I'm writing a web service that checks if the user exists in Active Directory and if the user account is enabled. Once it checks that, I then go ahead validate their user account. Once they successfully enter username and password, I would like to get the GUID or NativeGuid for the person I'm authenticating. I would like to use GUID or NativeGUID to build a relationship inside SQL Server database.
Here's the approach I'm taking:
public string isAuthenticated (string serverName, string userName, string pwd)
{
string _serverName, _userName, _pwd;
_serverName = serverName;
_userName = userName;
_pwd = pwd;
string message;
if (DoesUserExist (_userName) == true)
{
if (isActive(userName) == true)
{
try
{
DirectoryEntry entry = new DirectoryEntry(_serverName, _userName, _pwd);
object nativeObject = entry.NativeObject;
//issue is here
string GUID = entry.Guid.ToString();
string GUIDID = entry.NativeGuid;
//end of issue
message = "Successfully authenticated";
}
catch(DirectoryServicesCOMException ex)
{
message = ex.Message;
}
}
else
{
message = "Account is disabled";
}
}
else
{
message = "There's an issue with your account.";
}
return message;
}
When I try to get the GUID or NativeGUID it's returning me the same ID every single time for different users.
Is there a different approach I can take to get a UNIQUE ID for different objects in Active Directory?
Thanks
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, _userName);
if(user != null)
{
// get the GUID
var objectGuid = user.Guid;
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD! I don't have an AD lying around right now to test - but I hope this will indeed give you the user object's objectGuid property value.
Related
I deployed a test web app to virtual Windows server 2008 std. IIS does not have certificates features assigned to this app nor to any apps deployed on this server so none of the solutions I've found relate to my issue. All other apps on same server work fine which leads me to conclusion the problem must be with the code I am using to authenticate in the global.asax file.
I've checked gpedit.msc and Network access: Do not allow storage of credentials is already disabled. This posting is closest to my issue that I've been able to find but no solution was accepted. I've checked MMC but there is nothing in it but an empty Console Root node so there is nothing to delete and reinstall as some have suggested here and here. I cannot access blog sites from work-there were some that sounded promising but I can't read them. I added Full Trust to web.config it made no difference and noted that .NET Trust Levels in IIS were set at Full (internal) already.
The complete error message is:
System.Security.SecurityException: A specified logon session does not exist. It may already have been terminated.
at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
at EPRSystem.Global.IsInADGroup(String user, String group)
at EPRSystem.Global.Application_AuthenticateRequest(Object sender, EventArgs e)
The Zone of the assembly that failed was:
MyComputer
Any ideas for me?
Here's my global code:
public Boolean IsAdmin;
public Boolean IsManager;
public Boolean IsDeveloper;
string UserName;
public String GetUserName()
{
WindowsIdentity wiCurrentUser;
wiCurrentUser = WindowsIdentity.GetCurrent();
String strUserName = wiCurrentUser.Name;
String[] strParts = strUserName.Split('\\');
strUserName = strParts[1];
return strUserName;
}
public Boolean IsInADGroup(string user, string group)
{
using (var identity = new WindowsIdentity(user))
{
var principal = new WindowsPrincipal(identity);
return principal.IsInRole(group);
}
}
protected void Session_Start(object sender, EventArgs e)
{
//Write method: Get current user's username
UserName = HttpContext.Current.User.Identity.Name; //get AD name of user
HttpContext.Current.Session["UserName"] = GetUserName();
HttpContext.Current.Session["IsAdmin"] = IsInADGroup(HttpContext.Current.Session["UserName"].ToString(), "group1");
HttpContext.Current.Session["IsManager"] = IsInADGroup(HttpContext.Current.Session["UserName"].ToString(), "group2");
HttpContext.Current.Session["IsDeveloper"] = IsInADGroup(HttpContext.Current.Session["UserName"].ToString(), "group3");
}
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
//Write method: Identity/Authenticate current user
DAL.ErrorLog oErrorLog = new DAL.ErrorLog();
try
{
String strUser = GetUserName();
IsAdmin = IsInADGroup(strUser, "group1");
IsManager = IsInADGroup(strUser, "group2");
IsDeveloper = IsInADGroup(strUser, "group3");
}
catch (System.Security.SecurityException ex)
{
oErrorLog.WriteErrorLog(ex.ToString());
}
}
I read this article by Shawn Farkas, focusing on his comment "1.Determine what permissions are being demanded that are causing your application to throw, and try to modify your application to not require these permissions any more. The SecurityException that is being thrown should tell you which demand
failed.
I removed the authorization code from Global.asax entirely, moving it to Default.aspx.cs. I replaced IsInADGroup(x,y) method which is where the error originated, with a mixture of code suggested by marc_s in a new method called CheckGroupMembership(). I instantiated a global array variable groupName[] containing the three AD groups I wanted to check membership for and ultimately these values IsMember[]are passed to Session variable so they can be used on another page. The heart of the solution is this method: requires namespace System.DirectoryServices.AccountManagement
public void CheckGroupMembership()
{
// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "XXX");
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, GetUserName());
for (int i = 0; i < 3; i++)
{
// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName[i]);
if (user != null)
{
// check if user is member of that group
if (user.IsMemberOf(group))
{
IsMember[i] = true;
}
else
{
IsMember[i] = false;
}
}
}
}
I'm trying this code:
public bool isTravelAdmin(string srvr, string usr, string password)
{
System.Diagnostics.Debug.WriteLine("I'm in isTravelAdmin!");
PrincipalContext domainctx = new PrincipalContext(ContextType.Domain, srvr);
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainctx, IdentityType.SamAccountName, usr);
bool isMember = userPrincipal.IsMemberOf(domainctx, IdentityType.Name, "traveladmin");
if (isMember)
{
System.Diagnostics.Debug.WriteLine("This user is INDEED a member of that group");
return true;
}
else
{
System.Diagnostics.Debug.WriteLine("This user is *NOT* member of that group");
return false;
}
}
Which is supposed to check if a user belongs to a certain group ("traveladmin"), but I'm getting
System.DirectoryServices.AccountManagement.PrincipalServerDownException
Any idea why and how to solve? by the way:
srvr = "LDAP://192.168.56.101/CN=Users,DC=estagioit,DC=local"
PS: I'm using the same srvr on another method and it's working and connecting.
PSS: If this is not the best way to go about this I'm open to suggestions.
The problem is how the "Principal Context" is written... it should be:
PrincipalContext thisPrincipalContext = new PrincipalContext(ContextType.Domain, "DCESTAGIO");
in this case.
If you look at the documentation for the PrincipalContext constructors, it should be quite clear:
public PrincipalContext(ContextType contextType, string name)
or
public PrincipalContext(ContextType contextType, string name, string container)
So you basically need:
your context type (here: ContextType.Domain)
the domain name (try just the "Netbios" name, e.g. "YOURDOMAIN" -
or leave NULL for "default" domain)
optionally a container (as an LDAP path - a "distinguished" name,
full path but without any LDAP:// prefix)
as seen in this answer.
In your case just change your srvr to:
srvr = "DCESTAGIO"
I have a C# script I am trying to use to connect to an Oracle Directory Server Enterprise Edition
So far i have had very little success.
I am receiving a Unknown error (0x80005000) error message
Can somebody tell me what I am doing wrong. I have been researching the web and most online boards say that this error message is because the LDAP in the path needs to be in uppercase letters.
As you can see I have done that but still no luck.
Below is my code
private static readonly string PATH = "LDAP://LDAPDEV.example.com:389/o=example.com";
private static readonly string USERNAME = uid=SERVICE_USR,ou=ApplicationIDs,o=example.com";
private static readonly string PASSWORD = "test1234";
string DN = "";
// connect to determine proper distinguishedname
DirectoryEntry Entry = new DirectoryEntry(Path, USERNAME, PASSWORD, AuthenticationTypes.None);
try
{
// Bind to the native AdsObject to force authentication.
Object obj = Entry.NativeObject;
DirectorySearcher Search = new DirectorySearcher(Entry);
Search.ReferralChasing = ReferralChasingOption.All
}
catch (Exception ex)
{
throw new Exception("Error looking up distinguishedname. ", ex);
}
finally
{
anonymousEntry.Close();
}
return DN;
}
string sDomain="LDAPDEV.example.com:389";
string sDefaultOU = #"o=example.com";
string sServiceUser = #"uid=user,ou=ApplicationIDs,o=example.com";
string sServicePassword = "password";
try
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ontextOptions.SimpleBind, sServiceUser,sServicePassword);
}
catch (Exception ex)
{
ex.Message;
}
Here is something that you can use to get some information by using PrincipalContext look at this working example and replace the values with your domain name values.
// if you are doing this via web application if not you can replace
// the Request/ServerVariables["LOGON_USER"]
// with Environment.UserName; this will return your user name like msmith for example so var userName = Environvironment.UserName;
var userName = Request.ServerVariables["LOGON_USER"].Split(new string[] {"\\"}, StringSplitOptions.RemoveEmptyEntries);
var pc = new PrincipalContext(ContextType.Domain,"yourdomain.com",null, null);
var userFind = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, userName);
this is basically all you need to see the information like email address SamAccountName ect.. use the debugger to inspect all the property values available in the pc variable and userFind variable
This should be really easy but for some reason it doesn't seem to be. I want to ask AD if the current machine is a member of a particular group. Direct membership is fine.
Group only contains 8 PC's and is extremely unlikely to grow beyond 30.
C# code examples appreciated!
Here's an example method using the System.DirectoryServices namespace:
public bool BelongsToGroup(string computerName, string groupName, string domain)
{
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain);
ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(domainContext, computerName);
foreach (Principal result in computer.GetGroups())
{
if (result.Name == groupName)
{
return true;
}
}
return false;
}
So you could call it like this:
string computerName = Environment.MachineName;
string groupName = "Group Name";
string domainName = "Domain Name";
bool test = BelongsToGroup(computerName, groupName, domainName);
The User.Identity.Name property returns the domain login id.
Which class/property exposes the actual user name?
For user "John Doe" who logs into the web application supplying my_domain\jdoe
**User.Identity.Name -**
Returns : *my_domain\jdoe*
**System.Environment.UserName**
Returns: *jdoe*
Which class/property returns? ... "John Doe"
If you are thinking Active Directory, you'll need to find the UserPrincipal that corresponds to the given samAccountName and get the DisplayName property from it. Note that it may not be set.
string fullName = null;
using (PrincipalContext context = new PrincipalContext( ContextType.Domain ))
{
using (UserPrincipal user
= UserPrincipal.FindByIdentity( context,
User.Identity.Name ))
{
if (user != null)
{
fullName = user.DisplayName;
}
}
}
Sounds like instead of the login name, you are after the display name of an Active Directory user account. What you might want to do is to do an AD search (DirectorySearcher) and get the display name from the search result property.
I'm assuming that you are in an AD environment, since you tagged the question adsi.
Note: If you are working with .NET 3.5, you might want to look at tvanfosson's post.
The IIdentity interface is that which provides the Name property on User.Identity. The IIdentity interface can be implemented on any number of classes which know how to lookup users from a data-store (SQL Server, Active Directory, etc).
There is no property of the IIdentity interface which provides "John Doe". If that information is located in your data-store then you'll need to use the tools specific to that data-store to access it.
That said, its entirely possible that the object which is returned by User.Identity has a property which contains "John Doe" that you might be able to access through some other interface besides IIdentity (our custom IIdentity implementation does this, for example).
using System.DirectoryServices;
public static string GetFullName(string strLogin)
{
string str = "";
string strDomain;
string strName;
// Parse the string to check if domain name is present.
int idx = strLogin.IndexOf('\\');
if (idx == -1)
{
idx = strLogin.IndexOf('#');
}
if (idx != -1)
{
strDomain = strLogin.Substring(0, idx);
strName = strLogin.Substring(idx + 1);
}
else
{
strDomain = Environment.MachineName;
strName = strLogin;
}
DirectoryEntry obDirEntry = null;
try
{
obDirEntry = new DirectoryEntry("WinNT://" + strDomain + "/" + strName);
System.DirectoryServices.PropertyCollection coll = obDirEntry.Properties;
object obVal = coll["FullName"].Value;
str = obVal.ToString();
}
catch (Exception ex)
{
str = ex.Message;
}
return str;
}
and the you can just call
var strJonDoeName = GetFullName(User.Identity.Name)
code mock it from here
Maybe I have made a mistake somewhere, but WinNT://... hasn't worked for domain accounts for me. Additionally, if the user isn't in the same domain as the machine, than PrincipalContext may not find the wanted element (as it searches in the current context, if used as above).
The following should translate the "friendly domain name" as provided by User.Identity.Name to an ldap compliant domain. Using the distinguishName of the domain delivers the needed ldap path information (which has solved my cross domain problem):
(VB.NET, sorry)
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.DirectoryServices.ActiveDirectory
...
Dim strUserName As String
Dim objDirContext As DirectoryContext
Dim objContext As PrincipalContext
Dim objPrincipal As Principal
Dim strLDAPDomainPath As String
...
// User.Identity.Name delivers domain\account or account#domain
// Split User.Identity.Name in domain and account as specified above
strDomain = "my_domain"
strAccount = "jdoe"
// Get LDAP domain relative path (distinguishName) from short domain name (e.g. my_domain -> us.my_domain.com -> DC=us,DC=my_domain,DC=com)
Try
objDirContext = New DirectoryContext(DirectoryContextType.Domain, strDomain)
strLDAPDomainPath = Domain.GetDomain(objDirContext).GetDirectoryEntry.Properties("distinguishedName").Value.ToString
Catch objException As DirectoryServicesCOMException
Throw New Exception("Couldn't get LDAP domain: " & objException.Message)
End Try
// Find user in LDAP
// Nothing results in using current domain controller
Try
objContext = New PrincipalContext(ContextType.Domain, Nothing, strLDAPDomainPath)
objPrincipal = Principal.FindByIdentity(objContext, IdentityType.Name, strAccount)
If Not IsNothing(objPrincipal) Then
strUserName = objPrincipal.DisplayName
End If
Catch objException As Exception
Throw New Exception("Couldn't get user display name: " & objException.Message)
End Try
// strUserName should now contain the wanted full name