Active Directory

[Ernest Griffin]

I am trying to determine if the logged in user belongs to an Active
Directory Group. I have started with these code snippets:

WindowsIdentity id = WindowsIdentity.GetCurrent();
IdentityReferenceCollection irc = id.Groups;

This only returns the ID of the groups, I need the AD Group Name.

string adPath = "LDAP://MyDom.com";
DirectoryEntry entry = new DirectoryEntry(adPath);
string userName = HttpContext.Current.User.Identity.Name.ToString();
string name = userName.Substring(userName.IndexOf(@"\") + 1);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = "(cn=" + name + ")";
mySearcher.PropertiesToLoad.Add("memberOf");
mySearcher.PropertiesToLoad.Add("cn");
StringBuilder groupNames = new StringBuilder();
SearchResult result = mySearcher.FindOne();
DirectoryEntry userEntry = result.GetDirectoryEntry();
int propertyCount = result.Properties["memberOf"].Count;

The propertyCount comes back as 0.

What am I doing wrong? Any help greatly appreciated.

 

[Darren Kopp]

Is your application running with full trust? The PropertiesToLoad
property requires full trust. Check out this link, at the bottom it
has the security requirements.

http://msdn.microsoft.com/library/d...rectorysearcherclasspropertiestoloadtopic.asp

HTH,
Darren Kopp
http://blog.secudocs.com/

 

[Ernest Griffin]

I am running this in my local test environment. How do I set up full trust?

 

[Ernest Griffin]

I am running IIS6 and VS2005

 

[Darren Kopp]

Check out these links, they have good descriptions of what you need to
do (both in code and framework configuration).

http://cyberforge.com/weblog/aniltj/archive/2004/04/27/486.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000017.asp
(asp.net 2.0)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000020.asp
(asp.net 2.0)
http://support.microsoft.com/default.aspx?scid=kb;en-us;815164

I'm not positive that is your problem, though it may be suspect. I
would think it would throw a security exception or something, but
documentation says that it may just "not work correctly".

HTH,
Darren Kopp
http://blog.secudocs.com/

 

[Ernest Griffin]

I set the Trust to Full for the System.DirectoryServices.DLL to no avail.

I kinda agree, that if that was the issue, I would see a security issue.

To test that, I set the web app to "High" vs. "Full" and received a security
error

 

[Erik Funkenbusch]

I am trying to determine if the logged in user belongs to an Active
Directory Group.

You're going to have to provide a little more information. When you say
"logged in user", what do you mean?

Do you mean the user logged in to their local machine accessing your web
page?

Do you mean the user is logged in to the web page using the ASP.NET 2.0
Login Controls?

Do you mean the user is logged in to the web page using some custom code
you (or someone else) wrote?

I have started with these code snippets:

WindowsIdentity id = WindowsIdentity.GetCurrent();
IdentityReferenceCollection irc = id.Groups;

This only returns the ID of the groups, I need the AD Group Name.

I assume you're using ASP.NET 2.0, since Groups is a new property added in
2.0 on WindowsIdentity.

Why not just use the role provider methods used by ASP.NET, set the role
provider to use WindowsTokenRoleProvider, then you can just do
Role.GetRolesForUser()?

 

[Ernest Griffin]

This is running in an internal web site.
External Users will be challenged with windows authentication.
The users will be loggin into the local domain.
The users will browse to pages.
I will determine who they are (I can do that successfully)
I will query the LDAP to see what groups they are in.
Depending on the result, I will show different items.
I am using IIS6
I am using .NET 2.0 and 1.1
I am using VS2005
I am using SQL2000
This is within a WSS Web part.

 

[Ernest Griffin]

Here is the code that worked From Start to Finish

WindowsIdentity id = WindowsIdentity.GetCurrent();
IdentityReferenceCollection irc = WindowsIdentity.GetCurrent().Groups;
string[] strArray = new string[irc.Count];
int t = 0;
foreach(IdentityReference ir in irc)
{
IdentityReference account = ir.Translate(typeof(NTAccount));
strArray[t] = account.Value;
t++;
}

 

[Erik Funkenbusch]

This is running in an internal web site.
External Users will be challenged with windows authentication.

I assume what you mean is you will use basic authentication for external
users. Be aware that this sends passwords in clear text. Hopefully,
you're using SSL.

The users will be loggin into the local domain.

External users will have to use a domain qualifier, and this can be
annoying to many users. For example, they may have to type
"DOMAIN\username" rather than just "username". There is no reliable method
to avoid this other than using Forms Authentication, and then you don't get
the automatic WindowsIdentity.

I see below that you already have a solution that works for you. Just be
aware that there are several gotcha's when dealing with Windows Identities
when using external (non-domain attached) computers.