-
L Magarian #1
Retrieving User's Groups from Active Directory using ASP.NET
I'm using forms based authentication and LDAP to authenticate a user against
Active Directory. This is working fine.
The point where I'm stuck is retrieving the groups this user is assigned.
My web server and active directory servers are different machines. When I
test by deploying the web app on the active directory machine it does work.
However, I will not be able to employ this work around in the production
setting.
Can anyone advise me as to how to retrieve these user groups?
Are there special settings for searching the Active Directory when running a
web app off a different server?
Many Thanks!
L Magarian Guest
-
Paul Clement #2
Re: Retrieving User's Groups from Active Directory using ASP.NET
On Tue, 28 Sep 2004 01:51:03 -0700, "L Magarian" <LMagarian@discussions.microsoft.com> wrote:
¤ I'm using forms based authentication and LDAP to authenticate a user against
¤ Active Directory. This is working fine.
¤
¤ The point where I'm stuck is retrieving the groups this user is assigned.
¤
¤ My web server and active directory servers are different machines. When I
¤ test by deploying the web app on the active directory machine it does work.
¤ However, I will not be able to employ this work around in the production
¤ setting.
¤
¤ Can anyone advise me as to how to retrieve these user groups?
¤
¤ Are there special settings for searching the Active Directory when running a
¤ web app off a different server?
Could you indicate what type of error you are receiving and identify the line of code where it
occurs?
Paul ~~~ pclement@ameritech.net
Microsoft MVP (Visual Basic)
Paul Clement Guest
-
L Magarian #3
Re: Retrieving User's Groups from Active Directory using ASP.NET
The error is: "The specified domain either does not exist or could not be contacted", and is thrown by the FindOne() method.
The path I'm using looks like LDAP://company.com/CN=My Name,OU=User Accounts,OU=Accounts,DC=company,DC=com
This is the method I'm using to get the user's groups:
using System;
using System.DirectoryServices;
using System.Text;

// Enclosing class and fields added so the method compiles; the class name is a placeholder.
public class LdapAuthentication
{
    private string _path;             // LDAP path of the user object (see above)
    private string _filterAttribute;  // the user's CN, concatenated unescaped into the filter

    public string GetGroups()
    {
        DirectorySearcher search = new DirectorySearcher(_path);
        search.Filter = "(cn=" + _filterAttribute + ")";
        search.PropertiesToLoad.Add("memberOf");
        StringBuilder groupNames = new StringBuilder();

        // FindOne() is the call that throws "The specified domain either does not exist..."
        SearchResult result = search.FindOne();
        if (result == null)
        {
            return null;   // no matching user; without this check the next line throws
        }
        int propertyCount = result.Properties["memberOf"].Count;
        int equalsIndex, commaIndex;

        for (int i = 0; i < propertyCount; i++)
        {
            // each value is a group DN such as CN=Group Name,OU=Groups,DC=company,DC=com
            string dn = (string)result.Properties["memberOf"][i];
            equalsIndex = dn.IndexOf("=", 1);
            commaIndex = dn.IndexOf(",", 1);
            if (-1 == equalsIndex || -1 == commaIndex)
            {
                return null;   // a missing comma would otherwise give Substring a negative length
            }
            // keep only the text between the first '=' and the first ',' (the group's CN)
            groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1));
            groupNames.Append("|");
        }
        return groupNames.ToString();
    }
}
L Magarian Guest
-
Joe Kaplan (MVP - ADSI) #4
Re: Retrieving User's Groups from Active Directory using ASP.NET
This is a security context problem that is very common in ASP.NET. It can
be rectified a number of ways, including using specific domains and
credentials in your DirectoryEntry objects or changing the identity that
ASP.NET is running under. There are more details here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Additionally, this is a very bad approach for discovering a user's group
membership for security purposes. I know it is based on published MS
samples, but they are still bad. MemberOf includes non-security groups and
doesn't include nested group membership or the primary group.
Additionally, you shouldn't use the CN of the group name for security
purposes as a group with that name may exist in multiple containers.
Instead, you should use a domain unique security name such as the
samAccountName of the group.
The better approach is to look up group membership using tokenGroups. There
are numerous samples posted on the web and newsgroups that show how to do
this. A Google search will find them easily.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
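The tokenGroups approach Joe describes, bound with an explicit domain and credentials so it does not depend on the ASP.NET process identity, as an added example that is not code from this thread or from the MS samples. The domain, service-account and user names are placeholder parameters; it assumes a service account with read access to the user object.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
// Added example, not code from the thread. Domain, service-account and user names are
// placeholders supplied by the caller; the service account only needs read access.
public static class TokenGroupsLookup
{
    // Escape user-supplied input per RFC 4515 so it cannot change the filter's meaning.
    static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Returns DOMAIN\group for every security group in the user's token: direct,
    // nested and primary group, which memberOf does not give you.
    public static List<string> GetSecurityGroups(string domain, string samAccountName,
                                                 string svcUser, string svcPassword)
    {
        var groups = new List<string>();
        // Bind with an explicit domain and credentials, so the lookup no longer depends
        // on whatever identity the ASP.NET worker process happens to run under.
        using (var root = new DirectoryEntry("LDAP://" + domain, svcUser, svcPassword,
                                             AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeFilter(samAccountName) + "))";
            SearchResult hit = searcher.FindOne();
            if (hit == null) return groups;   // unknown user: no groups, no exception
            // tokenGroups is a constructed attribute: it is only populated on a
            // base-scope read of the user's own object, so bind to that object.
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.RefreshCache(new[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    var sid = new SecurityIdentifier(sidBytes, 0);
                    // Resolve to DOMAIN\samAccountName (unique in the domain) rather than
                    // a CN; fall back to the raw SID for deleted or foreign-domain groups.
                    try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
                    catch (IdentityNotMappedException) { groups.Add(sid.Value); }
                }
            }
        }
        return groups;
    }
}
```

For authorization checks, comparing the SIDs themselves rather than the translated names avoids the name lookup entirely.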