Problem in Accessing Active Directory from ASP.net

Discussion in 'ASP .Net Security' started by Maqsood Ahmed [MCAD .NET], Jun 23, 2006.

  1. Environment:
    Windows XP, .NET/ASP .NET 2.0

    I am developing an intranet application for my company. I want to use LDAP
    to get the existing users of the company and allow them access according to
    their roles. I have set identity impersonation = true and authentication mode
    = "Windows" in the Web.config file of the application.

    I get a COMException whenever I try to access LDAP objects using the
    DirectoryEntry class. It only happens when I use it through IIS; it works
    fine with the ASP .NET Development Server. Please note that I am using
    serverless binding.
    The exception message is like the following:
    System.Runtime.InteropServices.COMException (0x8007054B): The specified
    domain either does not exist or could not be contacted.

    Code:
    using System.DirectoryServices;

    // Serverless bind: no server or domain in the path, so ADSI must locate a
    // domain controller for the account the current thread is running as.
    DirectoryEntry de = new DirectoryEntry();
    string domainName = de.Name; // This line generates the exception
    I have also tried to assign a domain account as the Anonymous account for
    the Virtual Directory, but it didn't help either.
    Can any of you please let me know what I should do to get it
    working? Should I always provide the domain name, username and password to
    access the LDAP objects, or can't it be used via anonymous access?
    Maqsood Ahmed [MCAD .NET], Jun 23, 2006
    #1

  2. We cover this type of stuff in great detail in our book, but here are a few
    pointers.

    First, you may not need to use LDAP at all to get the user's groups. If you
    are using Windows auth in IIS (IWA, Basic or Digest), then ASP.NET already
    "knows" the user's groups via the WindowsIdentity and WindowsPrincipal objects
    in Context.User. Just call IsInRole to access the Groups property.

    If you really do need to access AD using the authenticated user's
    credentials and you are using IWA for authentication, then you'll need to
    enable Kerberos delegation. You also may need to provide a domain hint in
    your path as serverless binding may not work the way you want to. Simply
    put the DNS domain name in your path:

    LDAP://yourdomain.com/DC=yourdomain,DC=com

    instead of

    LDAP://DC=yourdomain,DC=com

    Getting Kerberos delegation working will likely be the more tricky part.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan (MVP - ADSI), Jun 23, 2006
    #2

  3. Hello Joe,
    Thanks for replying. Please note that I am facing difficulty in accessing
    the LDAP object only on application startup (i.e. when I try to access it in
    the Application.Start event). It works fine if I access it via any aspx page.
    --
    Maqsood Ahmed
    MCAD .NET [Windows/Web]
    Senior Software Developer/Analyst
    Kolachi Advanced Technologies
    http://www.kolachi.net

    Maqsood Ahmed, Jun 26, 2006
    #3
  4. Perhaps the security context is different here then. What is the value of
    System.Security.Principal.WindowsIdentity.GetCurrent().Name in each case?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan (MVP - ADSI), Jun 26, 2006
    #4
  5. Hello,
    Yes, that is what I wanted to say earlier: the security context is
    different for both.
    It is using ASPNET local account in Application.Start event handler, while
    it is using my Logged On Domain account context when I access LDAP using an
    aspx page.

    How can I access LDAP in Application.Start event handler?
    --
    Maqsood Ahmed
    MCAD .NET [Windows/Web]
    Senior Software Developer/Analyst
    Kolachi Advanced Technologies
    http://www.kolachi.net

    Maqsood Ahmed, Jun 27, 2006
    #5
  6. I'm guessing you are running under XP or Win2K then, right? In this case,
    you either need to programmatically impersonate a service account or
    (probably better), change the process account to a valid domain account that
    can access AD. In XP and 2K, you do this by changing the processModel
    configuration in machine.config.

    If you were using IIS 6/Win2K3, you just change the app pool identity as
    required.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan (MVP - ADSI), Jun 27, 2006
    #6
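An added example, not code from the thread, that pulls Joe's pointers together: a group check from the principal ASP.NET already holds (no LDAP), a bind with a DNS domain hint instead of a serverless path, and a report of which Windows account the bind actually ran as, which is the diagnostic that separates the Application_Start (ASPNET process account) case from the page (impersonated caller) case. The domain name, naming context and AdProbe class name are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

public static class AdProbe
{
    // Placeholders: replace with the real DNS domain name and its naming context.
    const string DomainHint = "corp.example.com";
    const string DomainRoot = "DC=corp,DC=example,DC=com";

    // Account the current thread runs as. With impersonation on IIS 5 (XP) this is
    // the caller inside a page but the process account (ASPNET) in Application_Start,
    // which is why the same bind works in one place and fails in the other.
    public static string CurrentAccount()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Group check from the token ASP.NET already holds: no LDAP traffic at all.
    // Role names take the form DOMAIN\Group.
    public static bool CallerIsInRole(HttpContext ctx, string role)
    {
        var principal = ctx.User as WindowsPrincipal;
        return principal != null && principal.IsInRole(role);
    }

    // Bind to the domain root with an explicit DNS domain hint rather than a
    // serverless path, using Secure (Kerberos/NTLM) authentication. Returns the
    // root's name on success, or a diagnostic that records the account that failed.
    public static string TryBindDomainRoot()
    {
        string path = "LDAP://" + DomainHint + "/" + DomainRoot;
        try
        {
            using (var de = new DirectoryEntry(path, null, null, AuthenticationTypes.Secure))
            {
                return "bound as " + CurrentAccount() + ": " + de.Name;
            }
        }
        catch (COMException ex)
        {
            // 0x8007054B (ERROR_NO_SUCH_DOMAIN): wrong hint, DNS failure, or a local
            // account such as ASPNET that cannot locate or authenticate to a DC.
            return "bind failed as " + CurrentAccount()
                + " (0x" + ex.ErrorCode.ToString("X8") + ")";
        }
    }
}
```

Call AdProbe.TryBindDomainRoot() from both Application_Start in Global.asax and an aspx page and compare the account named in the two results; if startup reports the ASPNET account, the fix is the process identity Joe describes (processModel on XP/2000, app pool identity on IIS 6), not the LDAP code.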