Active Directory LDAP Authentication Fails in IIS 6

Discussion in 'ASP .Net' started by P Webster, Mar 23, 2006.

  1. P Webster


    We recently moved a web site that validated user credentials in Active
    Directory from IIS 5.1 to IIS 6, and the validation code no longer works.
    The web.config file is set to Windows authentication because all we do is
    verify the user on the login form so we can redirect them to the appropriate
    page based on their group.
    The code to authenticate is:

        Public Function IsAuthenticated(ByVal domain As String, _
                                        ByVal username As String, _
                                        ByVal pwd As String) As Boolean
            Dim domainAndUsername As String = domain & "\" & username
            Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndUsername, pwd)
            Try
                'Bind to the native AdsObject to force authentication.
                Dim obj As Object = entry.NativeObject
                Dim search As DirectorySearcher = New DirectorySearcher(entry)
                search.Filter = "(SAMAccountName=" & username & ")"
                search.PropertiesToLoad.Add("cn")
                Dim result As SearchResult = search.FindOne()
                If (result Is Nothing) Then
                    Return False
                End If
                'Update the new path to the user in the directory.
                _path = result.Path
                _filterAttribute = CType(result.Properties("cn")(0), String)
            Catch ex As Exception
                Throw New Exception("Error authenticating user. " & ex.Message & _
                                    "<BR>" & ex.StackTrace.ToString)
            End Try
            Return True
        End Function

    In IIS 6, we have tried all possible combinations of directory security.

    When we first moved the site to IIS 6, an error was generated by the above
    code stating the parameter was incorrect, so we tried adding
    AuthenticationTypes.None and AuthenticationTypes.Anonymous as the final
    parameter for DirectoryEntry(... The result was a message returned as
    "unknown user name or bad password." The user name and password entered were
    correct, so I don't understand why that error was generated.

    Any ideas would be greatly appreciated.

    Paul
     
    P Webster, Mar 23, 2006
    #1

  2. Paul,
    It seems you can't authenticate using the Active Directory, that's why you are
    getting:
    "unknown user name or bad password."
    Is the server in the same domain as the Active Directory? And again,
    are you sure the IIS can authenticate on the domain?
    Is integrated Windows Auth checked in the IIS?
    Patrick


     
    Patrick.O.Ige, Mar 25, 2006
    #2

  3. P Webster


    Patrick,
    Thanks for the reply.
    I actually cross-posted this message in ...aspnet.security and received very
    good help from Joe Kaplan.
    It turns out we were struggling with this problem in the wrong way. The
    original code that worked on the W2K server with IIS 5.1 had a bad
    parameter, and it probably shouldn't have been working in the first place.
    Here is the final post I made in the other group just in case this problem
    happens to someone else.

    The DirectoryEntry parameters being sent (and I might mention successfully
    in IIS 5.1) were:
        entry = New DirectoryEntry("LDAP://biz.xxx.yyy.com/DC=biz, DC=xxx, DC=yyy, DC=com", _
                                   "DC=biz\username", "password")
    For some reason, the domain\username included "DC=" in front of it and IIS
    5.1 must have dropped that off when trying to authenticate the user. When
    we removed the "DC=" and just used "biz\username", everything worked as
    expected.

    We didn't figure it out until we decided to write a test application in
    ASP.NET 2.0. When everything worked correctly, we started from scratch and
    wrote the entire process in ASP.NET 1.1 without reviewing the existing code.
    When it worked, we compared the two and found the mistake. When we found
    the sample code used to originally write the AD Authentication a couple of
    years ago, it included the "DC=" before the user name. Since it has always
    functioned properly, we never looked there. We kind of feel stupid now :)

     
    P Webster, Mar 25, 2006
    #3
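
Added example, not part of the original thread and not the posters' code: a pre-bind check that rejects a bind identity like the "DC=biz\username" value described in post #3, together with RFC 4515 escaping for the user name that the posted function concatenates into the sAMAccountName filter. The names BuildBindName and EscapeFilterValue and both allow-list patterns are assumptions made for this illustration.

```vbnet
Imports System
Imports System.Text
Imports System.Text.RegularExpressions

Module BindIdentityChecks
    ' Assumption for this example: conservative allow-lists for a NetBIOS domain
    ' name and a sAMAccountName. Neither admits "=", ",", "\" or "/".
    Private ReadOnly DomainPattern As New Regex("^[A-Za-z0-9][A-Za-z0-9-]{0,14}\z")
    Private ReadOnly UserPattern As New Regex("^[A-Za-z0-9._-]{1,20}\z")

    ' Builds "DOMAIN\user" for DirectoryEntry; a DN fragment such as "DC=biz" is rejected.
    Public Function BuildBindName(ByVal domain As String, ByVal username As String) As String
        If domain Is Nothing OrElse Not DomainPattern.IsMatch(domain) Then
            Throw New ArgumentException("Domain must be a plain NetBIOS name such as ""biz"".")
        End If
        If username Is Nothing OrElse Not UserPattern.IsMatch(username) Then
            Throw New ArgumentException("User name has characters outside the allow-list.")
        End If
        Return domain & "\" & username
    End Function

    ' RFC 4515 escaping for a value placed inside an LDAP search filter.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    Sub Main()
        ' Constructed inputs; "biz" and "DC=biz" mirror the values quoted in the thread.
        For Each d As String In New String() {"biz", "DC=biz"}
            Try
                Console.WriteLine(BuildBindName(d, "username"))
            Catch ex As ArgumentException
                Console.WriteLine("rejected '" & d & "': " & ex.Message)
            End Try
        Next
        Console.WriteLine("(sAMAccountName=" & EscapeFilterValue("j(smith)*") & ")")
    End Sub
End Module
```

Rejecting the malformed domain before the bind turns a misleading "unknown user name or bad password" result into a configuration error that points at the actual parameter.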