Listing domain users

Felix_WafyTech

Hello,

I'm using windows authentication to authenticate users to my site. I now
want to

1. Add the ability of listing domain users (From Active Directory)
2. Filter the user list based on the roles (or groups) assigned to them (via
Active Directory).

Any help would be greatly appreciated.

Thanks,
Felix.J
 
MikeS

Maybe have a look at System.DirectoryServices, the DirectorySearcher,
SearchResult and DirectoryEntry.
 
Luke Zhang [MSFT]

I agree with Mike that you need to query AD with classes in
System.DirectoryServices. Here is a simple sample which may help you
understand:

http://support.microsoft.com/?id=326340

Hope this helps,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Felix_WafyTech

Thanks for the reply.

The article that you quoted applies to ASP .NET 1.0 and 1.1. How about ASP
.NET 2.0? Are there any enhancements to the way AD Authentication is
performed using ASP .NET 2.0?

Thanks,
Felix.J
 
Joe Kaplan (MVP - ADSI)

All of the binding code in ASP.NET 2.0 for S.DS is about the same. What
kind of enhancements were you looking for? If you explain more what your
app is trying to do and whose credentials you are trying to use to do it,
that would help.

The primary directory services enhancements in .NET 2.0 are a large number
of additional searching features, some cool enhancements for managing ACLs
on DS objects and the S.DS.ActiveDirectory namespace.

Joe K.
 
Felix

Thanks. I read the How To's listed in MSDN, and I'm quite clear about the
authentication.

I'm now trying to secure a page that allows users to view, insert and edit
data. I now want to secure this page using windows authentication role based
security. This is what I would like to do:

1. All users including anonymous users should be able to view data.
2. All users with the Managers role can view and insert data.
3. All users with the Administrators role can view, insert and edit data.

I've seen examples that create three different folders (and .aspx files) for
each of these actions and use the web.config file to allow or deny access to
those pages based on roles. I would like to do the same but with a single
page. I do not want to duplicate web pages. Any help would be greatly
appreciated.

Thanks,
Felix.J
 
MikeS

The simple answer may be that you may need to use a rolemanager and
make calls to User.IsInRole to determine what you will allow your users
to see and do.

I wonder about some other things...

Are you using the WindowsTokenRoleProvider, that is, are the roles you
mentioned defined as NT groups?

Do you have your sql procs locked down with grants based on these same
roles so that you need to impersonate the callers role back to the
database? If so you may want to use different connection strings based
on each type of user. ...Or is there a (nother can of worms) middle
tier...

Me, I think it is probably more trouble to manage different views in a
single page than to just create the three pages that know exactly who
they are dealing with and isolate as much common functionality using
web controls and master pages. But otherwise maybe look at the
multiview control.

Note that location tag lock downs using windows auth and NT group names
don't need a full blown rolemanager but as soon as you want to call any
Roles.* method or anything like it you need the rolemanager.
 
Joe Kaplan (MVP - ADSI)

Agreed. Don't do any LDAP for this. Windows does all of the group lookup
stuff for you with WindowsPrincipal.IsInRole (for any version of ASP.NET)
and the new membership stuff for 2.0.

Joe K.
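Putting Mike's and Joe's advice into one page, as an added example that is not code from the thread: a single ASP.NET 2.0 code-behind gates view, insert and edit on Windows group membership with User.IsInRole, and re-checks the role when the action actually runs. It assumes Windows authentication in web.config with anonymous access still permitted in IIS, and domain groups named DOMAIN\Managers and DOMAIN\Administrators (placeholder names).

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: one page, three capability levels, gated on NT groups.
public partial class DataPage : Page
{
    // Group names as Windows reports them (placeholders, DOMAIN\Group form).
    const string ManagersRole = @"DOMAIN\Managers";
    const string AdminsRole   = @"DOMAIN\Administrators";

    // Controls declared in the .aspx markup.
    protected GridView dataGrid;
    protected Panel insertPanel;
    protected Panel editPanel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Everyone, anonymous users included, may view.
        dataGrid.Visible = true;

        // With Windows auth, User is a WindowsPrincipal and IsInRole checks
        // NT group membership directly; no roleManager is needed for this.
        // Calling Roles.* instead would require <roleManager enabled="true"/>.
        bool isManager = User.IsInRole(ManagersRole);
        bool isAdmin   = User.IsInRole(AdminsRole);

        insertPanel.Visible = isManager || isAdmin;
        editPanel.Visible   = isAdmin;
    }

    // Hiding a control is a UI decision only; authorization is enforced
    // again where the work is done, so the two cannot drift apart.
    protected void InsertButton_Click(object sender, EventArgs e)
    {
        if (!(User.IsInRole(ManagersRole) || User.IsInRole(AdminsRole)))
            throw new UnauthorizedAccessException("Insert requires the Managers role.");
        // ... perform the insert ...
    }

    protected void EditButton_Click(object sender, EventArgs e)
    {
        if (!User.IsInRole(AdminsRole))
            throw new UnauthorizedAccessException("Edit requires the Administrators role.");
        // ... perform the edit ...
    }
}
```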
 
Felix_WafyTech

Hi,

Thanks for the reply.

I'm getting an error "Logon failure: unknown user name or bad password." when using the following code to retrieve the users list from Active Directory. The error occurs in the line mySearcher.FindAll(). I'm using windows authentication role based security. The site map menus hide/unhide based on the user logged into windows. I do not understand why the below code says unknown user name when the sitemap menus work as expected. Any help is very much appreciated.

using System.DirectoryServices;

DirectoryEntry entry = new DirectoryEntry("LDAP://" + domainName); // binds with the process's default credentials
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = "(objectClass=user)";
foreach (SearchResult resEnt in mySearcher.FindAll())
    Response.Write(resEnt.Path + "<br />"); // loop body was omitted in the post; one line per user

Thanks,

Felix.J
 
Joe Kaplan (MVP - ADSI)

You are trying to connect to the directory with default credentials. That may or may not work, depending on the state of the current security context. It is pretty much the exact same set of rules governing connecting to SQL server using SSPI.

Why do you need to do this though? I thought you were going to use the built-in role-based security stuff that ASP.NET already supports with Windows auth?

Joe K.

 
MikeS

As Joe remarked...

Perhaps because you are trying to connect to the LDAP server using
ASP's credentials which are shown in
System.Security.Principal.WindowsIdentity.GetCurrent.Name.

Maybe try to use the DirectoryEntry (String, String, String)
constructor as shown in the article that Luke referenced and provide
credentials that have rights to query AD.

Might be a better topic for the AD forum now.

I'll tell you what though, if you go and flesh out the whole
RoleProvider interface that uses NT groups instead of AzMan and isn't
half implemented like the WindowsTokenRoleProvider then please share it
with me.
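As an added example (not Felix's code nor the KB article's) covering Felix's two original requests and Mike's suggestion of the three-argument DirectoryEntry constructor: list the domain's user accounts, optionally only the members of one group, binding as an explicit read-only service account instead of the worker-process identity that produced the logon failure. Domain name, group DN and account name are placeholders.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public static class AdUserLister
{
    // The identity a default bind uses (Mike's check); under IIS this is the
    // worker-process account, not the browsing user.
    public static string CurrentProcessIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Returns the sAMAccountName of every user object; groupDn (null for all
    // users) limits the result to direct members of that group. A plain
    // memberOf filter does not expand nested group membership.
    public static List<string> ListUsers(string domainDns, string groupDn,
                                         string bindUser, string bindPassword)
    {
        // objectCategory=person excludes computer accounts, which are also
        // objectClass=user and would otherwise appear in the list.
        string filter = "(&(objectClass=user)(objectCategory=person)";
        if (groupDn != null)
            filter += "(memberOf=" + EscapeFilterValue(groupDn) + ")";
        filter += ")";

        var users = new List<string>();
        // Explicit credentials for a low-privilege, read-only account; keep the
        // password out of source (e.g. an encrypted web.config section).
        using (var root = new DirectoryEntry("LDAP://" + domainDns, bindUser,
                                             bindPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root, filter,
                                                    new[] { "sAMAccountName" }))
        {
            searcher.PageSize = 500; // paged results; unpaged searches are capped at 1000
            using (SearchResultCollection found = searcher.FindAll())
                foreach (SearchResult r in found)
                    users.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return users;
    }

    // RFC 4515 escaping so a caller-supplied DN cannot change the filter's meaning.
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

Call it as ListUsers("corp.example.com", "CN=Managers,OU=Groups,DC=corp,DC=example,DC=com", @"CORP\svc-adreader", password), or pass null as groupDn for the full user list.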
 