We want to give permissions (in .Net Application) to everyone in AD but could not find the group that contains everyone. Tried with “NT Authority\Authenticated Users” but getting "user not found". Please provide any pointers to achieve this functionality.Below is sample code snippet.
DirectorySearcher user = new DirectorySearcher(connString);
user.Filter = String.Format("(sAMAccountName={0})", alias);
var result = user.FindOne();
Note: we can give permissions to all the users in SharePoint using “All Authenticated Users” but the same option is not working in .Net Application.
Regards,
Parveen
In a domain, everyone means all the Domain users, so in order to give permission to all domain users you need to use this: DOMAIN\Domain Users
Related
I have two domains, MINE and THEIRS. MINE is my local domain and has a one way trust with THEIRS (using LDAPS port 636), so that MINE trusts THEIRS but THEIRS does not trust MINE. I can add users from THEIRS to groups in MINE, and have users from THEIR log into machines and applications on the MINE network. The trust appears to be working properly.
I am writing a little .Net application (not ASP.Net) to test connectivity over the WAN. We have one app that isn't seeing users from THEIRS in groups in MINE. Other apps, like SharePoint, work fine.
I tried using ASP.Net 4 option with System.DirectoryServices.AccountManagement objects, like PrincipalContext, UserPrincipal, GroupPrincipal, etc. Quick code snippet
PrincipalContext domainContext = GetDomainContext(DomainName, ConnectionPort,
UseSpecifiedCredentials, Credentials);
GroupPrincipal theGroup = GroupPrincipal.FindByIdentity(domainContext,
IdentityType.SamAccountName, GroupName);
PrincipalCollection theUsers = theGroup.Members;
var users = from u in theUsers
select u.Name;
return users.ToArray();
It all works GREAT when I connect directly to MINE. The issue comes in with connecting to THEIRS. Either the 1 way trust of the LDAPS traffic is returning the error:
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
So I switch to .Net 2 variations using DirectoryEntry, DirectorySearcher, etc. This actually works against THEIRS domain.
List<string> userNames = new List<string>();
string searchString = string.Format("(sAMAccountName={0})", GroupName);
SearchResult result = SearchAD(DomainName, ConnectionPort, searchString);
I can connect directly to the THEIRS domain, using some impersonation in the code.
When I query the groups in MINE, I get back the SID for the users from THEIRS, not a user account.
The following users are a member of testGroup:
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
I tried the impersonation on this as well, running it as a user from THEIRS but no luck.
How can I get user info from THEIRS when the user is in MINE? Do I have to take the above CN/SID and query THEIRS domain? What am I missing in the .Net 4 stuff?
I assume you have your ASP.NET machine running in MINE.
Your System.DirectoryServices.AccountManagement approach should just work if you make sure you use a domain user account from THEIR domain to run the application. In normal one-way trust configuration (unless you are doing selective authentication trust), the domain user account from THEIR should have permissions to read from both MINE and THEIR.
To make sure you use a domain user from THEIR domain, you can simply set the AppPool identity. Of course, you can use impersonation to do it too.
I need to find out all AD groups SIDs that current user belongs to inside my Sharepoint (2007) webpart.
I wanted to use System.DirectoryServices.AccountManagement namespace:
using (var context = new PrincipalContext( ContextType.Domain ))
{
using (var user = UserPrincipal.FindByIdentity( context, accountName ))
{
var groups = user.GetAuthorizationGroups();
...
}
}
, but I get the following error:
Event ID: 10016
Through the permission settings (application specific) is the SID (S-1-5-20) for user NT AUTHORITY \ NETWORK SERVICE of address localhost (Using LRPC) is not authorized to activate (Local) for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
This might be fixed with this http://support.microsoft.com/kb/899965
but this approach requires changing registry values (the ownership of the application, so you can change apps values at dcomcnfg) and later User Permissions at dcomcnfg's COM security, which isn't an option for me.
Is there another way to access Current user's groups SIDs inside Sharepoint?
I really hoped I can find these values in SPContext.Current.Web.CurrentUser.Groups, but apparently not.
You need to go the SharePoint way here and not use System assemblies, but the SharePoint ones.
The SID of each user is in the SPUser.Sid Property. As you want to look for AD groups only you can check the .IsDomainGroup Property of SPUser.
Now all you need to do is check the current user: ´SPContext.Current.Web.CurrentUser(aSPUser` object).
To answer your question how to get all groups a user belongs to, you actually will need to use System.DirectoryServices. A solution for your problem is shown in the following stackoverflow posts:
In C#, how to access Active Directory to get the list of groups that a certain user belongs to?
Querying AD for finding all groups of a user - Missing one group
So in short: SPUser object as well as querying the Active Directory via DirectoryServices
I'm developing an intranet application. The application is working on an IIS on a windows server 2008. I'm using C# for coding the ASP.NET.
So, I only want to allow the domain users who are member of the OU ICT.
I don't want a login form, just an automatic authentication.
Sql Server Reporting Services works like this. Users don't have to login and the security is based on the AD. -> exactly what I'm looking for.
I have tried several ways, like with WidowsImpersonationContext I hit a dead-end on the OU.
If there would be anyone who can help me, I would be very thankful.
Solved the part where I check if the user is in the group/ou.
But I can't get the windows user from the client machine without logging in.
Greetings, Jeff
I´m not to sure about the mixture between OU´s and Groups here, but maybe the following will help you:
Reference System.DirectoryServices.AccountManagement,
var pc = new PrincipalContext(ContextType.Domain);
var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName,"DOMAIN\\USER");
var g = System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(pc, IdentityType.DistinguishedName, "Everyone");
var check = user.IsMemberOf(g);
HTH
Dominik
I have some code in asp.net ( kindly given by someone else ) to query AD to get user name and email etc.
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using ActiveDs;
DirectorySearcher search = new DirectorySearcher(new DirectoryEntry(), string.Format("(samaccountname={0})", id));
if (search == null)
return id;
if (search.FindOne() == null)
return id;
DirectoryEntry usr = search.FindOne().GetDirectoryEntry();
IADsUser oUsr = (IADsUser)usr.NativeObject;
return string.Format("{0} {1}", usr.Properties["givenname"].Value, usr.Properties["sn"].Value);
However this requires impersonation with an id that's required to be changed every 2 weeks and then updated in the web.config which is often forgotten
Is there any non impersonation code to achieve the same result ?
UPDATE - it's a config tool and it looks up name, email id etc.
I like the service a/c idea
Q - How is it possible to run ( impersonate ) just the AD code with a "service" a/c ? any samples/code ?
how do you impersona
For your particular purpose, a ServiceAccount shall be added to AD;
If you ASP.NET application is for a LAN in your organization, you could simply forget about providing Username and Password and only provide the root domain. This way, Active directory will search for Windows authenticated user instead of using impersonnation (this assumes that the user accessing your application has the rights to perform the tasks provided by your application).
What exactly does your application need to do?
If your application manages user accounts, groups and OU, then you need to use impersonnation only if the user doing these tasks through the application has no rights of managing the AD with her/his regular user account. This, should not happen. So, event for this, if the user has the proper rights, omitting your credentials will only allow AD to search for the current logged on user.
We usually request IT to give us a domain service account. You still need to impersonate, but with a service account, the password will not have to be changed every 2 weeks, and is granted specific rights for the particular function you need it for, so it would mean very low maintenance for you.
I don't think so, because you need to bind to the domain with valid credentials in order to read from active directory.
Think of the username/password as part of a connection string to a database. I'd request a complex username and password from your domain administrator and request that they give it limited login permissions and set the password to never expire. Then store and use those in your Web.config file.
System Specs:
Infopath 2007 with c# code-behind
Webservices
Active Directory
I need to get the users name (First Name and Last Name) from active directory but the user appears to not have permissions to read the active directory listings.
What permissions do I need to give the user in order for them to search AD
I am using code like this
SearchResult result;
using (DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au"))
{
DirectorySearcher search = new DirectorySearcher(de, (string.Format("(&(objectClass=user)(mailNickname={0}))",this.Application.User.UserName)));
result = search.FindOne();
}
I have considered creating a webservice that gets the information required but that seems like overkill but would get around having to make sure every possible user of the form is required to have the correct permissions
EDIT:
The code that I am trying to execute is infopath code behind. The form itself connects to webservices to retrieve some of its data. as such it is under infopath's security model. The form is fully trusted so it should be fine to execute under the current user context.
My fault for not adding the extra detail.
When you create a new DirectoryEntry without specifying a username and password you're connecting to Active Directory using the credentials of the executing user - in your case probably the local IUSR_...-account on the web server which is the default account used when a new web site is set up in IIS. Because that's a local account you won't be able to access Active Directory.
You have two options:
Create a service account in Active Directory and use that account explicitly, ie DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au", "sa-username", "sa-password", AuthenticationTypes.Secure). Of course, passwords in clear text in the code is not a good idea so find a way to encrypt the password.
or
Configure the IIS application pool for your web site (IIS 6+) to run under a domain user account - that way that account is used when connecting to Active Directory.
Any user of the AD should have permissions to browse the AD by default.
You probably just need to change your directory entry to point to the user container like so:
new DirectoryEntry("LDAP://CN=users,DC=contoso,DC=com,DC=au")
Your user container could be another name.
If that does not solve the problem it may be that the application is not actually running as the user. For example, an ASP.NET website would need to be using impersonation in order to query the AD.