Cross Domain Active Directory Authentication - c#

We have a website running on a different AD domain than the one we need to authenticate with. For reasons I will not go into, we cannot allow a trust between them.
So we have:
Rackspace.Domain
SuperDuperEnterpriseDomain
The website is running at rackspace under their domain and we need to be sure they are authenticated on
Is there a way in C# to check whether a user exists on another domain? If so, how?

Assuming that you are getting a SuperDuperEnterpriseDomain's username and password, use DsBindWithCred. Note that this function fails with Access Denied even when the credentials are technically valid, such as the account being locked out. Since you are not joined to the target domain, you won't be able to call LogonUser to get finer details on why the credentials are invalid.
For code, see my answer to another question. You can replace the SecureStrings with regular strings if you don't mind the security implications.
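An added example of the DsBindWithCred approach described in the answer above (this is not the answer's own code). It P/Invokes ntdsapi.dll to bind to a domain controller of the other domain with the supplied username and password; the domain name, account and password in Main are constructed placeholders, and the machine only needs DNS resolution of the target domain, not a trust. As the answer notes, a locked-out or disabled account comes back as the same Access Denied as a wrong password, so the result is reported as a single "Rejected" state.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Validates a username/password against a domain this machine is not joined to
// by binding to one of its domain controllers with the supplied credentials.
public static class RemoteDomainCredentialCheck
{
    const uint ERROR_SUCCESS = 0;
    const uint ERROR_ACCESS_DENIED = 5;
    const uint ERROR_LOGON_FAILURE = 1326;

    [DllImport("ntdsapi.dll", EntryPoint = "DsMakePasswordCredentialsW", CharSet = CharSet.Unicode)]
    static extern uint DsMakePasswordCredentials(string user, string domain, string password, out IntPtr authIdentity);

    [DllImport("ntdsapi.dll", EntryPoint = "DsFreePasswordCredentialsW")]
    static extern void DsFreePasswordCredentials(IntPtr authIdentity);

    [DllImport("ntdsapi.dll", EntryPoint = "DsBindWithCredW", CharSet = CharSet.Unicode)]
    static extern uint DsBindWithCred(string domainControllerName, string dnsDomainName, IntPtr authIdentity, out IntPtr hDs);

    [DllImport("ntdsapi.dll", EntryPoint = "DsUnBindW")]
    static extern uint DsUnBind(ref IntPtr hDs);

    public enum Result { Valid, Rejected }

    // Valid: the DC accepted the credentials. Rejected: wrong password, or a locked/disabled
    // account (DsBindWithCred does not distinguish these). Infrastructure failures
    // (DC unreachable, DNS failure for the domain) are thrown as Win32Exception.
    public static Result Validate(string dnsDomain, string user, string password)
    {
        IntPtr auth = IntPtr.Zero, hDs = IntPtr.Zero;
        uint rc = DsMakePasswordCredentials(user, dnsDomain, password, out auth);
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
        try
        {
            // Null DC name: let the DC locator pick a domain controller for dnsDomain.
            rc = DsBindWithCred(null, dnsDomain, auth, out hDs);
            switch (rc)
            {
                case ERROR_SUCCESS:
                    DsUnBind(ref hDs);          // release the RPC session as soon as the answer is known
                    return Result.Valid;
                case ERROR_ACCESS_DENIED:
                case ERROR_LOGON_FAILURE:
                    return Result.Rejected;
                default:
                    throw new Win32Exception((int)rc);
            }
        }
        finally
        {
            DsFreePasswordCredentials(auth);    // the password copy held by the auth identity is freed here
        }
    }

    public static void Main()
    {
        // Constructed placeholder values; replace with the target domain's DNS name and the submitted credentials.
        Result result = Validate("superduperenterprise.example", "jdoe", "placeholder-password");
        Console.WriteLine(result);
    }
}
```

Because the bind carries the user's password, keep it in memory only for the duration of the call and never log the rejected credentials; rate-limit the calling endpoint, since each call costs the remote DC an authentication attempt.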

Related

Authenticating users using Windows logon

I want to try and avoid forcing users to log on to use my applications, so I am wondering if there is a secure way I can use a Windows authenticated user?
I can't see this working, personally, because at some point my application is going to have to send the user's login username and grab the permissions.
Assuming this connection is encrypted...I'm guessing a malicious user could still decompile my application, change the code to impersonate a user and recompile. Even if I obfuscated the code, I am sure there must exist methods around this.
Any ideas?

How to authenticate users in Active Directory using AuthType.Kerberos?

Could anyone please share any thoughts on authenticating Active Directory users using the AuthType.Kerberos method.
Ideally, I would like to pass the Username and Password to validate the user credentials using the AuthType.Kerberos method
This type of validation uses LDAP connection (LdapConnection)
Any comments or feedback will be very appreciated.
Cheers! :)
Kerberos doesn't use a username and password in the sense you are talking about here; it uses a ticket-based auth system with a central server. Kerberos is quite complicated to implement and is normally only used in cases where you want to do double-hop authentication with the logged-in user. This means the application wants to use the credentials of the user who has logged in to access a secondary system. For example, if you have a SharePoint site which pulls data from an Exchange server, you may want to pass the currently logged-in user's details from SharePoint to Exchange. This is normally done with Kerberos and Constrained Delegation.
In reality what you probably want for your application is Windows authentication (NTLM), which allows the application to authenticate domain users (however, again, in the common case this doesn't use a username and password at your application level either).
===EDIT===
To implement Kerberos with a .NET web app you will need to do the following:
Enable constrained delegation for the app pool http://blogs.msdn.com/b/dotnetremoting/archive/2006/07/06/662599.aspx
Set up SPNs for your site http://support.microsoft.com/kb/929650
Set up your code to use Kerberos when you call the remote service; this is basically just setting the protocol. You don't need to actually send the username or password.
This article has some good advice around how to troubleshoot problems with the system
http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
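An added example of the third step above, an LdapConnection that selects AuthType.Kerberos and binds with the caller's existing security context rather than a submitted password (this is added here and is not the answer's own code). The DC host name, search base and account name are constructed placeholders; when the app pool is configured for constrained delegation as in the first two steps, the context that gets bound is the impersonated web user, otherwise it is the app pool identity.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Text;

// Kerberos LDAP bind using the ambient Windows identity: no username or password is passed.
public static class KerberosLdapSearch
{
    public static SearchResponse FindUser(string dcHost, string baseDn, string samAccountName)
    {
        // fullyQualifiedDnsHostName: the FQDN is what the ldap/<host> SPN is registered under.
        var server = new LdapDirectoryIdentifier(dcHost, 389, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(server))
        {
            conn.AuthType = AuthType.Kerberos;      // only the protocol is selected, as the answer describes
            conn.SessionOptions.Signing = true;     // integrity protection of the LDAP traffic
            conn.SessionOptions.Sealing = true;     // Kerberos-encrypted session, no LDAPS certificate needed
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Bind();                            // binds as the current security context (ticket, not password)

            string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "displayName", "mail");
            return (SearchResponse)conn.SendRequest(request);
        }
    }

    // RFC 4515 escaping so a user-supplied value cannot change the filter's structure.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed placeholder values.
        SearchResponse response = FindUser("dc1.corp.example", "DC=corp,DC=example", "jdoe");
        Console.WriteLine("Entries returned: " + response.Entries.Count);
    }
}
```

If the bind falls back to NTLM instead of Kerberos, the usual causes are the missing or duplicated SPN and the delegation settings from the first two steps; the troubleshooting article linked above covers how to confirm which protocol was actually negotiated.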

Directory on another machine - Login credentials

My application needs to access files on a remote machine that requires a username and password for accessing it.
I'm trying to find out if a directory exists (using Directory.Exists) to verify I can make the connection.
Is there a way to supply the username and password when working with remote directories? Currently Exists returns false.
Cheers,
Unfortunately not. You will need to wrap your code using extra code to handle impersonation of a user that does have access.
This article explains how to do it in code further down the page.
Check out this thread on MSDN Forums.
It has code sample for using impersonation, and also explains a bit about using NetUseAdd in order to gain access if the machines are on different domains or non domains.
Use the LogonUser api to login as a specific user and get a token and then use that token with WindowsIdentity.Impersonate.
Link with a sample (do read the whole post to see its security problems etc. though).

asp.net ldap authentication help/advice

I'm working on an LDAP project in C# and all I'm doing is searches for users and pulling data that we need to be able to see on the fly. I'm creating an ASP.NET page for this. Right now I have hard-coded my own LDAP username/password into my LDAP search class, but what I want is to make it so anyone can log in and then be able to search under their own credentials.
Where are some good starting guides, or maybe some advice, on how I can have them bind to LDAP and store that username/password somewhere safely, so that when they do the search and LDAP makes that connection, it will know to use their username/password?
This really depends on how the page will be executed. If you want a consistent login, then provide the username/password in the connection. Otherwise it will be implicitly passed by IIS for the web application. If you set up impersonate rights, it will pass the currently authenticated user's credentials when making the connection. If you do not set impersonate, then it will use the IIS account that's running the application. So it will need to be an account that has network access, as well as access to the directory on the IIS machine.
The thing to be aware of is that no matter what direction you choose, make sure it is an account that can traverse your LDAP store and can retrieve all the information you're looking to display. If you have the standard end users using their credentials, they generally can only pull back their own information, and not much else.
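An added example of a search class that supports both modes the answer describes (added here, not the answer's or asker's code). With a username and password it binds as that account; with none, DirectoryEntry binds as the ambient identity, which is the IIS app pool account, or the authenticated web user when <identity impersonate="true"/> is set. The impersonation mode is the one that avoids storing any user's password at all. The LDAP path and the property names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Directory search that binds either with explicit credentials or as the process/impersonated identity.
public sealed class DirectoryUserSearch
{
    static readonly string[] Attributes = { "sAMAccountName", "displayName", "mail" };

    private readonly string _ldapPath;
    private readonly string _username;   // null: use the ambient Windows identity (app pool or impersonated user)
    private readonly string _password;

    public DirectoryUserSearch(string ldapPath, string username = null, string password = null)
    {
        _ldapPath = ldapPath;
        _username = username;
        _password = password;
    }

    public IList<Dictionary<string, string>> FindBySamAccountNamePrefix(string prefix)
    {
        // Secure = negotiate (Kerberos/NTLM) rather than a simple bind that would send the password in clear;
        // Sealing/Signing protect the LDAP traffic itself.
        var auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing;
        using (var root = _username == null
                   ? new DirectoryEntry(_ldapPath, null, null, auth)           // default credentials
                   : new DirectoryEntry(_ldapPath, _username, _password, auth))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(prefix) + "*))";
            searcher.PropertiesToLoad.AddRange(Attributes);
            searcher.SizeLimit = 50;                                            // bound the result set for a web page
            var results = new List<Dictionary<string, string>>();
            using (SearchResultCollection all = searcher.FindAll())
            {
                foreach (SearchResult r in all)
                {
                    var row = new Dictionary<string, string>();
                    foreach (string attr in Attributes)
                        row[attr] = r.Properties[attr].Count > 0 ? r.Properties[attr][0].ToString() : "";
                    results.Add(row);
                }
            }
            return results;
        }
    }

    // RFC 4515 escaping: a value typed into the page must not be able to rewrite the filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    public static void Main()
    {
        // Constructed placeholder path; no credentials, so the ambient identity is used.
        var search = new DirectoryUserSearch("LDAP://dc1.corp.example/DC=corp,DC=example");
        foreach (var row in search.FindBySamAccountNamePrefix("jd"))
            Console.WriteLine(row["sAMAccountName"] + " " + row["displayName"]);
    }
}
```

Whichever mode is chosen, the account doing the bind needs read access to the attributes shown, which is the point the answer makes about ordinary end users only being able to see their own information.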

LogonUser works only for my domain

I need to impersonate a user using C#.
I use the LogonUser Win32 API.
This works fine when impersonating users from the same domain as the currently logged-in user.
However I get "false" as response when I try to impersonate users from other domains.
What can cause this?
As Joel says you need trust between the domains.
You also need to be careful with respect to the security context of the process doing the delegation, and which domain the machine you are running on is in.
Both the machine and the user account of the process must be trusted for delegation, by the domain that you are trying to access.
This means that your code should be running on the domain that you are trying to access.
Hope this helps
Shiraz
You should try calling GetLastError right after LogonUser fails to see if any error information is given.
http://msdn.microsoft.com/en-us/library/ms679360(VS.85).aspx
There may be some issue with calling GetLastError from c#.
Look here for more information on this : http://blogs.msdn.com/adam_nathan/archive/2003/04/25/56643.aspx
Is there a trust between your two domains? If not, LogonUser will fail.
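An added example (not any of the answers' own code) serving two of the threads above: the "Directory on another machine" question, where LogonUser plus impersonation is used to test a remote path, and this thread, where the advice is to read the error code immediately after LogonUser fails. The last-error value is obtained with SetLastError = true on the DllImport and Marshal.GetLastWin32Error(), which is the C#-safe form of the GetLastError call discussed in the linked post. The logon type LOGON32_LOGON_NEW_CREDENTIALS only attaches the credentials to outbound network connections, so the remote server validates them when the share is opened; the UNC path, domain and account below are constructed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Checks a remote directory as a specific account, and surfaces the Win32 error when the logon fails.
public static class RemoteShareAccess
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;  // credentials used for outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;       // required provider for NEW_CREDENTIALS
    const int ERROR_LOGON_FAILURE = 1326;         // "The user name or password is incorrect"

    // SetLastError = true makes the runtime capture GetLastError right after the call returns.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out SafeAccessTokenHandle token);

    public static bool RemoteDirectoryExists(string uncPath, string domain, string user, string password)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
        {
            // Read the error before any other call can overwrite it; never P/Invoke GetLastError yourself.
            int err = Marshal.GetLastWin32Error();
            string why = err == ERROR_LOGON_FAILURE ? "bad username/password" : new Win32Exception(err).Message;
            throw new Win32Exception(err, "LogonUser failed (" + err + "): " + why);
        }
        using (token)
        {
            // Directory.Exists swallows access errors and returns false, so a false here means
            // either "not there" or "this account cannot see it"; the impersonation scope ends with the lambda.
            return WindowsIdentity.RunImpersonated(token, () => Directory.Exists(uncPath));
        }
    }

    public static void Main()
    {
        // Constructed placeholder values.
        bool ok = RemoteDirectoryExists(@"\\fileserver.other.example\share\inbox",
                                        "OTHERDOMAIN", "svc-reader", "placeholder-password");
        Console.WriteLine(ok ? "reachable" : "not found or not accessible");
    }
}
```

With the default logon types (interactive or network) the local machine has to validate the account, which is where the cross-domain failure and the trust requirement in this thread come from; the token from NEW_CREDENTIALS carries the account only to the remote server, and the local process keeps its own identity for everything else.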
