Retrieving User's Groups from Active Directory using ASP.NET


L Magarian

I'm using forms based authentication and LDAP to authenticate a user against
Active Directory. This is working fine.

The point where I'm stuck is retrieving the groups this user is assigned.

My web server and active directory servers are different machines. When I
test by deploying the web app on the active directory machine it does work.
However, I will not be able to employ this work around in the production
setting.

Can anyone advise me as to how to retrieve these user groups?

Are there special settings for searching the Active Directory when running a
web app off a different server?

Many Thanks!
 

Paul Clement

¤ I'm using forms based authentication and LDAP to authenticate a user against
¤ Active Directory. This is working fine.
¤
¤ The point where I'm stuck is retrieving the groups this user is assigned.
¤
¤ My web server and active directory servers are different machines. When I
¤ test by deploying the web app on the active directory machine it does work.
¤ However, I will not be able to employ this work around in the production
¤ setting.
¤
¤ Can anyone advise me as to how to retrieve these user groups?
¤
¤ Are there special settings for searching the Active Directory when running a
¤ web app off a different server?

Could you indicate what type of error you are receiving and identify the line
of code where it occurs?


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 

L Magarian

The error is: "The specified domain either does not exist or could not be
contacted", and is thrown by the FindOne() method.
The path I'm using looks like
LDAP://company.com/CN=My Name,OU=User Accounts,OU=Accounts,DC=company,DC=com

This is the method I'm using to get the user's groups:

    using System.DirectoryServices;
    using System.Text;

    // _path is the LDAP path to search and _filterAttribute the user's cn (both set elsewhere in the class)
    public string GetGroups()
    {
        DirectorySearcher search = new DirectorySearcher(_path);
        // escape the RFC 4515 filter metacharacters (backslash first) so a crafted cn cannot rewrite the filter
        string cn = _filterAttribute.Replace("\\", "\\5c").Replace("*", "\\2a")
            .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
        search.Filter = "(cn=" + cn + ")";
        search.PropertiesToLoad.Add("memberOf");
        StringBuilder groupNames = new StringBuilder();

        SearchResult result = search.FindOne();
        if (result == null) return null;   // nothing matched the filter

        // memberOf is multi-valued: read each value rather than casting the whole collection
        foreach (object value in result.Properties["memberOf"])
        {
            string dn = (string)value;   // e.g. CN=Web Admins,OU=Groups,DC=company,DC=com
            int equalsIndex = dn.IndexOf('=');
            if (-1 == equalsIndex) return null;
            // an escaped "\," inside the cn would cut the name short here
            int commaIndex = dn.IndexOf(',', equalsIndex + 1);
            if (-1 == commaIndex) commaIndex = dn.Length;
            groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1));
            groupNames.Append("|");
        }
        return groupNames.ToString();
    }
 

Joe Kaplan \(MVP - ADSI\)

This is a security context problem that is very common in ASP.NET. It can
be rectified a number of ways, including using specific domains and
credentials in your DirectoryEntry objects or changing the identity that
ASP.NET is running under. There are more details here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Additionally, this is a very bad approach for discovering a user's group
membership for security purposes. I know it is based on published MS
samples, but they are still bad. MemberOf includes non-security groups and
doesn't include nested group membership or the primary group.
Additionally, you shouldn't use the CN of the group name for security
purposes, as a group with that name may exist in multiple containers.
Instead, you should use a domain-unique security name such as the
samAccountName of the group.

The better approach is to look up group membership using tokenGroups. There
are numerous samples posted on the web and newsgroups that show how to do
this. A Google search will find them easily.

Joe K.

L Magarian said:
[...]

Paul Clement said:
On Tue, 28 Sep 2004 01:51:03 -0700, "L Magarian"
[...]
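Worked example for the two points in Joe Kaplan's reply above: binding with explicit server and credentials so the ASP.NET process identity plays no part, and reading tokenGroups instead of memberOf. This is an added example, not code from the thread or from the Microsoft samples it mentions. The server name, the user DN and the bind account are parameters you supply; the sample assumes the bind account is a low-privilege domain account with read access to the user and group objects, and that the server is a domain controller reachable from the web server. The verifier does not run C#, so the block ships as written.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example (not the poster's code): tokenGroups-based group lookup with an explicit bind.
public static class TokenGroupsLookup
{
    // Explicit Secure (Kerberos/NTLM) bind with sealing; the worker process identity is irrelevant.
    private static DirectoryEntry Bind(string path, string bindUser, string bindPassword)
    {
        return new DirectoryEntry(path, bindUser, bindPassword,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
    }

    // Every SID in the user's token: security groups only, with nested groups and the
    // primary group already expanded by the domain controller.
    public static List<SecurityIdentifier> GetTokenGroups(
        string server, string userDn, string bindUser, string bindPassword)
    {
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        using (DirectoryEntry user = Bind("LDAP://" + server + "/" + userDn, bindUser, bindPassword))
        {
            // tokenGroups is a constructed attribute and is only returned when asked for explicitly
            user.RefreshCache(new string[] { "tokenGroups" });
            foreach (object value in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier((byte[])value, 0));
        }
        return sids;
    }

    // Authorization decision by SID (SDDL string such as the one shown by ADSI Edit for the
    // group), never by CN: the SID is domain-unique and survives a rename of the group.
    public static bool IsInGroup(List<SecurityIdentifier> tokenGroups, string groupSddl)
    {
        return tokenGroups.Contains(new SecurityIdentifier(groupSddl));
    }

    // Map the SIDs to domain-unique sAMAccountNames with a single search on objectSid.
    public static List<string> ResolveNames(
        string server, string bindUser, string bindPassword, List<SecurityIdentifier> sids)
    {
        List<string> names = new List<string>();
        if (sids.Count == 0) return names;

        // (|(objectSid=\01\05...)(objectSid=...)) -- binary values are hex-escaped per RFC 4515
        StringBuilder filter = new StringBuilder("(|");
        foreach (SecurityIdentifier sid in sids)
        {
            byte[] raw = new byte[sid.BinaryLength];
            sid.GetBinaryForm(raw, 0);
            filter.Append("(objectSid=").Append(EscapeBinary(raw)).Append(")");
        }
        filter.Append(")");

        // "LDAP://server" with no DN binds to the domain's default naming context
        using (DirectoryEntry domain = Bind("LDAP://" + server, bindUser, bindPassword))
        using (DirectorySearcher searcher = new DirectorySearcher(domain))
        {
            searcher.Filter = filter.ToString();
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000;   // paged results in case the token holds many groups
            searcher.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    if (r.Properties["sAMAccountName"].Count > 0)
                        names.Add((string)r.Properties["sAMAccountName"][0]);
            }
        }
        return names;
    }

    private static string EscapeBinary(byte[] data)
    {
        StringBuilder sb = new StringBuilder(data.Length * 3);
        foreach (byte b in data) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Usage (placeholder values; webAdminsSid is the SDDL SID of the group you authorize against):
    //   List<SecurityIdentifier> groups = GetTokenGroups("dc1.company.com",
    //       "CN=My Name,OU=User Accounts,OU=Accounts,DC=company,DC=com", "company\\svc-web", password);
    //   bool allowed = IsInGroup(groups, webAdminsSid);
    //   List<string> names = ResolveNames("dc1.company.com", "company\\svc-web", password, groups);
}
```

Compile against System.DirectoryServices.dll. The user DN should be the one you already obtained when the forms-authentication bind succeeded, rather than a fresh search on cn. Not every SID in the token necessarily has a matching object in the searched naming context (well-known and foreign-domain SIDs will simply not resolve), which is one more reason to make the authorization decision on the SID itself and use the resolved names only for display or logging. Keep the bind account's password out of source (a protected configuration section rather than a literal in code), and give that account read access only.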
 
