I'm developing an intranet application. The application is working on an IIS on a windows server 2008. I'm using C# for coding the ASP.NET.
So, I only want to allow the domain users who are member of the OU ICT.
I don't want a login form, just an automatic authentication.
Sql Server Reporting Services works like this. Users don't have to login and the security is based on the AD. -> exactly what I'm looking for.
I have tried several ways, like with WidowsImpersonationContext I hit a dead-end on the OU.
If there would be anyone who can help me, I would be very thankful.
Solved the part where I check if the user is in the group/ou.
But I can't get the windows user from the client machine without logging in.
Greetings, Jeff
I´m not to sure about the mixture between OU´s and Groups here, but maybe the following will help you:
Reference System.DirectoryServices.AccountManagement,
var pc = new PrincipalContext(ContextType.Domain);
var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName,"DOMAIN\\USER");
var g = System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(pc, IdentityType.DistinguishedName, "Everyone");
var check = user.IsMemberOf(g);
HTH
Dominik
Related
We want to give permissions (in .Net Application) to everyone in AD but could not find the group that contains everyone. Tried with “NT Authority\Authenticated Users” but getting "user not found". Please provide any pointers to achieve this functionality.Below is sample code snippet.
DirectorySearcher user = new DirectorySearcher(connString);
user.Filter = String.Format("(sAMAccountName={0})", alias);
var result = user.FindOne();
Note: we can give permissions to all the users in SharePoint using “All Authenticated Users” but the same option is not working in .Net Application.
Regards,
Parveen
In a domain, everyone means all the Domain users, so in order to give permission to all domain users you need to use this: DOMAIN\Domain Users
I have a web site from where I fire a mail to members in my offices
This mail have a yes no button.
on click of yes/no button I call a web service, my yes no link looks somewhat like this
yes
Now users i.e. my office staff will login their system open their outlook find this mail and then click it.
After they click, takevotingOpt method in my web service will be called. In this method I want to know, from which user this call has came.
so that I can maintain record in database like xyz user has voted yes/no
say for e.g. their are two members in my organisation A and B
A's windows loginId is "AaLoginId" and
B's windows loginId is "BbLoginId"
both A and B receives the mail with the above mentioned link in it. when A click the yes/no link my web method should give me A's login Id i.e "AaLoginId". After I get this I make an entry in my database as A has voted yes.
I have tried below thing in my web service to get the user name but of no use please help.
tried this things to get windows login username.
//string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
//Uri uri = new Uri("http://tempuri.org/");
//ICredentials credentials = CredentialCache.DefaultCredentials;
//NetworkCredential credential = credentials.GetCredential(uri, "Ntlm");
////userName = credential.UserName;
//userName = User.Identity.Name;
//userName= System.Threading.Thread.CurrentPrincipal.Identity.Name;
//userName = Context.Request.ServerVariables["LOGON_USER"].ToString();
//userName = HttpContext.Current.User.Identity.Name.ToString();
I went to authentication in my inetmgr and enabled windows authentication for my hosted web service now it does what I want (userName = User.Identity.Name;) but it opens a browser window and ask for windows userid and password I dont want that It should pick up without login window.
Please help or suggest any other approach to achieve this.
You need to turn on windows authentication for the webservice and in IIS, then you should be able to look at Request object to get the user
Use Environment.UserName
Here's the MSDN docs.
http://msdn.microsoft.com/en-us/library/system.environment.username.aspx
Edit - To retrieve all users logged into the current system, check out this Question/Answer - Logoff interactive users in Windows from a service
It shows a way to use WMI and through system DLLs to retrieve a list of logged in users on the current system (which may or may not include service accounts, I haven't tried it myself).
Edit - Using Integrated Security would work for what you're trying to achieve, but can be a bit tricky to setup in large corporations. To get rid of the login prompt, Internet Explorer auto-authenticates to sites in the "Intranet Zone", but does not auto-authenticate to sites in the "Internet Zone". Make sure your web service URL is Intranet based, i.e. http://myserver/ and not Internet based i.e http://myserver.mycorp.com/, unless the user's are within the same domain. If they are not, have the users add "*.mycorp.com" to the Intranet Zone. FireFox has a similar configuration, where specific sites must be "trusted" in order to auto-authenticate.
I am working on a password reset application, which works on Google domains. I used .net provisioning API. I goggled and tried everything but didn't find any way to change password.
Following link is used https://developers.google.com/google-apps/provisioning/#updating_a_user_account
I found a very easy way
AppsService service = new AppsService("domain", "adminusername", "adminpassword");
UserEntry user = service.RetrieveUser("viresh1");
user.Login.Password = "newpassword";
service.UpdateUser(user);
I have two domains, MINE and THEIRS. MINE is my local domain and has a one way trust with THEIRS (using LDAPS port 636), so that MINE trusts THEIRS but THEIRS does not trust MINE. I can add users from THEIRS to groups in MINE, and have users from THEIR log into machines and applications on the MINE network. The trust appears to be working properly.
I am writing a little .Net application (not ASP.Net) to test connectivity over the WAN. We have one app that isn't seeing users from THEIRS in groups in MINE. Other apps, like SharePoint, work fine.
I tried using ASP.Net 4 option with System.DirectoryServices.AccountManagement objects, like PrincipalContext, UserPrincipal, GroupPrincipal, etc. Quick code snippet
PrincipalContext domainContext = GetDomainContext(DomainName, ConnectionPort,
UseSpecifiedCredentials, Credentials);
GroupPrincipal theGroup = GroupPrincipal.FindByIdentity(domainContext,
IdentityType.SamAccountName, GroupName);
PrincipalCollection theUsers = theGroup.Members;
var users = from u in theUsers
select u.Name;
return users.ToArray();
It all works GREAT when I connect directly to MINE. The issue comes in with connecting to THEIRS. Either the 1 way trust of the LDAPS traffic is returning the error:
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
So I switch to .Net 2 variations using DirectoryEntry, DirectorySearcher, etc. This actually works against THEIRS domain.
List<string> userNames = new List<string>();
string searchString = string.Format("(sAMAccountName={0})", GroupName);
SearchResult result = SearchAD(DomainName, ConnectionPort, searchString);
I can connect directly to the THEIRS domain, using some impersonation in the code.
When I query the groups in MINE, I get back the SID for the users from THEIRS, not a user account.
The following users are a member of testGroup:
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
CN=S-1-5-21-....,CN=ForeignSecurityPrincipals,DC=MINE,DC=local
I tried the impersonation on this as well, running it as a user from THEIRS but no luck.
How can I get user info from THEIRS when the user is in MINE? Do I have to take the above CN/SID and query THEIRS domain? What am I missing in the .Net 4 stuff?
I assume you have your ASP.NET machine running in MINE.
Your System.DirectoryServices.AccountManagement approach should just work if you make sure you use a domain user account from THEIR domain to run the application. In normal one-way trust configuration (unless you are doing selective authentication trust), the domain user account from THEIR should have permissions to read from both MINE and THEIR.
To make sure you use a domain user from THEIR domain, you can simply set the AppPool identity. Of course, you can use impersonation to do it too.
Thanks for reading and for your thoughts; this is a hairy problem, so I thought I'd share to see if it is actually a fair challenge for more seasoned developers than ourselves.
We're developing a web application for a corporate Microsoft Active Directory environment, and we use Windows Authentication provided by IIS to authenticate users for single-sign-on, alongside Forms Authentication. I know IIS complains when both are enabled, but it works very well, and every site we've deployed at has had no weird quirks to work around - until now.
The new site has "shared" machines, logged in permanently with a generic account that has read-only access to the applications they need to use. This means that we can't differentiate between users who should have different permissions to the application; we need some way of prompting the user for authentication details.
First try was some serious googling; nobody else in the world seemed to have our problem except for a few misguided souls who had asked questions into the ether and received no response.
After a bit of brainstorming and nutting out the way IIS's authentication works, it seemed that the most straightforward way to approach the problem was to issue a 401 Unauthorized in response to a user known to be a shared account. Initial tests here seemed fruitful, yielding successful changes of username inside the browser, however a prototype at the site did not prompt for credentials, and the browser kept the same account details. We also hit on the IE-specific javascript
document.execCommand("ClearAuthenticationCache")
which, again, worked in the lab but not onsite. Further experiments with IE security settings onsite revealed that the browser would automatically reauthenticate if the webapp site was excluded from the Intranet Zone, regardless of the method used to trick the browser into prompting the user for new account details.
Now we're stuck. We've got workaround options for getting it going on time, but they're definitely not the "right" answers:
require users to log out of the shared account before logging into our app (...yuck)
exclude our webapp from Intranet Zone on all machines
provide a non-SSO login service for users
I'm convinced that there's a canonical way to do this - a known pattern, a common base problem that's already been solved, something like that - and I'm very interested to hear what sort of inventive methods there are to solve this sort of problem, and if anyone else has actually ever experienced anything remotely like it.
We ended up settling on a solution that submits a query to the LDAP directory the server knows about. It means having to accept the user's password, but no other solution was solid enough to run in a production environment.
Hopefully this helps someone. .NET Framework 3.5+ required.
using System.DirectoryServices.AccountManagement;
private static bool IsLdapAuthenticated(string username, string password)
{
PrincipalContext context;
UserPrincipal principal;
try
{
context = new PrincipalContext(ContextType.Domain);
principal = Principal.FindByIdentity(context, IdentityType.SamAccountName, username) as UserPrincipal;
}
catch (Exception ex)
{
// handle server failure / user not found / etc
}
return context.ValidateCredentials(principal.UserPrincipalName, password);
}
Could you not create a page to which the shared accounts are denied access. Then do a redirect to that page, with a return URL encoded in the query string, at any point where you need the user to reauthenticate with a non-shared account? This should trigger the browser to put up the usual login dialog.
After the user reauthenticates, the new page should just redirect back to the return URL in the query string.