trusts it ran fine!

    What's wrong here? Is this a matter of setting permissions on the
    webserver? And what would that be?


    MAzzel,


    Roland
    --
    ---
    Roland Wolters
    [url]http://www.habbiebabbie.net[/url]
    ***** Please react via UseNet only ********


    Roland Wolters Guest

  3. #2

    Re: retrieve LDAP info within webservice

    Hello Roland,

    Need to make sure that the account ASP.net runs under has been set up
    as a user in LDAP
    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    [url]http://www.geniant.com[/url]

    Dilip Krishnan Guest

  4. #3

    Re: retrieve LDAP info within webservice

    Dilip Krishnan <dkrishnan@NOSPAM.geniant.com> wrote in
    news:127809632409810325414784@msnews.microsoft.com :

    Hi,

    The user running the webservice has not been set as a user in LDAP. The
    admin is not going to change this.

    Is there a way around this? I do have a valid authenticated
    usernametoken. Can I use this to read the full name for that user? Maybe
    use impersonation via this username token? How?


    Roland



    --
    ---
    Roland Wolters
    [url]http://www.habbiebabbie.net[/url]
    ***** Please react via UseNet only ********
    Roland Wolters Guest

  5. #4

    Re: retrieve LDAP info within webservice

    Hello Roland

    Maybe you're better off asking in the aspnet.security group. I know there
    has been a lot of discussion of the "multi-hop" issue, especially when
    retrieving information from AD.

    Not much help, but give it a try.

    Regards
    Henrik
    [url]http://websolver.blogspot.com[/url]



    HG Guest

  6. #5

    Re: retrieve LDAP info within webservice

    Hello Roland,
    > Dilip Krishnan <dkrishnan@NOSPAM.geniant.com> wrote in
    > news:127809632409810325414784@msnews.microsoft.com :
    >
    > Hi,
    >
    > The user running the webservice has not been set as a user in LDAP.
    > The admin is not going to change this.
    >
    > Is there a way around this? I do have a valid authenticated
    > usernametoken. Can I use this to read the full name for that user?
    > Maybe use impersonation via this username token? how?
    >
    Yes, you could set up the username token to authenticate against the Windows domain
    (no custom username token manager). You will probably have to jump through a few
    hoops to get that user to impersonate as the web service identity however.
    This is because of the subtle difference in transport based security and
    soap based security, which we will not go into here. The easiest way to go
    about this is use a surrogate user that is provisioned in LDAP and use that
    account to connect always. That way you don't have to provision users for
    each web server you have.
    > Roland
    >
    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    [url]http://www.geniant.com[/url]



    Dilip Krishnan Guest
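
Added example (not part of the thread and not any poster's code): a sketch of the surrogate-account approach suggested in the reply above, binding with explicit credentials so the lookup does not depend on the ASP.NET process identity, and escaping the account name before it goes into the search filter. The server name, the account `EXAMPLE\svc-ldap-read` and the `LDAP_BIND_PASSWORD` environment variable are assumed placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class DirectoryLookup
{
    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns displayName, or null when the account is missing or has no displayName.
    // Exceptions propagate to the caller so they can be logged server-side
    // instead of being returned to the client as if they were a name.
    public static string GetDisplayName(string userAccount)
    {
        // Assumed placeholders: directory server, surrogate account, secret source.
        const string path = "LDAP://dc.example.test";
        const string bindUser = @"EXAMPLE\svc-ldap-read";
        string bindPassword = Environment.GetEnvironmentVariable("LDAP_BIND_PASSWORD");

        string account = userAccount.Split('@')[0];   // drop any "@domain" suffix
        using (var entry = new DirectoryEntry(path, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (var search = new DirectorySearcher(entry))
        {
            search.Filter = "(sAMAccountName=" + EscapeFilterValue(account) + ")";
            search.PropertiesToLoad.Add("displayName");
            SearchResult result = search.FindOne();
            if (result == null || !result.Properties.Contains("displayName"))
                return null;
            return result.Properties["displayName"][0].ToString();
        }
    }
}
```

The surrogate account only needs read access to the attributes being queried; keep its password out of source code and web.config plaintext.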

  7. #6

    Re: retrieve LDAP info within webservice

    I'm having this exact same problem. Roland, have you found a solution to it?
    Basically I can get info from when not using a trust connection (SSL). But
    when I try to enable trust connection it just doesn't work. Tracing through
    the code I can tell that it does "connect" to the LDAP server but when it
    tries to bind a user/pass to it, it gives an exception.

    Another thing I noticed is that if I DON'T use it as a webservice and use it
    as a class driver, everything works fine and dandy.

    Does anyone have any solution? About the user impersonating as a webservice
    "solution" above. Can you tell me what I have to do step by step?

    Thanks

    Shaun Guest
