Ok, in the delegated model, you don't do much from either the DsCrackNames
(IADsNameTranslate) or the DirectorySearcher perspective. I'll just talk
about the DirectorySearcher example, as DsCrackNames would depend a lot on
how you are setting up the wrapper.
The security context and domain identification info for a DirectorySearcher
object is determined by the DirectoryEntry object that is used as the
SearchRoot property. When you want to use the credentials of the current
security context (in this case, the thread in ASP.NET that is impersonating
the logged on user), you just specify "null" for the username and password
and specify AuthenticationTypes.Secure:
DirectoryEntry searchRoot = new DirectoryEntry(path, null, null, AuthenticationTypes.Secure);
To answer your question, let's say you wanted to query AD with a fixed
service account (trusted subsystem) instead of the authenticated user's
credentials. In this case, you could simply disable impersonation in
ASP.NET and then the current security context would be that of the process,
not of the user. If you are using IIS 6, then this is the app pool
identity. That is NETWORK SERVICE by default and it uses the credentials of
the machine account on the network, so the credentials would appear to AD as
the machine account for the web server. It would need the permissions to
execute whatever query you want to do (which it probably has by default).
The path is a composite piece of information and determines the protocol to
use (LDAP or GC, which uses LDAP to search the global catalog for the forest
on the GC port 3268), the domain or server to use and the path into the AD
store that will be used as the search base:
<protocol>://<server or domain>/<store path>
Note that the server or domain part is optional in some cases, as Windows
knows how to infer a server to use from the security context of the current
thread. This is called a "serverless" bind and looks like this:
<protocol>://<store path>
You'll see a lot of examples that look like that. In your case, you should
be able to do a serverless bind since presumably the current security
context is that of a domain user, so Windows should be able to discover
their domain and then infer a DC to query from that.
Ok, all that said now, the real problem you are going to have in the
delegated model is flowing the user's credentials from the browser to the
web server to the AD. Since you are using IWA auth, you will have what is
called a "double hop" in distributed authentication lingo. The bottom line
is that these don't work unless you have Kerberos delegation enabled.
Kerberos delegation is a can of worms to get working, but it can definitely
be done successfully.
There have been MANY newsgroup posts and kbase articles written that discuss
Kerberos delegation in detail, so I'd suggest you do some searches first and
come back with questions.
If you don't want to have to get Kerberos delegation working, then an option
is to switch to the trusted subsystem model and query using the process
account.
We also discuss all of this stuff in MUCH more detail in Ch 3 and 8 of our
book.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
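The delegated-model lookup described above (serverless bind, null credentials with AuthenticationTypes.Secure, a DirectorySearcher rooted on the domain), written out as an added C# example. This is not code from the thread or from the book it mentions; the class and method names (UserLookup, ToSamAccountName, EscapeFilterValue, GetDisplayName) are chosen for the example, and it assumes the attributes named in the thread (sAMAccountName, displayName) plus the standard RootDSE defaultNamingContext attribute. It also catches the 0x80072020 "operations error" reported further down the thread and reports which Windows identity actually attempted the bind, since that is the first thing to check when the double hop is failing.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example, not code from this thread or the book it mentions.
// Resolves a user's displayName from the logon name with a DirectorySearcher
// bound in the current thread's security context (the "delegated" model).
public static class UserLookup
{
    // LOGON_USER arrives as DOMAIN\user; sAMAccountName is the part after the backslash.
    public static string ToSamAccountName(string logonUser)
    {
        if (string.IsNullOrEmpty(logonUser)) return string.Empty;
        int slash = logonUser.LastIndexOf('\\');
        return slash < 0 ? logonUser : logonUser.Substring(slash + 1);
    }

    // Escape the characters RFC 4515 reserves in filter values so a caller-supplied
    // name is matched literally and cannot change the shape of the LDAP filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the displayName, or null when no matching user (or no displayName) exists.
    public static string GetDisplayName(string logonUser)
    {
        string sam = EscapeFilterValue(ToSamAccountName(logonUser));
        try
        {
            // Serverless bind: no server in the path, null credentials plus
            // AuthenticationTypes.Secure, so Windows infers a DC from the current
            // thread's context. RootDSE supplies the domain's naming context.
            string domainDn;
            using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE", null, null, AuthenticationTypes.Secure))
            {
                domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            }

            using (DirectoryEntry searchRoot = new DirectoryEntry("LDAP://" + domainDn, null, null, AuthenticationTypes.Secure))
            using (DirectorySearcher searcher = new DirectorySearcher(searchRoot))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + sam + "))";
                searcher.SearchScope = SearchScope.Subtree;
                searcher.PropertiesToLoad.Add("displayName");

                SearchResult result = searcher.FindOne();
                if (result == null || result.Properties["displayName"].Count == 0) return null;
                return (string)result.Properties["displayName"][0];
            }
        }
        catch (COMException ex)
        {
            // 0x80072020 "An operations error occurred" at Bind() is the symptom of an
            // anonymous bind: with IWA plus impersonation and no Kerberos delegation,
            // the impersonation token cannot be used for the second hop to AD.
            if (ex.ErrorCode != unchecked((int)0x80072020)) throw;
            string who = WindowsIdentity.GetCurrent().Name;
            throw new InvalidOperationException(
                "AD bind failed in the context of '" + who + "'; check impersonation and Kerberos delegation.", ex);
        }
    }
}
```

Call it as `UserLookup.GetDisplayName(Request.ServerVariables["LOGON_USER"])`. To switch to the trusted subsystem model instead, leave the code alone and turn impersonation off in web.config (`<identity impersonate="false" />`), so the bind runs as the process (app pool) account, which must then be a domain account or the machine account as described above.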
--
"Arthur" <skchbs@yahoo.com> wrote in message
news:1161709331.026520.222260@k70g2000cwa.googlegroups.com...
Quote:
Thanks Joe, that cleared things quite a bit.
>
I would prefer to go with the delegated (assuming you mean the logged
on user & not the account under which the .net app is running ? )..can
you please point me to some code?
>
Going back to your previous post, I have disabled anonymous access &
enabled Integrated windows authentication.
>
I greatly appreciate all the help as I have been going back and forth
with this for almost a week now.
>
Thanks,
Arthur
>
>
>
>
Joe Kaplan wrote:
Quote:
>This is done frequently. There are really two ways to skin the cat:
>>
> - Do an LDAP query using the DirectorySearcher
> - Use the DsCrackNames API (or IADsNameTranslate, which is the same
>thing)
>>
>Both of these things will work fine, although DsCrackNames has a more
>limited set of naming attributes it can return. The DirectorySearcher can
>issue any LDAP query, so it is more flexible.
>>
>Both have different network requirements, as LDAP goes over port 389 (or
>636) and DsCrackNames is an RPC call.
>>
>They both have similar but different context requirements, in that they need
>to know what domain to contact and what credentials to use to perform the
>query. There are a bunch of options for how this stuff may be specified and
>the credentials part is the thing that usually trips people up in the
>context of a web application since there are so many options in ASP.NET with
>impersonation and all the different ways the process model can be
>configured.
>>
>From my perspective, the most important thing to decide first is what
>security architecture do you want to use, trusted subsystem or delegated.
>With trusted subsystem, you use a fixed service account to perform the
>query. With delegated, you use the credentials of the authenticated user
>for querying the directory. Both are perfectly valid approaches and both
>can be made to work. This is really no different than when designing a SQL
>Server backend and picking the connection string to use based on the
>security model that you'll use in SQL Server.
>>
>I actually wrote a whole book about this which you might find useful,
>although I'm perfectly happy to answer your questions here.
>>
>Joe K.
>>
>--
>Joe Kaplan-MS MVP Directory Services Programming
>Co-author of "The .NET Developer's Guide to Directory Services Programming"
>http://www.directoryprogramming.net
>--
>"Arthur" <skchbs@yahoo.com> wrote in message
>news:1161705752.823548.130360@f16g2000cwb.googlegroups.com...
Quote:
Thanks Joe for your inputs. I am actually not that familiar with active
directory or its corresponding objects in .net, this is sort of my
first look into it and hence your comments seem a little detailed. Can
I assume that the code/approach I am using for my scenario will not get
me the desired results? I am guessing that what I am trying to do (get
the full name of users trying to access a web application from the
windows logon name/networkID) is a pretty common requirement, is there
anyone out there who has successfully tried this out?
>
Please help.
Thanks,
Arthur
>
>
>
Joe Kaplan wrote:
>That error in that particular place is a result of failing to bind to the
>directory and then attempting a search as an anonymous user. This happens a
>LOT in web applications when you are using IWA auth and impersonating or you
>are not impersonating and the current process account isn't a valid domain
>account.
>>
>Also, for the record, IADsNameTranslate is actually an ADSI wrapper around
>the DsCrackNames API. It doesn't use the directorysearcher under the hood.
>I'm pretty sure my coauthor has a nice C# wrapper around DsCrackNames in the
>full samples of the downloadable code from our book's website if you are
>interested.
>>
>As others have suggested, you can also call IADsNameTranslate via COM Interop.
>>
>Joe K.
>>
>--
>Joe Kaplan-MS MVP Directory Services Programming
>Co-author of "The .NET Developer's Guide to Directory Services Programming"
>http://www.directoryprogramming.net
>--
>"Arthur" <skchbs@yahoo.com> wrote in message
>news:1161644879.140128.258110@e3g2000cwe.googlegroups.com...
This is the error it throws.
>
COMException (0x80072020): An operations error occurred]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +704
System.DirectoryServices.DirectoryEntry.Bind() +10
System.DirectoryServices.DirectoryEntry.get_AdsObject() +10
System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +199
System.DirectoryServices.DirectorySearcher.FindOne() +31
>
The networkID I am passing to the function is the value from
Request.ServerVariables["LOGON_USER"].ToString()
>
Is the SAMAccountName different from this?
>
Thanks,
Arthur
>
>
Mark Rae wrote:
>"Arthur" <skchbs@yahoo.com> wrote in message
>news:1161637435.265301.81910@b28g2000cwb.googlegroups.com...
>>
Thank you all for your postings. However I am not able to get any value
(code is exactly the same). I am passing the networkID for the first param &
"displayName" for the second param.
>>
>I presume you're referring to my GetObjectProperty function...?
>>
Is there something I am missing ?
>>
>Almost impossible to tell from here...
>>
>When you say the "networkID", is that actually the SAMAccountName?
>>
>The code uses exception handling to exit "cleanly" - i.e. if it can't return
>the property being requested, it will return an empty string. When you step
>through it, what exception is it catching...?
>
>
>