LDAP query fails from ASP.NET

Discussion in 'ASP .Net Security' started by maria.s, Aug 31, 2005.

  1. maria.s

    maria.s Guest

    Hi,

    I've got a problem with an LDAP query submitted from my ASP.NET application.
    Configuration: Windows 2003 Server Standard Ed., the application uses
    Windows Integrated Authentication and is configured with <identity
    impersonate="true" />

    I try to submit the following query:

    Dim IdentityName As String = Context.User.Identity.Name
    ' rootDomain is assumed to already hold the domain's DNS name (not shown in the post)
    Dim sRoot As String = "LDAP://" + rootDomain

    Dim de As New DirectoryServices.DirectoryEntry(sRoot)
    ' Secure = Kerberos/NTLM bind as the impersonated user; Delegation lets that bind
    ' forward the user's credentials on to the DC, which only works when the web
    ' server's account is trusted for Kerberos delegation
    de.AuthenticationType = DirectoryServices.AuthenticationTypes.Secure _
        Or DirectoryServices.AuthenticationTypes.Delegation

    ' DOMAIN\user -> user, then escape the RFC 4515 filter metacharacters
    Dim sam As String = IdentityName.Split("\"c)(1)
    sam = sam.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
             .Replace(")", "\29").Replace(vbNullChar, "\00")
    ' the original filter had a redundant pair of parentheses around the two terms
    Dim filter As String = String.Format("(&(objectClass=user)(sAMAccountName={0}))", sam)
    Dim ds As New DirectoryServices.DirectorySearcher(de, filter)

    Dim sr As DirectoryServices.SearchResult = ds.FindOne()
    If sr Is Nothing Then
        ' FindOne returns Nothing when the search matches nothing (or when the
        ' delegated bind cannot read the user object); fail loudly instead of
        ' dereferencing Nothing on the next line
        Throw New ApplicationException("No user object found for " & sam)
    End If
    Dim desr As DirectoryServices.DirectoryEntry = sr.GetDirectoryEntry()

    This query fails at the last line (sr = Nothing)

    If I change the configuration to use Basic authentication, the query succeeds.

    If I put a userName and password to the identity tag the query also
    succeeds. (but other parts of the program will not work with this
    configuration).

    I would appreciate any help in this
    maria.s, Aug 31, 2005
    #1

  2. Paul Clement

    Paul Clement Guest

    On Wed, 31 Aug 2005 08:46:30 -0700, "maria.s" <> wrote:

    ¤ Hi,
    ¤
    ¤ I've got a problem with an LDAP query submitted from my ASP.NET application.
    ¤ Configuration: Windows 2003 Server Standard Ed., the application uses
    ¤ Windows Integrated Authentication and is configured with <identity
    ¤ impersonate=”true” />
    ¤
    ¤ I try to submit the following query:
    ¤
    ¤ Dim IdentityName as String = Context.User.Identity.Name
    ¤ Dim sRoot As String = "LDAP://" + rootDomain
    ¤
    ¤ Dim de As New DirectoryServices.DirectoryEntry(sRoot)
    ¤ de.AuthenticationType = DirectoryServices.AuthenticationTypes.Secure
    ¤ Or DirectoryServices.AuthenticationTypes.Delegation
    ¤
    ¤ Dim filter As String =
    ¤ String.Format("(&((objectClass=user)(sAMAccountName={0})))",
    ¤ IdentityName.Split("\"c)(1))
    ¤ Dim ds As New DirectoryServices.DirectorySearcher(de, filter)
    ¤
    ¤ Dim sr As DirectoryServices.SearchResult = ds.FindOne
    ¤ Dim desr As DirectoryServices.DirectoryEntry = sr.GetDirectoryEntry
    ¤
    ¤ This query fails at the last line (sr = Nothing)
    ¤
    ¤ If I change the configuration to use Basic authentication, the query succeeds.
    ¤
    ¤ If I put a userName and password to the identity tag the query also
    ¤ succeeds. (but other parts of the program will not work with this
    ¤ configuration).
    ¤
    ¤ I would appriciate any help in this
    ¤
    ¤

    Sounds like there might be an issue with the delegation of credentials, however you don't mention
    the error that is being generated (access denied?) so I can only make a wild guess.

    I don't see the line of code you mentioned in the sample you posted. You may want to add some error
    handling (Try...Catch) to your code.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Clement, Sep 1, 2005
    #2

  3. maria.s

    maria.s Guest

    The exception is "object reference not set to an instance of an object" (I
    think that means FindOne returns no result)

    "Paul Clement" wrote:


    >
    > Sounds like there might be an issue with the delegation of credentials, however you don't mention
    > the error that is being generated (access denied?) so I can only make a wild guess.
    >
    > I don't see the line of code you mentioned in the sample you posted. You may want to add some error
    > handling (Try...Catch) to your code.
    >
    >
    > Paul
    > ~~~~
    > Microsoft MVP (Visual Basic)
    >
    maria.s, Sep 1, 2005
    #3
  4. Joe Kaplan (MVP - ADSI)

    Yes, this is a delegation issue. If you want to use the security context of
    the authenticated user to access AD, you must impersonate the user and have
    Kerberos delegation enabled in order to make the additional machine hop.

    If you don't need to use the credentials of the current user, then the other
    approaches you tried are all viable.

    Joe K.

    "maria.s" <> wrote in message
    news:...
    > The exception is object reference not set to an instance of an object (i
    > think that means FindOne returns no result)
    >
    > "Paul Clement" wrote:
    >
    >
    >>
    >> Sounds like there might be an issue with the delegation of credentials,
    >> however you don't mention
    >> the error that is being generated (access denied?) so I can only make a
    >> wild guess.
    >>
    >> I don't see the line of code you mentioned in the sample you posted. You
    >> may want to add some error
    >> handling (Try...Catch) to your code.
    >>
    >>
    >> Paul
    >> ~~~~
    >> Microsoft MVP (Visual Basic)
    >>
    Joe Kaplan (MVP - ADSI), Sep 7, 2005
    #4
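Joe Kaplan's reply names the prerequisite but not how to verify it. The script below is an added example, written for this page and not taken from the thread or from any of its posters, that checks the Kerberos delegation prerequisites for the second hop (browser to IIS, IIS to domain controller) and then configures constrained delegation to the domain controllers' LDAP service. It uses the ActiveDirectory PowerShell module, which arrived with the Windows Server 2008 R2 RSAT; on the Windows 2003 setup in the question the same settings live on the account's Delegation tab in Active Directory Users and Computers and in setspn.exe. The host name, domain name and app pool account are placeholders. Two caveats that matter in practice: NTLM credentials can never be delegated, so the fix only helps when the browser actually obtains a Kerberos ticket for the site (correct SPN, Negotiate offered by IIS); and unconstrained delegation lets a compromised web server impersonate every visiting user to any service in the domain, so the example configures constrained delegation to ldap/ on the DCs instead, which is all this query needs.

```powershell
# Added example (not from the thread): check and configure the Kerberos
# delegation that an impersonated LDAP bind needs for the second hop
# (browser -> IIS -> domain controller). Requires the ActiveDirectory
# module (RSAT) and rights to modify the account. Names are placeholders.
Import-Module ActiveDirectory

$WebServer   = 'WEB01'               # IIS host running the ASP.NET app (placeholder)
$Domain      = 'corp.example.com'    # placeholder
$AppPoolUser = $null                 # e.g. 'svc_webapp' if the app pool runs as a domain user

# 1. Identify the account that presents the HTTP service ticket. Network
#    Service (the IIS 6 default) authenticates as the computer account; a
#    custom application pool identity authenticates as that user.
$props = 'servicePrincipalName', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
if ($AppPoolUser) {
    $acct = Get-ADUser -Identity $AppPoolUser -Properties $props
    # A custom identity must carry the HTTP SPNs itself; without them the
    # browser falls back to NTLM, and NTLM can never be delegated.
    $needed = @("HTTP/$WebServer", "HTTP/$WebServer.$Domain")
} else {
    $acct = Get-ADComputer -Identity $WebServer -Properties $props
    # For a computer account the HOST/ SPNs cover the HTTP service.
    $needed = @("HOST/$WebServer", "HOST/$WebServer.$Domain")
}
foreach ($spn in $needed) {
    if ($acct.servicePrincipalName -notcontains $spn) {
        Write-Warning "SPN $spn is not registered on $($acct.SamAccountName); register it with: setspn -S $spn $($acct.SamAccountName)"
    }
}

# 2. Delegation state. Unconstrained delegation (TrustedForDelegation) lets a
#    compromised web server impersonate every visiting user to ANY service.
#    Constrained delegation to the DCs' ldap/ SPNs is all this query needs.
if ($acct.TrustedForDelegation) {
    Write-Warning "$($acct.SamAccountName) is trusted for UNCONSTRAINED delegation; prefer constrained delegation"
}
if ($acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is enabled; not needed when clients authenticate with Kerberos"
}

# Build the same ldap/ SPN list the ADUC Delegation tab would add: every
# ldap/ SPN registered on each domain controller's computer account.
$ldapSpns = foreach ($dc in Get-ADDomainController -Filter *) {
    (Get-ADComputer -Identity $dc.Name -Properties servicePrincipalName).servicePrincipalName |
        Where-Object { $_ -like 'ldap/*' }
}
$allowed = @($acct.'msDS-AllowedToDelegateTo')
$missing = @($ldapSpns | Where-Object { $allowed -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Adding constrained delegation to:`n  $($missing -join "`n  ")"
    Set-ADObject -Identity $acct.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
} else {
    Write-Host "$($acct.SamAccountName) may already delegate to LDAP on all DCs"
}

# 3. Kerberos has to be negotiated end to end for any of this to apply: the
#    IIS site must offer Negotiate (IIS 6: cscript adsutil.vbs get
#    w3svc/1/NTAuthenticationProviders should list Negotiate) and the browser
#    must reach the site by a name that matches one of the SPNs checked above.
```

Run it once as a domain administrator before touching web.config; if step 1 reports a missing SPN or step 2 reports unconstrained delegation, fix those first, because adding `Delegation` to `AuthenticationTypes` in the application does nothing until the account is allowed to delegate and the client is actually using Kerberos.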
