I have this code that run on PowerShell against AD and it works properly, it returns the user
$de = New-Object -TypeName System.DirectoryServices.DirectoryEntry -
ArgumentList "LDAP://DC=organizationname,DC=com", "username", "password",
"Secure"
$ds = New-Object -TypeName System.DirectoryServices.DirectorySearcher -
ArgumentList $de, "(&(objectClass=user)(anr=myusername))",
#("sAMAccountName", "mail", "displayName"), "Subtree"
$ds.FindAll()
But when I run same code on asp.net mvc using DirectorySearcher it returns empty result always.
What could be the issue ? How do I debug that ?
string username = ConfigurationManager.AppSettings["ADUsername"];
string password = ConfigurationManager.AppSettings["ADPassword"];
string displayName = ConfigurationManager.AppSettings["ADDisplayName"];
using (var de = new DirectoryEntry(adUsersContainer, username, password, AuthenticationTypes.Secure))
{
IList<User> items = new List<User>();
string[] props = { "sAMAccountName", "mail", displayName };
using (var ds = new DirectorySearcher(de, "(&(objectClass=user)(anr=" + anr + "))", props, SearchScope.Subtree))
{
ds.PageSize = 1000;
IEnumerable<SearchResult> results = SafeFindAll(ds);
foreach (SearchResult result in results)
{
var user = new User
{
Username = GetPropertyValue(result.Properties, "sAMAccountName"),//;//[0].ToString(),
Email = GetPropertyValue(result.Properties, "mail"),
DisplayName = GetPropertyValue(result.Properties, displayName)
};
if (!string.IsNullOrWhiteSpace(user.Email))
{
items.Add(user);
}
}
}
return items;
}
This is an intranet app, hosted and should work with Windows authentication, so basically logged in users to their machine should be able to hit website without login but :
they keep getting login prompt
and when we try to pull user from AD (we are able to get user from Identity - see below -) but still it returns empty results.
Code:
string identityName = User.Identity.Name;
int index = identityName.LastIndexOf('\\');
string username = index >= 0 ? identityName.Substring(index + 1) : identityName;
Thoughts ?
Related
I am new to LDAP related coding and today I am asked to develop a code to check the users authentication against LDAP.
The tutorials I have found online are so simple but our company's Directory is so complicated that I don't know how to write a code for that. Here is the info of the LDAP . I have changed the company name to hide the name.
uri = ldaps://ABC.ad.XYZ.com:636
user_filter = memberOf=CN=TENXAIRFLOWPROD,OU=Security Groups,OU=Normal Users and Groups,OU=Account Management Services,OU=AD Master OU,DC=ABC,DC=ad,DC=XYZ,DC=com
user_name_attr = sAMAccountName
superuser_filter = memberOf=CN=TENXAIRFLOWPROD_ADM,OU=Security Groups,OU=Normal Users and Groups,OU=Account Management Services,OU=AD Master OU,DC=ABC,DC=ad,DC=XYZ,DC=com
bind_user = SCGLOBAL\twiki
bind_password_cmd = python /bns/tenx/airflow/ldap_password.py
basedn = DC=ABC,DC=ad,DC=XYZ,DC=com
search_scope = SUBTREE
Here is a code I have developed but it gives me error:
string username = "myUserName";
string domain = "ldaps://ABC.ad.XYZ.com:636";
string pwd = "myPasword";
try
{
DirectoryEntry entry = new DirectoryEntry(domain, username, pwd);
//Bind to the native AdsObject to force authentication.
object obj = entry.NativeObject;
lblError.Text=("Login Successful");
//search some info of this user if any
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + username + ")";
SearchResult result = search.FindOne();
}
catch (Exception ex)
{
lblError.Text=("Login failed: " + ex.ToString());
}
Could anybody help plz?
Comment: According to the admin , I have been assigned to the group in AD. But how can I make sure I can access it?
It seems like Active Directory. If so, you could just use PrincipalContext.
public bool ValidateCredentials(string domain, string username, string password)
{
using (var context = new PrincipalContext(ContextType.Domain, domain))
{
return context.ValidateCredentials(username, password);
}
}
public bool IsUserInAdGroup(string domain, string username, string adGroupName)
{
bool result = false;
using (var context = new PrincipalContext(ContextType.Domain, domain))
{
var user = UserPrincipal.FindByIdentity(context, username);
if (user != null)
{
var group = GroupPrincipal.FindByIdentity(context, adGroupName);
if (group != null && user.IsMemberOf(group))
result = true;
}
}
return result;
}
Please make sure to reference System.DirectoryServices.AccountManagement.
I am trying to get the name and role of the user who is currently accessing the web application but the code I have written fetches the server user name.
Could you please review the below code that I have written and tell a solution to this problem.
string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string[] stringSeparators = new string[] { "\\" };
string[] uname = userName.Split(stringSeparators, StringSplitOptions.None);
userName = uname[1];
List<string> userRoles = new List<string>();
userRoles = getUserRole(userName);
public List<string> getUserRole(string userName)
{
List<string> userNestedMembership = new List<string>();
DirectoryEntry domainConnection = new DirectoryEntry(); // Use this to query the default domain
DirectorySearcher samSearcher = new DirectorySearcher();
samSearcher.SearchRoot = domainConnection;
samSearcher.Filter = "(samAccountName=" + userName + ")";
samSearcher.PropertiesToLoad.Add("displayName");
SearchResult samResult = samSearcher.FindOne();
if (samResult != null)
{
DirectoryEntry theUser = samResult.GetDirectoryEntry();
theUser.RefreshCache(new string[] { "tokenGroups" });
foreach (byte[] resultBytes in theUser.Properties["tokenGroups"])
{
System.Security.Principal.SecurityIdentifier mySID = new System.Security.Principal.SecurityIdentifier(resultBytes, 0);
DirectorySearcher sidSearcher = new DirectorySearcher();
sidSearcher.SearchRoot = domainConnection;
sidSearcher.Filter = "(objectSid=" + mySID.Value + ")";
sidSearcher.PropertiesToLoad.Add("distinguishedName");
SearchResult sidResult = sidSearcher.FindOne();
if (sidResult != null)
{
string role = (string)sidResult.Properties["distinguishedName"][0];
role = role.Substring(3, role.Length - 3);
string[] roles = role.Split(',');
userNestedMembership.Add(roles[0]);
}
}
}
}
I have not done any changes in web config.
userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
That is getting you the wndows user name, which is likely the apppool name.
Have you set thr web config and IIS to know thet you want to use windows auth?
(or if you are not, try using the HTTP Context
HttpContext.Current.User.Identity.Name
Hope this helps, or at least gives you a steer in the right direction
The issue probably doesn't lie in the code, but in environment configuration. There are specific requirements to be met, to make System.Security.Principal.WindowsIdentity.GetCurrent().Name work as you want, as it gets the user on the server side. Here is nice post describing what could be done to make IIS work under user account (with Windows Authentication).
I'm using DirectorySearcher to search for a user entry in LDAP server.
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://myserver/OU=People,O=mycompany";
de.AuthenticationType = AuthenticationTypes.None;
DirectorySearcher deSearch = new DirectorySearcher();
deSearch.SearchRoot = de;
deSearch.Filter = "(uid=" + model.UserName + ")";
SearchResult result = deSearch.FindOne();
I'm able to get th intended output in result variable.
However If I try to authenticate the same user by providing password in directory entry, I always get following error.
"The user name or password is incorrect."
DirectoryEntry entry = new DirectoryEntry("LDAP://myserver/OU=People,O=mycompany", username, password);
DirectorySearcher search = new DirectorySearcher(
entry,
"(uid=" + username + ")",
new string[] { "uid" }
);
search.SearchScope = System.DirectoryServices.SearchScope.Subtree;
SearchResult found = search.FindOne(); ->>>>>this is where I get wrong credential error.
The username and password are for the user I want to authenticate.
Can anyone tell me what I'm doing wrong here or how to debug this.
This username, password within this line:
DirectoryEntry("LDAP://myserver/OU=People,O=mycompany", username, password);
should be for an account that has permission for directory lookup. It could be a service account or testing purpose try with your own. This shouldn't be the user/pass of someone who you are trying to authenticate.
If you want to authenticate, you can use following steps using PrincipalContext:
using(var context = new PrincipalContext(ContextType.Domain, "mydomain", "mydomain\serviceAcct", "serviceAcctPass")) {
//Username and password for authentication.
return context.ValidateCredentials(username, password);
}
"serviceAcct" = an account within domain users that has permission for directory lookup.
"serviceAcctPass" = password for that service account.
As I said, for testing you can try with your own user/pass context.
Also, make sure supplied username has either "domain\username" or "username#domain" formatting.
Here we are getting the active directory user details and we can use DomainName and UserRole from web.config file
bool isAdmin = false;
RegisterInput model = new RegisterInput();
NewUserInput usr = new NewUserInput();
SearchResultCollection results;
string mobileNumber = string.Empty;
using (DirectoryEntry domainEntry = new DirectoryEntry("LDAP://" + AppSettings.DomainName))
{
using (DirectorySearcher searcher = new DirectorySearcher(domainEntry, "userPrincipalName=" + userName + "#" + AppSettings.DomainName) { Filter = string.Format("(&(objectClass=user)(samaccountname={0}))", userName) })
{
results = searcher.FindAll();
if (results.Count > 0)
{
usr.FirstName = results[0].GetDirectoryEntry().Properties["givenName"].Value.ToString();
usr.LastName = results[0].GetDirectoryEntry().Properties["sn"].Value?.ToString();
usr.EmailAddress = results[0].GetDirectoryEntry().Properties["mail"].Value?.ToString();
mobileNumber = results[0].GetDirectoryEntry().Properties["mobile"]?.Value?.ToString();
dynamic userRoleList = results[0].GetDirectoryEntry().Properties["memberOf"];
if (userRoleList != null)
{
foreach (var role in userRoleList)
{
string[] split = role.ToString().Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries);
bool result = split.Any(x => x.ToLowerInvariant() == AppSettings.UserRole.ToLowerInvariant());
if (result)
{
isAdmin = true;
break;
}
}
}
}
}
}
model.NewUser = usr;
I'm trying to add a local user account on a non-domain joined machine. I have tried just about everything I can think of. I have this working on machines in the same domain, but not on off-domain machines. I can ping and TS to this server, but can't seem to add an admin.
Is it possible to use DirectoryEntry to do this?
Here's the code I currently have (slightly altered for readability):
private string AddLocalAdmin_NonDomain(string ComputerName)
{
StartImpersonation(); //Uses advapi32.dll->LogonUser()
string ErrMsg = "";
const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;
DirectoryEntry AD = new DirectoryEntry("WinNT://" + ComputerName + ",computer", ComputerName + "\\" + UserCredentials.Username, UserCredentials.Password);
object n = AD.NativeObject;
DirectoryEntry NewUser = AD.Children.Add(Username, "user");
NewUser.Invoke("SetPassword", new object[] { Password });
if (!PasswordExpires)
{
int val = ADS_UF_DONT_EXPIRE_PASSWD;
NewUser.InvokeSet("userFlags", new object[] { val });
}
NewUser.CommitChanges();
DirectoryEntry grp;
grp = AD.Children.Find("Administrators", "group");
if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }
EndImpersonation(); //Ends the impersonation
return ErrMsg; //returns "Access Denied"
}
You can use
System.DirectoryServices.AccountManagement
and to achive that here is the code
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Machine);
//Create New User
UserPrincipal oUserPrincipal = new UserPrincipal(oPrincipalContext, "Your UserName", "Your Password", true /*Enabled or not*/);
oUserPrincipal.UserPrincipalName = "Your UserName";
oUserPrincipal.GivenName = "Given Name";
oUserPrincipal.Surname = "Surname";
oUserPrincipal.Save();
//Add User to Group
GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, "Your Group Name");
oGroupPrincipal.Members.Add(oUserPrincipal);
oGroupPrincipal.Save();
for a full implementation go here http://anyrest.wordpress.com/2010/06/28/active-directory-c/
I am receiving an unusual behaviour in my asp.net application. I have code that uses Directory Services to find the AD groups for a given, authenticated user. The code goes something like ...
string username = "user";
string domain = "LDAP://DC=domain,DC=com";
DirectorySearcher search = new DirectorySearcher(domain);
search.Filter = "(SAMAccountName=" + username + ")";
And then I query and get the list of groups for the given user. The problem is that the code was receiving the list of groups as a list of strings. With our latest release of the software, we are starting to receive the list of groups as a byte[].
The system will return string, suddenly return byte[] and then with a reboot it returns string again.
Anyone have any ideas?
(marc_s) Added code sample:
DirectoryEntry dirEntry = new DirectoryEntry("LDAP://" + ldapSearchBase);
DirectorySearcher userSearcher = new DirectorySearcher(dirEntry)
{ SearchScope = SearchScope.Subtree,
CacheResults = false,
Filter = ("(" + txtLdapSearchNameFilter.Text + "=" + userName + ")")
};
userResult = userSearcher.FindOne();
ResultPropertyValueCollection valCol = userResult.Properties["memberOf"];
foreach (object val in valCol)
{
if (val is string)
{
distName = val.ToString();
}
else
{
distName = enc.GetString((Byte[])val);
}
}