The User.Identity.Name property returns the domain login id.
Which class/property exposes the actual user name?
For user "John Doe" who logs into the web application supplying my_domain\jdoe
**User.Identity.Name -**
Returns : *my_domain\jdoe*
**System.Environment.UserName**
Returns: *jdoe*
Which class/property returns? ... "John Doe"
If you are thinking Active Directory, you'll need to find the UserPrincipal that corresponds to the given samAccountName and get the DisplayName property from it. Note that it may not be set.
string fullName = null;
using (PrincipalContext context = new PrincipalContext( ContextType.Domain ))
{
using (UserPrincipal user
= UserPrincipal.FindByIdentity( context,
User.Identity.Name ))
{
if (user != null)
{
fullName = user.DisplayName;
}
}
}
Sounds like instead of the login name, you are after the display name of an Active Directory user account. What you might want to do is to do an AD search (DirectorySearcher) and get the display name from the search result property.
I'm assuming that you are in an AD environment, since you tagged the question adsi.
Note: If you are working with .NET 3.5, you might want to look at tvanfosson's post.
The IIdentity interface is that which provides the Name property on User.Identity. The IIdentity interface can be implemented on any number of classes which know how to lookup users from a data-store (SQL Server, Active Directory, etc).
There is no property of the IIdentity interface which provides "John Doe". If that information is located in your data-store then you'll need to use the tools specific to that data-store to access it.
That said, its entirely possible that the object which is returned by User.Identity has a property which contains "John Doe" that you might be able to access through some other interface besides IIdentity (our custom IIdentity implementation does this, for example).
using System.DirectoryServices;
public static string GetFullName(string strLogin)
{
string str = "";
string strDomain;
string strName;
// Parse the string to check if domain name is present.
int idx = strLogin.IndexOf('\\');
if (idx == -1)
{
idx = strLogin.IndexOf('#');
}
if (idx != -1)
{
strDomain = strLogin.Substring(0, idx);
strName = strLogin.Substring(idx + 1);
}
else
{
strDomain = Environment.MachineName;
strName = strLogin;
}
DirectoryEntry obDirEntry = null;
try
{
obDirEntry = new DirectoryEntry("WinNT://" + strDomain + "/" + strName);
System.DirectoryServices.PropertyCollection coll = obDirEntry.Properties;
object obVal = coll["FullName"].Value;
str = obVal.ToString();
}
catch (Exception ex)
{
str = ex.Message;
}
return str;
}
and the you can just call
var strJonDoeName = GetFullName(User.Identity.Name)
code mock it from here
Maybe I have made a mistake somewhere, but WinNT://... hasn't worked for domain accounts for me. Additionally, if the user isn't in the same domain as the machine, than PrincipalContext may not find the wanted element (as it searches in the current context, if used as above).
The following should translate the "friendly domain name" as provided by User.Identity.Name to an ldap compliant domain. Using the distinguishName of the domain delivers the needed ldap path information (which has solved my cross domain problem):
(VB.NET, sorry)
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.DirectoryServices.ActiveDirectory
...
Dim strUserName As String
Dim objDirContext As DirectoryContext
Dim objContext As PrincipalContext
Dim objPrincipal As Principal
Dim strLDAPDomainPath As String
...
// User.Identity.Name delivers domain\account or account#domain
// Split User.Identity.Name in domain and account as specified above
strDomain = "my_domain"
strAccount = "jdoe"
// Get LDAP domain relative path (distinguishName) from short domain name (e.g. my_domain -> us.my_domain.com -> DC=us,DC=my_domain,DC=com)
Try
objDirContext = New DirectoryContext(DirectoryContextType.Domain, strDomain)
strLDAPDomainPath = Domain.GetDomain(objDirContext).GetDirectoryEntry.Properties("distinguishedName").Value.ToString
Catch objException As DirectoryServicesCOMException
Throw New Exception("Couldn't get LDAP domain: " & objException.Message)
End Try
// Find user in LDAP
// Nothing results in using current domain controller
Try
objContext = New PrincipalContext(ContextType.Domain, Nothing, strLDAPDomainPath)
objPrincipal = Principal.FindByIdentity(objContext, IdentityType.Name, strAccount)
If Not IsNothing(objPrincipal) Then
strUserName = objPrincipal.DisplayName
End If
Catch objException As Exception
Throw New Exception("Couldn't get user display name: " & objException.Message)
End Try
// strUserName should now contain the wanted full name
Related
I'm having issues creating computers via LDAP in C#:
The following is my code:
C#
string connectionPrefix = "LDAP://" + ldapPath;
DirectoryEntry dirEntry = new DirectoryEntry(connectionPrefix, GlobalVar.adUser, GlobalVar.adUserPassword);
DirectoryEntry newComputer = dirEntry.Children.Add("CN=" + computerName, "computer");
newComputer.Properties["samaccountname"].Value = computerName;
newComputer.Properties["dnshostname"].Value = computerName + ".[privacy].[domain].[here]";
newComputer.Properties["description"].Value = GlobalVar.adUser;
newComputer.Properties["location"].Value = "IT";
This works flawlessly with one exception: the computer is created in the correct folder. However the primary group is "Domain Users" instead of "Domain computers" when I create a computer directly in AD, the computer is automatically assigned the primary group "Domain Computers"
The result is that I cannot add the computer to the domain without editing it manually in ad.
Any solutions?
Best Regards,
Julian
I would use System.DirectoryServices.AccountManagement to do this...
LDAPusername = username with permissions to edit LDAP.
Pass the computername once it's created, then pass the group.
Sorry if this isn't perfect, this is my vb.net code I converted.
//The following code changes the principal group of an existing computer
PrincipalContext pc1 = new PrincipalContext(
ContextType.Domain,
"subdomain.domain.com",
LDAPusername,
LDAPpassword
);
dynamic cp = ComputerPrincipal.FindByIdentity(pc1, "computername");
dynamic computer = (DirectoryEntry)cp.GetUnderlyingObject();
// distinguishedname = "CN=Domain Users,CN=Users,DC=domain,DC=com"
string #group = "groupdistinguishedname";
DirectoryEntry groupdirentry = new DirectoryEntry(
"LDAP://" + #group,
LDAPusername,
LDAPpassword
);
groupdirentry.Invoke("Add", new object[] { computer.Path });
groupdirentry.CommitChanges();
groupdirentry.Invoke(
"GetInfoEx",
new object[] {
new object[] { "primaryGroupToken" },
0
}
);
object primaryGroupToken = groupdirentry.Invoke(
"Get",
new object[] { "primaryGroupToken" }
);
computer.Invoke(
"Put",
new object[] {"primaryGroupID",primaryGroupToken}
);
computer.CommitChanges();
You need to set the primaryGroupId to 515 I believe (Domain Computers)
newComputer.Properties["primaryGroupId"].Value = 515
I was having the same issue and was brought here initially after searching the web. Found the solution here.
To get a "valid" computer object, you have to set the attribute userAccountControl to 0x1020 = (PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT) and it's also recommended to set the sAMAccountName to the computername (in uppercase) followed by a '$' (same as if you create the object from the Management Console).
newComputer.Properties["userAccountControl"].Value = 0x1020;
This resolved the issue for me.
I'm trying this code:
public bool isTravelAdmin(string srvr, string usr, string password)
{
System.Diagnostics.Debug.WriteLine("I'm in isTravelAdmin!");
PrincipalContext domainctx = new PrincipalContext(ContextType.Domain, srvr);
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainctx, IdentityType.SamAccountName, usr);
bool isMember = userPrincipal.IsMemberOf(domainctx, IdentityType.Name, "traveladmin");
if (isMember)
{
System.Diagnostics.Debug.WriteLine("This user is INDEED a member of that group");
return true;
}
else
{
System.Diagnostics.Debug.WriteLine("This user is *NOT* member of that group");
return false;
}
}
Which is supposed to check if a user belongs to a certain group ("traveladmin"), but I'm getting
System.DirectoryServices.AccountManagement.PrincipalServerDownException
Any idea why and how to solve? by the way:
srvr = "LDAP://192.168.56.101/CN=Users,DC=estagioit,DC=local"
PS: I'm using the same srvr on another method and it's working and connecting.
PSS: If this is not the best way to go about this I'm open to suggestions.
The problem is how the "Principal Context" is written... it should be:
PrincipalContext thisPrincipalContext = new PrincipalContext(ContextType.Domain, "DCESTAGIO");
in this case.
If you look at the documentation for the PrincipalContext constructors, it should be quite clear:
public PrincipalContext(ContextType contextType, string name)
or
public PrincipalContext(ContextType contextType, string name, string container)
So you basically need:
your context type (here: ContextType.Domain)
the domain name (try just the "Netbios" name, e.g. "YOURDOMAIN" -
or leave NULL for "default" domain)
optionally a container (as an LDAP path - a "distinguished" name,
full path but without any LDAP:// prefix)
as seen in this answer.
In your case just change your srvr to:
srvr = "DCESTAGIO"
I'm writing a web service that checks if the user exists in Active Directory and if the user account is enabled. Once it checks that, I then go ahead validate their user account. Once they successfully enter username and password, I would like to get the GUID or NativeGuid for the person I'm authenticating. I would like to use GUID or NativeGUID to build a relationship inside SQL Server database.
Here's the approach I'm taking:
public string isAuthenticated (string serverName, string userName, string pwd)
{
string _serverName, _userName, _pwd;
_serverName = serverName;
_userName = userName;
_pwd = pwd;
string message;
if (DoesUserExist (_userName) == true)
{
if (isActive(userName) == true)
{
try
{
DirectoryEntry entry = new DirectoryEntry(_serverName, _userName, _pwd);
object nativeObject = entry.NativeObject;
//issue is here
string GUID = entry.Guid.ToString();
string GUIDID = entry.NativeGuid;
//end of issue
message = "Successfully authenticated";
}
catch(DirectoryServicesCOMException ex)
{
message = ex.Message;
}
}
else
{
message = "Account is disabled";
}
}
else
{
message = "There's an issue with your account.";
}
return message;
}
When I try to get the GUID or NativeGUID it's returning me the same ID every single time for different users.
Is there a different approach I can take to get a UNIQUE ID for different objects in Active Directory?
Thanks
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, _userName);
if(user != null)
{
// get the GUID
var objectGuid = user.Guid;
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD! I don't have an AD lying around right now to test - but I hope this will indeed give you the user object's objectGuid property value.
I want to connect to our local Active Directory with C#.
I've found this good documentation.
But I really don't get how to connect via LDAP.
Can somebody of you explain how to use the asked parameters?
Sample Code:
static DirectoryEntry createDirectoryEntry()
{
// create and return new LDAP connection with desired settings
DirectoryEntry ldapConnection = new DirectoryEntry("rizzo.leeds-art.ac.uk");
ldapConnection.Path = "LDAP://OU=staffusers,DC=leeds-art,DC=ac,DC=uk";
ldapConnection.AuthenticationType = AuthenticationTypes.Secure;
return ldapConnection;
}
I just have the Hostname and the IP Address of our Active Directory Server. What does DC=xxx,DC=xx and so on mean?
DC is your domain. If you want to connect to the domain example.com than your dc's are: DC=example,DC=com
You actually don't need any hostname or ip address of your domain controller (There could be plenty of them).
Just imagine that you're connecting to the domain itself. So for connecting to the domain example.com you can simply write
DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://example.com");
And you're done.
You can also specify a user and a password used to connect:
DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://example.com", "username", "password");
Also be sure to always write LDAP in upper case. I had some trouble and strange exceptions until I read somewhere that I should try to write it in upper case and that solved my problems.
The directoryEntry.Path Property allows you to dive deeper into your domain. So if you want to search a user in a specific OU (Organizational Unit) you can set it there.
DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://example.com");
directoryEntry.Path = "LDAP://OU=Specific Users,OU=All Users,OU=Users,DC=example,DC=com";
This would match the following AD hierarchy:
com
example
Users
All Users
Specific Users
Simply write the hierarchy from deepest to highest.
Now you can do plenty of things
For example search a user by account name and get the user's surname:
DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://example.com");
DirectorySearcher searcher = new DirectorySearcher(directoryEntry) {
PageSize = int.MaxValue,
Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=AnAccountName))"
};
searcher.PropertiesToLoad.Add("sn");
var result = searcher.FindOne();
if (result == null) {
return; // Or whatever you need to do in this case
}
string surname;
if (result.Properties.Contains("sn")) {
surname = result.Properties["sn"][0].ToString();
}
ldapConnection is the server adres: ldap.example.com
Ldap.Connection.Path is the path inside the ADS that you like to use insert in LDAP format.
OU=Your_OU,OU=other_ou,dc=example,dc=com
You start at the deepest OU working back to the root of the AD, then add dc=X for every domain section until you have everything including the top level domain
Now i miss a parameter to authenticate, this works the same as the path for the username
CN=username,OU=users,DC=example,DC=com
Introduction to LDAP
If your email address is 'myname#mydomain.com', try changing the createDirectoryEntry() as below.
XYZ is an optional parameter if it exists in mydomain directory
static DirectoryEntry createDirectoryEntry()
{
// create and return new LDAP connection with desired settings
DirectoryEntry ldapConnection = new DirectoryEntry("myname.mydomain.com");
ldapConnection.Path = "LDAP://OU=Users, OU=XYZ,DC=mydomain,DC=com";
ldapConnection.AuthenticationType = AuthenticationTypes.Secure;
return ldapConnection;
}
This will basically check for com -> mydomain -> XYZ -> Users -> abcd
The main function looks as below:
try
{
username = "Firstname LastName"
DirectoryEntry myLdapConnection = createDirectoryEntry();
DirectorySearcher search = new DirectorySearcher(myLdapConnection);
search.Filter = "(cn=" + username + ")";
....
How can I get the Windows user and domain from an Active Directory DirectoryEntry (SchemaClassName="user") object?
The user name is in the sAMAccountName property but where can I look up the domain name?
(I can't assume a fixed domain name because the users are from various subdomains.)
This assumes that results is a SearchResultCollection obtained from a DirectorySearcher, but you should be able to get the objectsid from a DirectoryEntry directly.
SearchResult result = results[0];
var propertyValues = result.Properties["objectsid"];
var objectsid = (byte[])propertyValues[0];
var sid = new SecurityIdentifier(objectsid, 0);
var account = sid.Translate(typeof(NTAccount));
account.ToString(); // This give the DOMAIN\User format for the account
You won't find what you're looking for in the DirectoryEntry, unfortunately.
You have the sAMAccountName which typically is something like myuser (without the domain). You have the distinguishedName which is something like LDAP://cn=joe myuser,cn=Users,dc=yourCompany,dc=com. You also have a userPrincipalName but that's usually a name in the format of joeUser#mycompany.com.
But you won't find any attribute that has the domain\MyUser in it, unfortunately. You'll have to put that together from your information about the domain name, and the sAMAccountName of the DirectoryEntry.
For more information and some excellent Excel sheets on all the LDAP and WinNT properties in System.DirectoryServices, check out the Hilltop Lab website by ADSI MVP Richard Mueller.
Marc
To get the DirectoryEntry domain name you can use recursion on
directoryEntry.Parent.
And then if directoryEntry.SchemaClassName == "domainDNS"
you can get the domain name like this:
directoryEntry.Properties["Name"].Value
I found a partitions container in CN=Partitions,CN=Configuration that contains all domains.
When you match the user to the partion you can read the real domain name from the nETBIOSName+"\"+sAMAccountName property.
public static string GetDomainNameUserNameFromUPN(string strUPN)
{
try
{
WindowsIdentity wi = new WindowsIdentity(strUPN);
WindowsPrincipal wp = new WindowsPrincipal(wi);
return wp.Identity.Name;
}
catch (Exception ex)
{
}
return "";
}
If you are using the System.DirectoryServices libraries, you should have a SearchResultsCollection from a DirectorySearcher.
Within each SearchResult's Properties collection, there is a "distinguishedname" property. That will contain all the DC parts that make up the domain your directory entry belongs to.
I'm extending a previous answer by #laktak to provide the details of what he meant.
There is a partitions container in CN=Partitions,CN=Configuration that contains all domains which gives you the cn which is the Netbios domain name and the nCName property that contains the distinguishedName prefix a user will have if they are in this domain.
So start by searching ldap for (objectClass=*) in CN=Partitions,CN=Configuration and store the (cn, nCName) pairs of each result to a map.
Next you query ldap using (sAMAccountName=USERIDHERE) and get the distinguishedName from the user. Now go through the (cn, nCName) pairs and find the nCName that prefixes the distinguishedName from the user, and the corresponding cn is your desired Domain name.
I wrote this pieces of code for my own usage (in VB.net, easy translation) :
<System.Runtime.CompilerServices.Extension()>
Public Function GetDomainFQDN(ByVal Entry As DirectoryServices.DirectoryEntry) As String
Try
While Entry.SchemaClassName <> "domainDNS"
Entry = Entry.Parent
End While
Dim DN As String = Entry.Properties("DistinguishedName").Value
Return DN.Replace("DC=", "").Replace(",", ".")
Catch ex As Exception
Debug.WriteLine(ex.ToString)
Return String.Empty
End Try
End Function
<System.Runtime.CompilerServices.Extension()>
Public Function GetDomainNetbiosName(ByVal Entry As DirectoryServices.DirectoryEntry) As String
Try
While Entry.SchemaClassName <> "domainDNS"
Entry = Entry.Parent
End While
Return Entry.Properties("Name").Value
Catch ex As Exception
Debug.WriteLine(ex.ToString)
Return String.Empty
End Try
End Function
I feel obligated to add my answer which was inspired from Nicholas DiPiazza's answer here. Hope this PowerShell code helps someone!
$hash = #{} //this contains the map of CN and nCNAME
$Filter = '(nETBIOSName=*)'
$RootOU = "CN=Partitions,CN=Configuration,DC=DOMAIN,DC=LOCAL" //Change this to your org's domain
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchScope = "subtree"
$Searcher.Filter = $Filter
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.FindAll()|sort | foreach { $hash[($_.Properties.ncname).Trim()] = ($_.Properties.cn).Trim() }
$hash.GetEnumerator() | sort -Property Value
If the user details are available in $userDetails, then the you can get the correct domain with this:
$hash[[regex]::Match($userDetails.DistinguishedName, 'DC=.*').Value]
and the final username would look like this:
$hash[[regex]::Match($userDetails.DistinguishedName, 'DC=.*').Value] + "\" + $userDetails.SamAccountName
1) You can get the userPrincipalName from the DirectoryEntry.
2) Then, split the UPN up between the Username and Domain Name.
3) Then call GetNetBIOSName() on it.
public static DirectoryEntry GetDirectoryObject(string strPath)
{
if (strPath == "")
{
strPath = ConfigurationManager.AppSettings["LDAPPath"]; //YOUR DEFAULT LDAP PATH ie. LDAP://YourDomainServer
}
string username = ConfigurationManager.AppSettings["LDAPAccount"];
string password = ConfigurationManager.AppSettings["LDAPPassword"];
//You can encrypt and decrypt your password settings in web.config, but for the sake of simplicity, I've excluded the encryption code from this listing.
}
catch (Exception ex)
{
HttpContext.Current.Response.Write("user: " + username + ", LDAPAccount: "+ ConfigurationManager.AppSettings["LDAPAccount"] + ".<br /> "+ ex.Message +"<br />");
if (HttpContext.Current.User.Identity != null)
{
HttpContext.Current.Response.Write("HttpContext.Current.User.Identity: " + HttpContext.Current.User.Identity.Name + ", " + HttpContext.Current.User.Identity.IsAuthenticated.ToString() + "<br />");
HttpContext.Current.Response.Write("Windows Identity: " + WindowsIdentity.GetCurrent().Name + ", " + HttpContext.Current.User.Identity.IsAuthenticated.ToString());
}
else
{
HttpContext.Current.Response.Write("User.Identity is null.");
}
HttpContext.Current.Response.End();
}
DirectoryEntry oDE = new DirectoryEntry(strPath, username, password, AuthenticationTypes.Secure);
return oDE;
}
public static string GetNetBIOSName(string DomainName)
{
string netBIOSName = "";
DirectoryEntry rootDSE =GetDirectoryObject(
"LDAP://"+DomainName+"/rootDSE");
string domain = (string)rootDSE.Properties[
"defaultNamingContext"][0];
// netBIOSName += "Naming Context: " + domain + "<br />";
if (!String.IsNullOrEmpty(domain))
{
//This code assumes you have a directory entry at the /CN=Partitions, CN=Configuration
//It will not work if you do not have this entry.
DirectoryEntry parts = GetDirectoryObject(
"LDAP://"+DomainName+"/CN=Partitions, CN=Configuration," + domain);
foreach (DirectoryEntry part in parts.Children)
{
if ((string)part.Properties[
"nCName"][0] == domain)
{
netBIOSName += (string)part.Properties[
"NetBIOSName"][0];
break;
}
}
}
return netBIOSName;
}
public static string GetDomainUsernameFromUPN(string strUPN)
{
string DomainName;
string UserName;
if (strUPN.Contains("#"))
{
string[] ud = strUPN.Split('#');
strUPN= ud[0];
DomainName = ud[1];
DomainName=LDAPToolKit.GetNetBIOSName(DomainName);
UserName= DomainName + "\\" + strUPN;
}
else
{
UserName= strUPN;
}
return UserName;
}