Authentication via AD

[VK]

Hello,

I want to authenitcate my users against the Active Directory. Do I have to
go through the LDAP to do that? We are not using LDAP. I have googled and
found several examples - however they all use LDAP.

Any suggestions?
Thanks

 

[Joe Kaplan \(MVP - ADSI\)]

The preferred method of authenticating against AD is to us the SSPI API with
the negotiate protocol. This is easy to do in .NET 2.0 with the
NegotiateStream class, but requires some significant p/invoke in .NET 1.x.
There are samples online though.

Another good option is to let Windows authenticate for you. Depending on
your application architecture (you don't specify), this may or may not be
possible.

LDAP should be possible if you have AD as it supports LDAP natively.
However, I'd recommend avoiding LDAP authentication unless you have to use
it.

Joe K.

 

[VK]

Thanks Joe for the reply. Can you point me to some URLs which shows how to
use authenticate with AD? Also what do you mean wit:

Another good option is to let Windows authenticate for you. Depending on
your application architecture (you don't specify), this may or may not be
possible.

I am kind of new in authentication. Thanks for any suggestions.

 

[Joe Kaplan \(MVP - ADSI\)]

It really depends on what your application is. You haven't explained at all
what you are building. Is it a normal web application or something else?
Can it use IIS/Windows for authentication or does it need to be forms
authentication?

Joe K.

 

[VK]

Thanks for the response.

Its an intranet application. All users are authenticated with the active
directory and I would like to use that in my asp.net application too. The
goal is to allow certain users with specefic priviliges from the AD to see
special pages and others dont see them. However everybody has to
authenticated via the AD. Ideally I would like to see a windows pop up, which
asks for the UserID and pw.

Thanks

 

[VK]

Forgot to mention. I already can see the popup which asks for the user and
pw, but the title of the window says:

"Connect to SystemName"

Shouldnt it say: "Connect to domainName" ?

I am testing all this locally right now. I dont want to put something on the
server that doesnt work.

Thanks again

 

[Joe Kaplan \(MVP - ADSI\)]

Ok, so you don't want to do any programmatic authentication at all. Just
let Windows, IIS and the browser take care of it for you.

If you configure ASP.NET for Windows authentication in web.config and
configure IIS for Windows auth (uncheck anonymous, check basic/digest or
IWA, depending on what you want), and you should be good to go.

To do role-based authorization in your application, just use the
Context.User object. This contains an IPrincipal object that will be a
WindowsPrincipal. Use it's IsInRole method to check the user's group
membership for your security decisions. You can also use the <allow/> and
<deny/> tags in web.config to configure access to specific pages
declaratively.

HTH,

Joe K.

 

[VK]

Thanks for the help buddy. I am assuming that it will automatically
authenticate via the AD now. I have checked: "Digest authentication..." and
"Integrated Windows Authentication". Furtheremore I disabled "Anonymous
access". Do I have to enter the domain in the "realm" field?

Anyhow my administrator told me that we are not completely on AD yet, we are
in kind of mixed mode with NT4 and therefore I am not sure if that all will
work or not. We are switching next week completely to AD and then I will have
to test this more. I will let you know next week how the test went. I would
like to thank you for all the help.

Regards

 

[Joe Kaplan \(MVP - ADSI\)]

As long as the web server is a member of the domain you want to authenticate
against, you should be able to use IIS to authenticate those members. It
should work if the domain is NT4 or AD. The key is that the IIS box is a
member server.

Whether you use digest, basic or IWA is up to you. There are good and bad
points about each one. I'm not really familiar with Digest, so I'm not sure
how to advise you on the proper use of the realm parameter.

Joe K.

 

[VK]

Well that seems to work. Many many thanks buddy! I have another additional
question.

Can I now get access to the users data from the AD - like Fullname, email
phone etc?

Regards

 

[Joe Kaplan \(MVP - ADSI\)]

That's a different problem entirely.

Once you actually have AD up and running, you would typically do this kind
of stuff via LDAP. LDAP IS the normal query mechanism for AD.

Essentially, you need to find the user in the directory given whatever name
they used for login and query whatever attributes you need. The normal
issues here are what account you want to use to query AD. Do you want to
use the user's security context in a delegation scenario or do you want to
use a fixed service account? There are many many threads on this exact
topic in microsoft.public.adsi.general that you can google for.

Joe K.

 

[VK]

I understand. Well, I will wait till we AD running and then see from there.
Can I also force the user to login only when he requests ONLY page x.aspx ?

 

[Joe Kaplan \(MVP - ADSI\)]

Well, Windows authentication is configured at the IIS level, so you would
need to enabled the settings for that in the IIS metabase first. For
example, different virtual directories in your app can have different IIS
security settings.

It is probably easier just to authenticate the entire application though.

Joe K.

 

[bradbury9]

You can choose the way to access AD. Check the link bellow:

http://www.c-sharpcorner.com/DirectoryServices.asp

As said in another post the best way is confgure IIS autentication to
check for roles. To gather info from the AD you can use
System.DirectoryServices or LDAP API calling.

IMHO I would use the .NET wrapper, (System.DirectoryServices). Seems
easier to me.

"Requirements. System.DirectoryServices is supported on Windows Server
2003. System.DirectoryServices can be redistributed on Windows 98,
Windows 98 SE and Windows NT 4.0, as long as the DS Client is
installed on client machines. It can also be redistributed on Windows
2000 Windows XP."