DirectoryEntry authentication server different than bind?

I have a vb.net dll that has two functions: one allows a user to change
their password in AD, the second allows the user to view their
distinguishedname (based on their samaccountname). Both bind via an
SSL connection and appear to work well.

I am implementing the dll through an asp interface on the DC that holds
the fsmo role of PDC in a domain with several DCs with a replication
delay of up to an hour between the DCs.

The issue I am seeing is that after a user successfully changes their
password they are able to successfully query AD for their distinguished
name with their OLD password for a while (I am assuming until
replication notifies whichever server they are authenticating against
that their password has changed - at which point the dll throws an
"unknown username or bad password" error). The problem is that I am
pointing to the PDC emulator (the server that the asp/dll runs on) to
make the change - so I would ASSUME that this same box authenticates the
username and password... ??

Any thoughts would be welcome.

Code snippet below:
Imports System.DirectoryServices

Private iRtnCodeVal As Int32 = 1
Private sDirRoot As String = "dc=mydomain,dc=com"
Private sServer As String = "PDCEmulatorDC/"   ' trailing slash: LDAP://server/DN
Private sDomain As String = "MyDomain"

Public Function ChangePW(ByVal uName As String, ByVal oldPass As String, ByVal newPass As String) As Boolean

    ' Look up the user's DN, binding as the user with the OLD password.
    Dim uDN As String = GetDN(uName, sDomain & "\" & uName, oldPass)
    If iRtnCodeVal <> 0 Then
        ChangePW = False
        Exit Function
    End If

    Dim uDE As New DirectoryEntry("LDAP://" & sServer & uDN)
    uDE.AuthenticationType = AuthenticationTypes.SecureSocketsLayer
    uDE.Username = sDomain & "\" & uName
    uDE.Password = oldPass

    ' IADsUser.ChangePassword has no return value; Invoke returns Nothing
    ' (0 when assigned to an Integer) on success and throws on failure.
    Dim iPWChgRtn As Integer
    Try
        iPWChgRtn = uDE.Invoke("ChangePassword", New Object() {oldPass, newPass})
    Catch ex As Exception
        iRtnCodeVal = Err.Number
        ChangePW = False
        uDE.Close()
        Exit Function
    End Try
    If iPWChgRtn = 0 Then
        iRtnCodeVal = 0
        ChangePW = True
    Else
        ChangePW = False
    End If
    uDE.Close()
End Function
'------------------
Public Function GetDN(ByVal nameToFind As String, ByVal authU As String, ByVal authPW As String, Optional ByVal useSSL As Boolean = True) As String

    If InStr(authU, "\") = 0 Then   ' Will come in WITH <domain>\ from ChangePW
        authU = sDomain & "\" & authU
    End If

    Dim theEntry As New DirectoryEntry("LDAP://" & sServer & sDirRoot)
    If useSSL Then theEntry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer
    theEntry.Username = authU
    theEntry.Password = authPW

    Dim theSearcher As New DirectorySearcher(theEntry)
    theSearcher.SearchScope = SearchScope.Subtree
    ' nameToFind comes straight from the web form, so escape the RFC 4515
    ' filter metacharacters before splicing it into the filter string.
    theSearcher.Filter = "(&(samaccountname=" & EscapeLdapFilter(nameToFind) & "))"
    theSearcher.PropertiesToLoad.Add("distinguishedname")

    Dim outTxt As String = ""
    Try
        Dim Rslt As SearchResult = theSearcher.FindOne()

        If Not Rslt Is Nothing Then
            Dim prop As Object
            For Each prop In Rslt.Properties("distinguishedname")
                outTxt = prop.ToString()
            Next
            GetDN = outTxt
            iRtnCodeVal = 0
        Else
            GetDN = ""
            iRtnCodeVal = 2
        End If
    Catch ex As Exception
        GetDN = ""
        iRtnCodeVal = Err.Number
    End Try
    theEntry.Close()
End Function

' Escape the characters RFC 4515 reserves inside an LDAP filter value.
Private Function EscapeLdapFilter(ByVal value As String) As String
    Dim sb As New System.Text.StringBuilder()
    For Each c As Char In value
        Select Case c
            Case "\"c : sb.Append("\5c")
            Case "*"c : sb.Append("\2a")
            Case "("c : sb.Append("\28")
            Case ")"c : sb.Append("\29")
            Case ChrW(0) : sb.Append("\00")
            Case Else : sb.Append(c)
        End Select
    Next
    Return sb.ToString()
End Function

Nov 22 '05 #1
On that IIS machine, did you do anything with the cache?
It sounds like a user token caching issue from what you described. It's
also possible there have been some GPO changes that would affect this.

Some questions to help narrow this:
Can you test and see exactly how long that window is?
Can you provide more about the architecture? I.e. is the DC running IIS? Is
IIS running on another server and the dll is loaded on the DC?
What is the replication topology?
What client is the user using that allows them to use the old password after
changing it here?

Al

Nov 22 '05 #2
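One way to answer the question above about how long the window is, added here as an example and not code from the thread: after ChangePW succeeds, bind with the old and the new password on a fresh LdapConnection each time (System.DirectoryServices.Protocols, a simple bind over LDAPS), so the named DC checks the password itself rather than an ADSI or SSPI connection being reused. Server name, domain, user and passwords are placeholders.

```vb
' Added diagnostic, not from the thread: measure how long the OLD password
' keeps binding after a change, using a brand-new LDAPS bind per attempt.
' Placeholders: server, domain, user and both passwords.
Imports System.Net
Imports System.DirectoryServices.Protocols

Module BindWindowProbe

    ' True if the named DC accepts user/password on a new LDAPS connection.
    ' A simple bind (AuthType.Basic) over TLS is validated by that DC, so
    ' the answer is not affected by a connection cached earlier in-process
    ' or by which DC the domain locator would have picked for Negotiate.
    Function TryBind(ByVal server As String, ByVal domain As String, _
                     ByVal user As String, ByVal password As String) As Boolean
        Dim conn As New LdapConnection(New LdapDirectoryIdentifier(server, 636))
        Try
            conn.SessionOptions.SecureSocketLayer = True
            conn.AuthType = AuthType.Basic
            conn.Credential = New NetworkCredential(user, password, domain)
            conn.Bind()   ' throws LdapException on invalid credentials
            Return True
        Catch ex As LdapException
            Return False
        Finally
            conn.Dispose()
        End Try
    End Function

    Sub Main()
        Dim server As String = "PDCEmulatorDC"   ' placeholder DC name
        Dim domain As String = "MyDomain"
        Dim user As String = "testuser"
        Dim oldPass As String = "OldP@ss-placeholder"
        Dim newPass As String = "NewP@ss-placeholder"

        ' Run immediately after ChangePW(user, oldPass, newPass) returned True.
        Dim started As DateTime = DateTime.Now
        Do
            Dim oldOk As Boolean = TryBind(server, domain, user, oldPass)
            Dim newOk As Boolean = TryBind(server, domain, user, newPass)
            Console.WriteLine("{0,6:0} s  old={1}  new={2}", _
                              (DateTime.Now - started).TotalSeconds, oldOk, newOk)
            If Not oldOk Then Exit Do   ' the window has closed
            System.Threading.Thread.Sleep(30000)
        Loop While (DateTime.Now - started).TotalMinutes < 90
    End Sub
End Module
```

Point it at each DC in turn (not only the PDC emulator) to see whether the old password is accepted by the DC that received the change or only by the ones still waiting on replication.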
Thanks for the response.
The IIS server is on the DC itself - in my test environment - it is the
PDC. And it calls the DLL local to IIS.

The only thing that allows me to use the old password is the query
function (GetDN) through the same web interface/dll - and only until
replication takes place (set to 15 minutes between DCs).

Nov 22 '05 #3
What have you done to date regarding the caching?
IIRC, IIS will cache the user's credentials. I assume you're saying that
the user can see the directory objects with the old credentials via the same
web interface? If not, correct me as it may be something else.

Al

Nov 22 '05 #4
I haven't really looked at caching - as the only way to query the
directory through the web interface is via this DLL - which accepts the
username/password from the form and theoretically makes a new bind via
SSL LDAP each time.
I am not relying on IIS for authentication at all. Should I be worried
about the cache in this case?

Nov 22 '05 #5
Theoretically?
I don't honestly have enough information to know for sure if the cache would
be involved in this. Your code and architecture are your own. But it seems
logical that you're running into a caching of credential information based
on the symptoms and IIS is known to do that. It seems a decent theory but
one I can't prove/disprove in this medium. It's best for you to have a look
at your code step by step during the error condition and see if you can spot
the issue. It might also help to drop a note to the ADSI newsgroups and
possibly the .net newsgroups to see if anyone has had this issue already and
solved it (hopefully).

Al

Nov 23 '05 #6
