Brian #1
System.DirectoryServices
I have a few pages which authenticate a user to our site.
Checking a login and password with syntax as below:
Dim entry As New DirectoryEntry(_path, domainAndUsername, PWD)
My problem is I can only do this if I elevate the anonymous user to
ADMINISTRATOR of my domain.
Should my ASPX page have to be running the ADMIN account to use this
namespace?
Another task I need is to enumerate users in a GROUP using this
namespace.
That also only works with the ADMIN account.
Thanks,
Brian
Brian Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: System.DirectoryServices
No, you should be able to use the user's credentials to bind. Is this
Active Directory or an NT4 domain? Are you using the LDAP provider (your
_path variable doesn't make this clear)? What is the path you are using?
Joe K.
"Brian" <bonei@vafb.com> wrote in message
news:d2129775.0406011420.17d94784@posting.google.com...
> I have a few pages which authenticate a user to our site.
>
> Checking a login and password with syntax as below:
>
> Dim entry As New DirectoryEntry(_path, domainAndUsername, PWD)
>
> My problem is I can only do this if I elevate the anonymous user to
> ADMINISTRATOR of my domain.
>
> Should my ASPX page have to be running the ADMIN account to use this
> namespace.
> Another task I need is to enumerate users in a GROUP using this
> namespace.
> That also only works with the ADMIN account.
>
> Thanks,
> Brian
Joe Kaplan (MVP - ADSI) Guest
-
Brian #3
Re: System.DirectoryServices
Thanks,
I am using syntax "LDAP://" and then the name of the user to get his
SAMAccountName, etc..
We have found this code works differently on different servers here.
Could be my question is voided by that. I have tried making myself the
anonymous user and gotten some success as well on some servers.
The consistent problem is executing the looping over users in a
group as follows:
Dim de As System.DirectoryServices.DirectoryEntry = _
    New System.DirectoryServices.DirectoryEntry(adPath, domainAndUsername, strPassword)
Dim ds As DirectorySearcher = New DirectorySearcher(de)
' Look the group up by cn. An LDAP filter takes one pair of outer parentheses;
' the doubled form "((cn=...))" is not valid filter syntax and the search fails.
ds.Filter = "(cn=" & strGroupName & ")"
Dim dResults As SearchResultCollection = ds.FindAll()
For Each dResult As SearchResult In dResults
    Dim resultPropColl As ResultPropertyCollection = dResult.Properties
    ' Each "member" value is the distinguished name of one direct member of the group
    For Each memberItem As Object In resultPropColl("member")
        Dim foundUser As DirectoryEntry = _
            New DirectoryEntry("LDAP://" & memberItem.ToString(), domainAndUsername, strPassword)
        Dim userProps As PropertyCollection = foundUser.Properties
        If Not IsNothing(userProps("SAMAccountName").Value) Then
            stSorted.Add(userProps("SAMAccountName").Value, userProps("Name").Value)
        End If
    Next
Next
This chunk of code is the one that fails upon moving to varying
servers.
Is it possible that FINDALL requires more permission than simply "New
Entry"?
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:<eRpTe7ESEHA.3628@TK2MSFTNGP12.phx.gbl>...
> No, you should be able to use the user's credentials to bind. Is this
> Active Directory or an NT4 domain? Are you using the LDAP provider (your
> _path variable doesn't make this clear)? What is the path you are using?
>
> Joe K.
>
> "Brian" <bonei@vafb.com> wrote in message
> news:d2129775.0406011420.17d94784@posting.google.com...
> > I have a few pages which authenticate a user to our site.
> >
> > Checking a login and password with syntax as below:
> >
> > Dim entry As New DirectoryEntry(_path, domainAndUsername, PWD)
> >
> > My problem is I can only do this if I elevate the anonymous user to
> > ADMINISTRATOR of my domain.
> >
> > Should my ASPX page have to be running the ADMIN account to use this
> > namespace.
> > Another task I need is to enumerate users in a GROUP using this
> > namespace.
> > That also only works with the ADMIN account.
> >
> > Thanks,
> > Brian
Brian Guest
-
Joe Kaplan (MVP - ADSI) #4
Re: System.DirectoryServices
Do you also specify a server or domain in the LDAP path? If the current
security context is a local machine user, then ADSI may not be able to
automatically determine a domain controller to use, so the bind might not
work. I'd try that first.
LDAP://servername.com/dn
Also, two other things:
- You should generally ALWAYS use AuthenticationTypes.Secure as the 4th
parameter in your DirectoryEntry constructors when using AD. This makes
sure that SSPI is used to exchange credentials instead of passing your
password plaintext on the network. There is really no reason to not do
this. This advice doesn't necessarily apply to other LDAP directories
though.
- Don't forget to call dispose on all of your IDisposable objects
(DirectoryEntry, DirectorySearcher, SearchResultCollection) or you may leak
resources. This is especially important in the current version of the .NET
Framework: the Finalize method on DirectoryEntry doesn't actually close the
underlying COM object, so relying on the garbage collector/finalizer thread
to clean these up won't work.
Joe K.
"Brian" <bonei@vafb.com> wrote in message
news:d2129775.0406091131.5fc529ec@posting.google.com...
> Thanks,
> I am using syntax "LDAP://" and then the name of the user to get his
> SAMAccountName, etc..
> We have found this code works differently on different servers here.
> Could be my question is voided by that. I have tried making myself the
> anonymous user and gotten some success as well on some servers.
> The consistent problem is executing the looping over users in a
> group as follows:
>
> Dim de As System.DirectoryServices.DirectoryEntry = _
> New DirectoryServices.DirectoryEntry(adPath,
> domainAndUsername, strPassword)
> Dim ds As DirectorySearcher = New DirectorySearcher(de)
> ds.Filter = "((cn=" & strGroupName & "))"
> Dim dResults As SearchResultCollection = ds.FindAll()
> For Each dResult As SearchResult In dResults
> Dim resultPropColl As ResultPropertyCollection =
> dResult.Properties
> For Each memberItem As Object In resultPropColl("member")
> Dim foundUser As DirectoryEntry = _
> New DirectoryEntry("LDAP://" &
> memberItem.ToString(), domainAndUsername, strPassword)
> Dim userProps As PropertyCollection =
> foundUser.Properties
> If Not IsNothing(userProps("SAMAccountName").Value)
> Then
> stSorted.Add(userProps("SAMAccountName").Value,
> userProps("Name").Value)
> End If
> Next
> Next
>
> This chunk of code is the one that fails upon moving to varying
> servers.
> Is it possible that FINDALL requires more permission than simply "New
> Entry"?
>
>
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:<eRpTe7ESEHA.3628@TK2MSFTNGP12.phx.gbl>...
> > No, you should be able to use the user's credentials to bind. Is this
> > Active Directory or an NT4 domain? Are you using the LDAP provider (your
> > _path variable doesn't make this clear)? What is the path you are using?
> >
> > Joe K.
> >
> > "Brian" <bonei@vafb.com> wrote in message
> > news:d2129775.0406011420.17d94784@posting.google.com...
> > > I have a few pages which authenticate a user to our site.
> > >
> > > Checking a login and password with syntax as below:
> > >
> > > Dim entry As New DirectoryEntry(_path, domainAndUsername, PWD)
> > >
> > > My problem is I can only do this if I elevate the anonymous user to
> > > ADMINISTRATOR of my domain.
> > >
> > > Should my ASPX page have to be running the ADMIN account to use this
> > > namespace.
> > > Another task I need is to enumerate users in a GROUP using this
> > > namespace.
> > > That also only works with the ADMIN account.
> > >
> > > Thanks,
> > > Brian
Joe Kaplan (MVP - ADSI) Guest
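The three points in the reply above (a server-qualified LDAP path, AuthenticationTypes.Secure, and explicit disposal) applied to the two tasks from Brian's posts: checking a user's password by binding as that user, and listing the members of a group. This is an added example written for this page, not code from either poster. The domain controller name, domain DN, and group name are placeholders, and the EscapeFilterValue helper is an addition of mine: a group or user name that comes from a web form must be escaped before it is spliced into an LDAP filter, otherwise the caller can change what the filter matches (neither post covers this).

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

Public Module AdHelpers

    ' Placeholders: replace with the FQDN of a domain controller and your domain's DN.
    ' Naming the server in the path lets ADSI bind even when the worker process
    ' runs as a local machine account that cannot locate a DC on its own.
    Private Const Server As String = "dc1.corp.example.com"
    Private Const DomainDn As String = "DC=corp,DC=example,DC=com"

    ' Escape a value for use inside an LDAP filter (RFC 4515 section 3).
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Check a password by binding to the directory as that user.
    ' AuthenticationTypes.Secure makes ADSI negotiate the bind through SSPI
    ' (Kerberos or NTLM) instead of sending the password in a cleartext simple bind.
    Public Function ValidateCredentials(ByVal domainAndUsername As String, _
                                        ByVal password As String) As Boolean
        Using entry As New DirectoryEntry("LDAP://" & Server & "/" & DomainDn, _
                                          domainAndUsername, password, _
                                          AuthenticationTypes.Secure)
            Try
                ' Reading NativeObject forces the bind to happen now; a wrong
                ' password surfaces here as COMException 0x8007052E (logon failure).
                Dim bound As Object = entry.NativeObject
                Return True
            Catch ex As COMException
                ' Bad credentials or no reachable DC: either way the logon fails.
                Return False
            End Try
        End Using
    End Function

    ' Return the direct members of a group as sAMAccountName -> cn.
    ' The bind account needs only read access to the group and its members,
    ' which every domain user has by default; no administrator account is needed.
    Public Function GetGroupMembers(ByVal groupName As String, _
                                    ByVal bindUser As String, _
                                    ByVal bindPassword As String) As SortedDictionary(Of String, String)
        Dim members As New SortedDictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)
        Using root As New DirectoryEntry("LDAP://" & Server & "/" & DomainDn, _
                                         bindUser, bindPassword, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                ' One pair of outer parentheses per filter; "((cn=x))" is not valid syntax.
                searcher.Filter = "(&(objectCategory=group)(cn=" & EscapeFilterValue(groupName) & "))"
                searcher.PropertiesToLoad.Add("member")
                Dim group As SearchResult = searcher.FindOne()
                If group Is Nothing Then Return members

                For Each memberDn As Object In group.Properties("member")
                    ' Each "member" value is a DN. "/" is the ADsPath separator, so a
                    ' "/" inside the DN must be escaped as "\/" before it goes in the path.
                    Dim path As String = "LDAP://" & Server & "/" & memberDn.ToString().Replace("/", "\/")
                    Using member As New DirectoryEntry(path, bindUser, bindPassword, _
                                                       AuthenticationTypes.Secure)
                        Dim sam As Object = member.Properties("sAMAccountName").Value
                        If sam IsNot Nothing Then
                            members(sam.ToString()) = Convert.ToString(member.Properties("cn").Value)
                        End If
                    End Using
                Next
            End Using
        End Using
        Return members
    End Function

End Module
```

Every DirectoryEntry, DirectorySearcher and SearchResultCollection is created inside a Using block so Dispose runs on every path, including the exception path in ValidateCredentials. Nested groups are not expanded here; "member" holds direct members only, so a group that contains other groups would need a recursive walk of each member whose objectCategory is group.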