Webservice IsInRole and LDAP to AD

Discussion in 'ASP .Net Security' started by Harold, Aug 20, 2004.

  1. Harold

    Harold Guest

    Can someone explain to me why IsInRole will work, but using
    DirectorySearcher will not? The code is running in a business object behind
    a webservice. The user's credentials (windows authentication) are being
    passed to the webservice. The webservice is configured for "integrated
    windows authentication" and no "anonymous access".

    The error "An operations error occurred" occurs when FindOne is executed.
    The LDAP information is good as it works when it is not behind the
    webservice.

    If this is because of the double-hop of a token, how can IsInRole use the
    token and not DirectorySearcher?

    Here's the code:

    For using LDAP:

    Imports System.DirectoryServices
    Imports System.Security.Principal
    Imports System.Threading

    ' Identity of the authenticated caller, supplied by integrated Windows authentication.
    Dim ID As WindowsIdentity = CType(Thread.CurrentPrincipal.Identity, WindowsIdentity)
    Dim ImpersonateContext As WindowsImpersonationContext = ID.Impersonate()
    ' The LDAP path is a string; the quotes were missing in the original.
    Dim oLDPA As New DirectoryEntry("LDAP://ServerName/DC=name1,DC=name2,DC=net")
    Dim oSearch As New DirectorySearcher(oLDPA)
    Dim oGroups As New Hashtable
    With oSearch
        ' Look the caller up by the account part of "DOMAIN\user".
        .Filter = String.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
            Split(Thread.CurrentPrincipal.Identity.Name, "\")(1))
        .CacheResults = False
        .PropertyNamesOnly = True
        .ReferralChasing = ReferralChasingOption.All
        Dim iSearchResult As SearchResult = .FindOne()   ' fails with "An operations error occurred"
    End With
    ImpersonateContext.Undo()

    For using IsInRole:
    If System.Threading.Thread.CurrentPrincipal.IsInRole(sGroup) Then
        ' caller is a member of sGroup
    End If


    Thanks,
    Harold
     
    Harold, Aug 20, 2004
    #1

  2. This is probably an issue related to security context. It is explained
    pretty thoroughly here:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

    Essentially, you are probably either running as a local machine account and
    your bind to AD will end up being anonymous or you are impersonating a
    domain account, but your token can't delegate to another machine, so you
    still end up with an anonymous bind.

    You can verify this is the problem easily by changing the constructor for
    your search root DirectoryEntry to include credentials.

    Also, S.DS questions are usually best asked in the adsi.general group
    (although this is obviously relevant to ASP.NET too).

    Joe K.

    Joe Kaplan (MVP - ADSI), Aug 20, 2004
    #2
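    The check Joe suggests, binding the search root with explicit credentials and comparing it with the bind under the impersonated token, as an added example that is not code from the thread. It assumes .NET 2.0 or later (for Using blocks), and the service account name and password are placeholders to be read from protected configuration, not values from the original post.

    ```vb
    ' Added example: confirm whether the impersonated token can bind to AD
    ' from inside the web service, by comparing it with an explicit bind.
    Imports System
    Imports System.DirectoryServices
    Imports System.Runtime.InteropServices
    Imports System.Threading

    Public Module BindCheck

        ' Same search root as the original post.
        Private Const LdapPath As String = "LDAP://ServerName/DC=name1,DC=name2,DC=net"

        ' Runs the same sAMAccountName lookup as the original code against a
        ' search root bound with whatever credentials the caller supplied.
        Private Function FindUser(ByVal root As DirectoryEntry, ByVal sam As String) As SearchResult
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = String.Format( _
                    "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", sam)
                searcher.PropertiesToLoad.Add("memberOf")
                Return searcher.FindOne()
            End Using
        End Function

        ' First try under the caller's token (the default bind), then with an
        ' explicit service account. If only the second attempt succeeds, the
        ' caller's token cannot be presented to the domain controller from this
        ' process, which is the anonymous-bind / double-hop case from the KB.
        ' serviceUser / servicePassword are hypothetical inputs: load them from
        ' protected configuration, never hard-code them.
        Public Sub Diagnose(ByVal serviceUser As String, ByVal servicePassword As String)
            Dim sam As String = Split(Thread.CurrentPrincipal.Identity.Name, "\")(1)

            Try
                Using root As New DirectoryEntry(LdapPath)   ' binds as the current thread token
                    FindUser(root, sam)
                End Using
                Console.WriteLine("Bind with the current token works.")
            Catch ex As COMException
                ' "An operations error occurred" surfaces here as a COMException.
                Console.WriteLine("Bind with the current token failed: " & ex.Message)
            End Try

            Using root As New DirectoryEntry(LdapPath, serviceUser, servicePassword, _
                                             AuthenticationTypes.Secure)
                Dim result As SearchResult = FindUser(root, sam)
                If result Is Nothing Then
                    Console.WriteLine("Explicit-credential bind works, but no object found for " & sam)
                Else
                    Console.WriteLine("Explicit-credential bind works: " & result.Path)
                End If
            End Using
        End Sub
    End Module
    ```

    AuthenticationTypes.Secure keeps the explicit bind on Kerberos/NTLM rather than a simple (cleartext) bind; the service account only needs read access to the user objects being searched.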

  3. Harold

    Harold Guest

    Thanks for the article. I understand what is being said about the primary
    token and how to get around it. What I'm having a hard time understanding
    is how can the IsInRole method access the AD information and not the
    DirectorySearcher. Are they not both using the same token?

    Harold, Aug 20, 2004
    #3
  4. WindowsPrincipal.IsInRole isn't using LDAP to talk to AD. Windows
    authentication uses RPC to authenticate and communicate with the domain
    controller.

    They also may not be using the same token. Windows authentication happens
    down in the lower levels of IIS directly, not in the ASP.NET stack.
    Inetinfo.exe will pass the user's token to the aspnet_wp.exe process or your
    app pool worker process on IIS 6, and they almost never use the same process
    token.

    Joe K.

    Joe Kaplan (MVP - ADSI), Aug 20, 2004
    #4
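    A small diagnostic that makes Joe's point about the different tokens visible, as an added example rather than code from the thread. It assumes .NET 2.0 or later (WindowsIdentity.ImpersonationLevel does not exist in 1.1) and is meant to be called from inside the web service method under integrated Windows authentication.

    ```vb
    ' Added example: show which identity each context sees, and why IsInRole
    ' can answer when an LDAP bind under the same caller cannot.
    Imports System
    Imports System.Security.Principal
    Imports System.Threading

    Public Module TokenCheck

        Public Sub Report()
            ' The authenticated caller, as handed to ASP.NET by IIS.
            Dim caller As WindowsIdentity = _
                CType(Thread.CurrentPrincipal.Identity, WindowsIdentity)

            Console.WriteLine("Thread.CurrentPrincipal          : " & caller.Name)
            ' Before impersonating, GetCurrent() is the worker process account
            ' (aspnet_wp.exe or the IIS 6 application pool identity).
            Console.WriteLine("Process token (not impersonating): " & WindowsIdentity.GetCurrent().Name)
            ' Only a Delegation-level token can be presented to another machine
            ' such as a domain controller; Impersonation is enough for local use.
            Console.WriteLine("Caller token impersonation level : " & caller.ImpersonationLevel.ToString())

            Dim ctx As WindowsImpersonationContext = caller.Impersonate()
            Try
                ' While impersonating, the thread token is the caller's token.
                Console.WriteLine("Thread token while impersonating : " & WindowsIdentity.GetCurrent().Name)
            Finally
                ctx.Undo()
            End Try

            ' IsInRole is answered from the group SIDs already inside the token,
            ' so it does not need an LDAP bind and works even when that token
            ' cannot be delegated off this machine.
            Dim principal As New WindowsPrincipal(caller)
            Console.WriteLine("Member of BUILTIN\Users          : " & _
                principal.IsInRole(WindowsBuiltInRole.User).ToString())
        End Sub
    End Module
    ```

    If the caller token reports Impersonation rather than Delegation, the DirectorySearcher failure in the original post is expected: the impersonated thread can use the token locally (which is all IsInRole needs) but cannot use it to authenticate to the domain controller.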