Use IsInRole method with Domain and Username, but without password

Discussion in 'ASP .Net Security' started by Steve Kallal, Jun 8, 2005.

  1. Steve Kallal

    Steve Kallal Guest

I am a relative newbie to ASP .NET security. I have an administrative screen
    to add users to a small database that manages privileges within a Web app.
    The table contains the domain name and username. I want to be able to add a
    user to the table and check to see if the Domain\Username combination is
    valid in an Active Directory role.

    However all of the .NET code samples I find require the domain, username and
    password. I am looking for a way to verify a user is in an Active Directory
    role without passing the password. For example, I can pass my Domain and
    Username to a routine along with a password using the LogonUser API call and
    then verify my membership in a role. But I want to be able to do this for
    other users without knowing their passwords. My hunch is that this is not
    possible. But I am hoping it is.

    Otherwise, I will simply need to wait until the user logs onto the app and
    the windows login fails.

    Thanks in advance,

    Steve Kallal
    Steve Kallal, Jun 8, 2005
    #1

  2. June 8, 2005

    You could use LDAP and System.DirectoryServices to query Active
    Directory and find out yourself. Then you won't have to know the password,
    but would require programming on your part. It also might require greater
    privileges than you have right now, but you might want to look into it. I'm
    not familiar with LDAP, so I hope that this will lead you in the right
    direction.

    --
    Joseph Bittman
    Microsoft Certified Application Developer

    Web Site: http://71.35.110.42
    Dynamic IP -- Check here for future changes

    "Steve Kallal" <> wrote in message
    news:...
>I am a relative newbie to ASP .NET security. I have an administrative
    >screen
    > to add users to a small database that manages privileges within a Web app.
    > The table contains the domain name and username. I want to be able to add
    > a
    > user to the table and check to see if the Domain\Username combination is
    > valid in an Active Directory role.
    >
    > However all of the .NET code samples I find require the domain, username
    > and
    > password. I am looking for a way to verify a user is in an Active
    > Directory
    > role without passing the password. For example, I can pass my Domain and
    > Username to a routine along with a password using the LogonUser API call
    > and
    > then verify my membership in a role. But I want to be able to do this for
    > other users without knowing their passwords. My hunch is that this is not
    > possible. But I am hoping it is.
    >
    > Otherwise, I will simply need to wait until the user logs onto the app and
    > the windows login fails.
    >
    > Thanks in advance,
    >
    > Steve Kallal
    >
    Joseph Bittman MCAD, Jun 8, 2005
    #2

  3. Steve Kallal

    Steve Kallal Guest

    Re: Use IsInRole method with Domain and Username, but without pass

    Thanks Joseph. I was searching the newsgroups and came up with similar ideas.
Sorry you're not familiar with it, but at least I have some direction.

    Steve Kallal
    Steve Kallal, Jun 8, 2005
    #3
  4. The best way to do this is with the "protocol transition" constructor for
    WindowsIdentity which just takes a userPrincipalName as an argument. It
    will use Kerberos S4U to create a WindowsIdentity which can create a
    WindowsPrincipal. This can be used for role checks.

    The downside is that it requires Windows Server 2003 to run on AND Windows
    Server 2003 native mode domain controllers. However, it does work. We use
    it internally to do something very similar in a custom SharePoint
    application and it is great.

    As Joseph mentioned, unwinding groups via S.DS/LDAP is also a possibility,
    but that sucks quite a bit more.

    HTH,

    Joe K.

    "Steve Kallal" <> wrote in message
    news:...
>I am a relative newbie to ASP .NET security. I have an administrative
    >screen
    > to add users to a small database that manages privileges within a Web app.
    > The table contains the domain name and username. I want to be able to add
    > a
    > user to the table and check to see if the Domain\Username combination is
    > valid in an Active Directory role.
    >
    > However all of the .NET code samples I find require the domain, username
    > and
    > password. I am looking for a way to verify a user is in an Active
    > Directory
    > role without passing the password. For example, I can pass my Domain and
    > Username to a routine along with a password using the LogonUser API call
    > and
    > then verify my membership in a role. But I want to be able to do this for
    > other users without knowing their passwords. My hunch is that this is not
    > possible. But I am hoping it is.
    >
    > Otherwise, I will simply need to wait until the user logs onto the app and
    > the windows login fails.
    >
    > Thanks in advance,
    >
    > Steve Kallal
    >
Joe Kaplan (MVP - ADSI), Jun 8, 2005
    #4
  5. Steve Kallal

    Steve Kallal Guest

    Re: Use IsInRole method with Domain and Username, but without pass

    Thanks Joe. I had looked at WindowsIdentity constructor earlier today. I
    could not find any real documentation on what string to pass. So I tried
several without any success. I do believe we are using Windows 2003 Server
    here, but as to Native Mode, I will need to research.

    Please elaborate on the userPrincipalName string if you can.

    Thanks,

    Steve Kallal
    Steve Kallal, Jun 9, 2005
    #5
  6. Re: Use IsInRole method with Domain and Username, but without pass

    User principal name (UPN) is the logon name format of . If
    you don't know yours, you can look it up in AD Users and Computers or
    another AD query tool.

    Note also that you can only RUN this code on a 2003 server. The underlying
    API variant is only supported there. Calling it from XP or lower won't
    work, regardless of your AD environment.

    Joe K.

    "Steve Kallal" <> wrote in message
    news:...
    > Thanks Joe. I had looked at WindowsIdentity constructor earlier today. I
    > could not find any real documentation on what string to pass. So I tried
> several without any success. I do believe we are using Windows 2003
    > Server
    > here, but as to Native Mode, I will need to research.
    >
    > Please elaborate on the userPrincipalName string if you can.
    >
    > Thanks,
    >
    > Steve Kallal
    >
Joe Kaplan (MVP - ADSI), Jun 9, 2005
    #6
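The protocol-transition approach from posts #4 and #6, as an added example (editor's code, not anything posted in this thread or shipped by Microsoft). The UPN `jdoe@corp.example.com` and the group `CORP\WebAppAdmins` are constructed placeholders. It assumes .NET Framework 2.0 or later for `WindowsIdentity.Groups` and the `NTAccount` translation, and, as Joe says, that the process runs on Windows Server 2003 or later against a Windows Server 2003 functional-level domain:

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Added example, not code from this thread. The UPN and group name below are
// constructed placeholders; replace them with values from your own domain.
public static class S4URoleCheck
{
    // Build a WindowsIdentity for another user with no password, via the
    // "protocol transition" constructor (Kerberos S4U2Self). Without
    // constrained delegation the resulting token is identification-level,
    // which is enough for group/role checks but not for impersonation.
    public static bool IsUserInRole(string userPrincipalName, string groupName)
    {
        WindowsIdentity identity = new WindowsIdentity(userPrincipalName);
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        // IsInRole(string) expects the "DOMAIN\\Group" form.
        return principal.IsInRole(groupName);
    }

    // List the user's effective group names (nested membership included),
    // which is what the S4U token already carries.
    public static List<string> GetGroupNames(string userPrincipalName)
    {
        List<string> names = new List<string>();
        WindowsIdentity identity = new WindowsIdentity(userPrincipalName);
        foreach (IdentityReference group in identity.Groups)
        {
            try
            {
                names.Add(group.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(group.Value); // orphaned SID: keep the raw S-1-5-... form
            }
        }
        return names;
    }

    public static void Main()
    {
        string upn = "jdoe@corp.example.com"; // constructed placeholder
        string role = @"CORP\WebAppAdmins";   // constructed placeholder
        try
        {
            Console.WriteLine("{0} in {1}: {2}", upn, role, IsUserInRole(upn, role));
            foreach (string name in GetGroupNames(upn))
            {
                Console.WriteLine("  member of " + name);
            }
        }
        catch (SecurityException ex)
        {
            // Thrown when the UPN does not resolve or S4U is unavailable
            // (pre-2003 domain controllers, or the calling OS does not support it).
            Console.WriteLine("Could not build identity for {0}: {1}", upn, ex.Message);
        }
    }
}
```

Treat a `SecurityException` here as "cannot evaluate" rather than "not in role": on Steve's Windows 2000 domain the constructor fails outright, so the admin screen should report that S4U is unavailable instead of silently denying the user. On .NET Framework 4 and later `WindowsIdentity` is also `IDisposable`, so wrap it in `using` there.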
  7. Steve Kallal

    Steve Kallal Guest

    Re: Use IsInRole method with Domain and Username, but without pass

    Thanks again Joe for the prompt reply. Unfortunately the domain controllers
    are Windows 2000. As for the client machine calling it, I use XP Pro as my
    development desktop. The Web servers that will host the code are Windows
    Server 2003. My DBA tells me we are a Windows 2000 network for now because
    there are still some NT 4 servers lingering.

    I guess this leaves me with Joseph's LDAP solution, which he claims, no
    knowledge. If you know anything about the LDAP solution and the
    System.DirectoryServices namespace, let me know. Otherwise I will repost this
    question accordingly.

    Thanks again,

    Steve Kallal
    Steve Kallal, Jun 9, 2005
    #7
  8. Re: Use IsInRole method with Domain and Username, but without pass

    June 9, 2005

    LOL No, I don't have any knowledge. (Now for the resume line.) But I am
    eager to learn! LOL Okay, but seriously, if Joe knows of a
    System.DirectoryServices book, let me know! I've been looking for one for
    quite a while now and have yet to find one. I would prefer a Microsoft Press
    but just need a book from any source. I'm actually in a beta where LDAP is
    used for one of the features, but I need to find a book to learn LDAP. If
    anybody has suggestions, I would greatly appreciate them! :) :)

    --
    Joseph Bittman
    Microsoft Certified Application Developer

    Web Site: http://71.35.110.42
    Dynamic IP -- Check here for future changes

    "Steve Kallal" <> wrote in message
    news:...
    > Thanks again Joe for the prompt reply. Unfortunately the domain
    > controllers
    > are Windows 2000. As for the client machine calling it, I use XP Pro as my
    > development desktop. The Web servers that will host the code are Windows
    > Server 2003. My DBA tells me we are a Windows 2000 network for now because
    > there are still some NT 4 servers lingering.
    >
    > I guess this leaves me with Joseph's LDAP solution, which he claims, no
    > knowledge. If you know anything about the LDAP solution and the
    > System.DirectoryServices namespace, let me know. Otherwise I will repost
    > this
    > question accordingly.
    >
    > Thanks again,
    >
    > Steve Kallal
    >
    Joseph Bittman MCAD, Jun 9, 2005
    #8
  9. Re: Use IsInRole method with Domain and Username, but without pass

    Start with Ryan's blog posting here:
    http://dunnry.com/blog/archive/2005/03/09/211.aspx

    It explains how to do group membership expansion for a user in AD via LDAP.
    I think his sample may have a bug, but I'm sitting next to him at Tech Ed
    and will ask him to fix it.

    There are a few gotchas when doing LDAP programming in ASP.NET that you have
    to watch out for. This article is a good start.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

    If you get stuck, come back and start a new thread.

    Joe K.

    "Steve Kallal" <> wrote in message
    news:...
    > Thanks again Joe for the prompt reply. Unfortunately the domain
    > controllers
    > are Windows 2000. As for the client machine calling it, I use XP Pro as my
    > development desktop. The Web servers that will host the code are Windows
    > Server 2003. My DBA tells me we are a Windows 2000 network for now because
    > there are still some NT 4 servers lingering.
    >
    > I guess this leaves me with Joseph's LDAP solution, which he claims, no
    > knowledge. If you know anything about the LDAP solution and the
    > System.DirectoryServices namespace, let me know. Otherwise I will repost
    > this
    > question accordingly.
    >
    > Thanks again,
    >
    > Steve Kallal
    >
Joe Kaplan (MVP - ADSI), Jun 9, 2005
    #9
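The LDAP/System.DirectoryServices route from posts #2 and #9, as an added example (editor's code, not Ryan's sample or anything posted here). It reads the constructed `tokenGroups` attribute, which Active Directory (Windows 2000 included) computes server-side and which already contains nested and primary-group membership, so no recursive `memberOf` walk is needed. The LDAP path, domain and account names are constructed placeholders, and the code assumes the web application runs under an identity that is allowed to read the directory:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example, not code from this thread. LDAP path, domain and user
// names are constructed placeholders.
public static class LdapGroupExpansion
{
    // Effective (nested) group names for DOMAIN\samAccountName, read from
    // the user's tokenGroups attribute.
    public static List<string> GetEffectiveGroups(string ldapPath, string samAccountName)
    {
        List<string> groups = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the caller-supplied value so it cannot rewrite the filter
            // (LDAP injection), then look the user up by sAMAccountName.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                return groups; // unknown user: empty membership, not an exception
            }

            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                // tokenGroups is only populated on explicit request.
                user.RefreshCache(new string[] { "tokenGroups" });
                foreach (byte[] sidBytes in user.Properties["tokenGroups"])
                {
                    SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);
                    try
                    {
                        groups.Add(sid.Translate(typeof(NTAccount)).Value); // "DOMAIN\Group"
                    }
                    catch (IdentityNotMappedException)
                    {
                        groups.Add(sid.Value); // orphaned SID: keep the raw form
                    }
                }
            }
        }
        return groups;
    }

    // Same contract as WindowsPrincipal.IsInRole("DOMAIN\\Group").
    public static bool IsInRole(string ldapPath, string samAccountName, string domainGroup)
    {
        foreach (string g in GetEffectiveGroups(ldapPath, samAccountName))
        {
            if (string.Equals(g, domainGroup, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        string ldapPath = "LDAP://DC=corp,DC=example,DC=com"; // constructed placeholder
        Console.WriteLine(IsInRole(ldapPath, "jdoe", @"CORP\WebAppAdmins"));
    }
}
```

Because the Domain\Username comes from an admin form, the filter escaping is the part not to skip: a value such as `*)(objectClass=*` would otherwise turn the lookup into a wildcard match. If the ASP.NET worker process identity cannot read the directory (the situation the KB article Joe links addresses), pass explicit service-account credentials to the `DirectoryEntry` constructor rather than the end user's.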
  10. Re: Use IsInRole method with Domain and Username, but without pass

    I'm hoping we have a good answer on a .NET LDAP book around the new year.
    :)

    In the meantime, there is an APress title that is ok, but not great.

    Joe K.

    "Joseph Bittman MCAD" <> wrote in message
    news:...
    > June 9, 2005
    >
    > LOL No, I don't have any knowledge. (Now for the resume line.) But I am
    > eager to learn! LOL Okay, but seriously, if Joe knows of a
    > System.DirectoryServices book, let me know! I've been looking for one for
    > quite a while now and have yet to find one. I would prefer a Microsoft
    > Press but just need a book from any source. I'm actually in a beta where
    > LDAP is used for one of the features, but I need to find a book to learn
    > LDAP. If anybody has suggestions, I would greatly appreciate them! :) :)
    >
    > --
    > Joseph Bittman
    > Microsoft Certified Application Developer
    >
    > Web Site: http://71.35.110.42
    > Dynamic IP -- Check here for future changes
    >
    > "Steve Kallal" <> wrote in message
    > news:...
    >> Thanks again Joe for the prompt reply. Unfortunately the domain
    >> controllers
    >> are Windows 2000. As for the client machine calling it, I use XP Pro as
    >> my
    >> development desktop. The Web servers that will host the code are Windows
    >> Server 2003. My DBA tells me we are a Windows 2000 network for now
    >> because
    >> there are still some NT 4 servers lingering.
    >>
    >> I guess this leaves me with Joseph's LDAP solution, which he claims, no
    >> knowledge. If you know anything about the LDAP solution and the
    >> System.DirectoryServices namespace, let me know. Otherwise I will repost
    >> this
    >> question accordingly.
    >>
    >> Thanks again,
    >>
    >> Steve Kallal
    >>

    >
    >
Joe Kaplan (MVP - ADSI), Jun 9, 2005
    #10
