urgent help on Active Directory Authentication from dotnet


varkey.mathew

Dear all,

Bear with me, a poor newbie (at least in AD)..

I have to authenticate a user ID and password for a user as a valid
Active Directory user or not. I have created the IsAuthenticated
function exactly as outlined in the below link.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT02.asp

However, the code is not running. When I try to validate the user as
per the function, the following message is displayed to me: "Logon
failure: unknown user name or bad password". Any help would be
appreciated in deciphering this error message.

Now going through the code, I am not understanding

    DirectoryEntry entry = new DirectoryEntry(_path,
                                              domainAndUsername,
                                              pwd);

My understanding was in the above constructor, one would be passing a
userid and password that has access rights to the AD. Is it true that
any valid user credentials from AD can be used for this purpose? Or do
I need to assign some special rights to the user, so as to make this
function not give me the weird error jotted above.


Any help in the above will be highly appreciated.

Best regards,

Varkey
 

Steven Cheng[MSFT]

Hi Varkey,

Welcome to ASPNET newsgroup.
Regarding the AD authentication validation question you mentioned, here
are some of my understanding and suggestions:

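=============
// Requires: using System.DirectoryServices;
string domainAndUsername = domain + @"\" + username;
DirectoryEntry entry = new DirectoryEntry(_path,
                                          domainAndUsername,
                                          pwd);

try
{
    // Bind to the native AdsObject to force authentication.
    Object obj = entry.NativeObject;
}
catch (Exception ex)
{
    // A failed bind (for example, rejected credentials) is reported here.
    throw new Exception("Error authenticating user. " + ex.Message);
}
==============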

As mentioned in the article, the above code uses the DirectoryEntry class's
constructor to supply the username/password you want to authenticate, and it
is followed by an

    Object obj = entry.NativeObject;

statement which forces the supplied account (username/password) to be
authenticated against AD. Also, to make sure that the specific user is
authenticated, you can explicitly set the AuthenticationType in the
DirectoryEntry's constructor like:

    DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd,
                                              AuthenticationTypes.Secure);

Also, since you mentioned that the error message is

"Logon failure: unknown user name or bad password".

That indicates that the account you supplied is not a valid user in the
Active Directory space. Have you tried using a valid domain account to see
whether it can pass the query or always gets such error info? If you always
get such error info when performing the query through a valid domain user,
I'll suggest you try running the same code in a desktop or console
application, or contact your Domain admin to see whether they've blocked any
related read permission for normal users (generally all valid domain users
should have the permission to perform read access operations).

In addition, if you meet any further ADSI specific problem, you can post in
the microsoft.public.adsi and its sub newsgroups.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



--------------------
| From: (e-mail address removed)
| Newsgroups: microsoft.public.dotnet.framework.aspnet,microsoft.public.windows.server.active_directory
| Subject: urgent help on Active Directory Authentication from dotnet
| Date: 20 Oct 2005 20:59:23 -0700
 

Patrick.O.Ige

As Steve advised, it seems you don't have access to the AD.
But in my experience with authenticating with AD, it also seems that IIS
can't authenticate with AD.
Are you sure you have set:
<identity impersonate="true" />
in your web.config? Also make sure you select the Anonymous Access checkbox
in IIS.
In short, make sure your Web App is set for Forms Auth.
Patrick
 

varkey.mathew

Dear Patrick and Steven,

After a lot of fights, I have managed to resolve the problem that I had
faced. Thanks a tonne for both your assistance. Actually I was needing
the AD Authentication for a Desktop application only.

The userID and password that I was using were valid. However, the issue
was with the Path string that I have used. I was trying with
"LDAP://CN=....,OU=....,DC=...." as was shown in the example I have
quoted, even while working from a remote machine.

When I realised that I need to append the IP Address/Domainname of the
server also in the path, I hit bullseye & the code suddenly came
alive..

So I have changed the syntax to
"LDAP://xxx.xx.xx.xxx/CN=....,OU=....,DC=...." for the LDAP Path and it
worked...

Thanks once again for both your help... You don't know what a great
help it is to have people knowledgeable respond to our queries and
provide a completely different perspective, and more options to try
out, when one is at one's wits end.

Keep up the good work. :)

Best regards,
Varkey
 

Joe Kaplan (MVP - ADSI)

This error message means what it says. Either the username or the password
was not understood. Note that other logon failures such as account lockout,
password expiration and account disabled will produce the same general
error.

Sometimes people get the format of the user name wrong though. Perhaps that
is your problem. Can you provide a sample of what your strings look like?

Joe K.
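
Added example (not part of any post in this thread, and not code from the MSDN article): a C# bind check that uses the server-bound path form Varkey ended up with and, for the point Joe makes about lockout, expiry and disabled accounts sharing one general error, reads the sub-code Active Directory may place in the extended error text. `AdBindCheck`, `TryBind`, `Classify` and the parameter names are hypothetical; whether a sub-code is reported depends on how the bind was negotiated, which is why the default branch exists.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

public static class AdBindCheck   // hypothetical helper, not from the thread
{
    // HRESULTs that ADSI raises when the bind fails.
    const int LogonFailure = unchecked((int)0x8007052E); // unknown user name or bad password
    const int ServerDown = unchecked((int)0x8007203A);   // the server is not operational
    // True on a successful bind. 'reason' is meant for server-side logs, not for the user.
    public static bool TryBind(string server, string baseDn, string domainAndUsername,
                               string pwd, out string reason)
    {
        // Server-bound path (LDAP://host/DN), the form that worked in this thread.
        string path = "LDAP://" + server + "/" + baseDn;
        try
        {
            using (var entry = new DirectoryEntry(path, domainAndUsername, pwd,
                                                  AuthenticationTypes.Secure))
            {
                object native = entry.NativeObject; // forces the bind
                reason = "ok";
                return true;
            }
        }
        catch (COMException ex) when (ex.ErrorCode == LogonFailure || ex.ErrorCode == ServerDown)
        {
            var ds = ex as DirectoryServicesCOMException;
            reason = ex.ErrorCode == ServerDown
                ? "directory server unreachable; check the host part of the path"
                : Classify(ds != null ? ds.ExtendedErrorMessage : null);
            return false;
        }
    }
    // AD may append a hex sub-code ("data 52e") to the extended error text.
    public static string Classify(string extended)
    {
        Match m = Regex.Match(extended ?? "", @"data\s+([0-9a-fA-F]+)");
        switch (m.Success ? m.Groups[1].Value.ToLowerInvariant() : "")
        {
            case "52e": return "bad password";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "775": return "account locked out";
            default: return "logon failure, cause not reported";
        }
    }
}
```

Show the person logging in only a generic failure and keep `reason` in the application log, so the response does not reveal which accounts exist or are locked.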
 

Steven Cheng[MSFT]

Hi Varkey,

Thanks for your followup. Really glad that you've finally figured out the
problem. Also, if you meet any further questions in your development,
please feel free to post in MSDN newsgroup. Always Welcome ! :)

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| From: (e-mail address removed)
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Subject: Re: urgent help on Active Directory Authentication from dotnet
| Date: 21 Oct 2005 08:35:48 -0700
| Organization: http://groups.google.com
 
