
Authenticate against several Active Directory Domains

Hi there.

I have the following environment:

Active Directory running on Windows 2000. There is a root domain called
ad.sys and within this root domain there are the following subdomains:

dom1.ad.sys
dom2.ad.sys
dom3.ad.sys

I need to restrict access to a certain part of an ASP.NET page to some
admin users and check their password against the Windows domain.

IIS Authentication doesn't seem to be an option, I can't seem to supply
several domains.

One possible way would probably be:
In the database have a list of names which have access to the admin
part. When the login name matches one of that list, make a connection to
the domain and check the password. Connection could be LDAP.

Is this procedure valid? Any other ideas?

If this is a valid way, how do I connect to another domain, if the
webpage runs in one or none of those domains? I tried

System.DirectoryServices.DirectoryEntry de = new DirectoryEntry(
    "ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys",
    @"DOM1\ldapuser", "Idontknow");

But when I try to access de.Children I get an error saying

System.Runtime.InteropServices.COMException occurred in
system.directoryservices.dll

Additional Information: Unknown error (0x80050000)

When I use an LDAP client on my workstation, which is in neither of these
domains, I can connect and get the data.

Anyone know what's going on or how I should do this?

--
mfg
Marc Eggenberger
Nov 16 '05 #1


AD questions are best answered in the
microsoft.public.active.directory.interfaces newsgroup. I am sure the two
Joes will be able to give you a complete answer.
--
HTH

Ollie Riches
http://www.phoneanalyser.net

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a programmer
helping programmers.


Nov 16 '05 #2

Marc,

I'm not an expert on AD, but I think that the reason your call to get
the DirectoryEntry fails is because by default, the ASP.NET process runs
under the local user ASPNET, which doesn't have network permissions. You
can impersonate another user to run under for this operation. Check out the
documentation for the Impersonate method on the WindowsIdentity class to see
how to do this.

You can also impersonate a user for all the pages in a directory by
setting the <identity> tag in the web.config file for the directory, but
that would mean all pages run as that user, which might not be such a good
idea.

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com


Nov 16 '05 #3


If this works from a console program:

System.DirectoryServices.DirectoryEntry de = new DirectoryEntry(
    "ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys",
    @"DOM1\ldapuser", "Idontknow");

it should also work from ASP.NET, using the exact same bind string of
course.
Are you sure it fails when calling de.Children?

Willy.
Nov 16 '05 #4
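
The procedure asked about in the question (look the login up in an allowlist, then bind to that user's own domain to check the password), as an added example that is not code from any poster in this thread. The class name, the sample allowlist entries, the DOM2/DOM3 NetBIOS names and the use of each domain's DNS name as the server are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class MultiDomainAuthenticator   // hypothetical name
{
    // Assumed NetBIOS-name -> LDAP root mapping for the three subdomains.
    // The ADSI provider prefix is case-sensitive and must be written "LDAP://".
    private static readonly Dictionary<string, string> DomainRoots =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "DOM1", "LDAP://dom1.ad.sys/DC=dom1,DC=ad,DC=sys" },
            { "DOM2", "LDAP://dom2.ad.sys/DC=dom2,DC=ad,DC=sys" },
            { "DOM3", "LDAP://dom3.ad.sys/DC=dom3,DC=ad,DC=sys" },
        };

    // Constructed sample data; in the question this list lives in the database.
    private static readonly HashSet<string> AdminAllowlist =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { @"DOM1\alice", @"DOM3\bob" };

    // login is expected as DOMAIN\user. Returns true only if the login is on
    // the allowlist AND the domain accepts the supplied password.
    public static bool IsAuthorizedAdmin(string login, string password)
    {
        // An LDAP simple bind with an empty password is an unauthenticated
        // bind, so empty input is rejected before it reaches the directory.
        if (string.IsNullOrEmpty(login) || string.IsNullOrEmpty(password))
            return false;

        string[] parts = login.Split('\\');
        string root;
        if (parts.Length != 2 || !DomainRoots.TryGetValue(parts[0], out root))
            return false;                       // unknown or malformed domain
        if (!AdminAllowlist.Contains(login))
            return false;                       // not an admin: no bind attempt

        try
        {
            // Secure = negotiate Kerberos/NTLM instead of a cleartext simple bind.
            using (DirectoryEntry entry = new DirectoryEntry(
                       root, login, password, AuthenticationTypes.Secure))
            {
                return entry.NativeObject != null;   // touching it forces the bind
            }
        }
        catch (COMException)   // bad credentials or unreachable DC: fail closed
        {
            return false;
        }
    }
}
```

Because the user's own credentials are passed to the bind, no service-account password needs to be stored in the application for the password check itself.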
