asking info form ASP.NET 2.0 to Windows Active Directory

[lucky]

hi guys,
after long long efforts i got access to the active directory for
"Intigrated windows authentication". now i', suppose to get access the
network resources.

the problem is i'm getting access to the active directory but when i
search for some users into the active directory, it returns none though
there are more then 42 users exists.

the code has been tested with Desktop Application locally. it is
working fine for retriveing data. but when i used "intigrated windows
authentication" and allowe server for "trusted for deligation", i'm not
able to retrive any users list anymore.

the code is :

entry = new
System.DirectoryServices.DirectoryEntry("LDAP://" + Settings.Domain);
mySearcher = new
System.DirectoryServices.DirectorySearcher(entry);
mySearcher.Filter = ("(objectClass=user)");
writer.WriteLine("FindNoExistingUserInPowerLearn : " +
entry.ToString());
writer.WriteLine("Entry : " +
entry.AuthenticationType.ToString());
writer.WriteLine("Entry : " +
entry.Options.SecurityMasks.ToString());
writer.WriteLine("Entry : " +
entry.Properties.Count.ToString());
System.DirectoryServices.SearchResultCollection results =
mySearcher.FindAll();
writer.WriteLine("Result Found : " +
results.Count.ToString());

i've some doubt that. the aspnet a/c used by the aspnet_wp.exe can only
authenticate the users against active directory but can't fetch users
information from the active directory.

if someone has any exp. with such situation, please share with me.

thanks,
Lucky

 

[Joe Kaplan \(MVP - ADSI\)]

I did write a whole book about this that might help you.

It sounds like you are trying to use IWA to authenticate users and use
impersonation in ASP.NET to use the user's security context to access AD.
If this is the case, you must also implement Kerberos delegation in IIS to
allow the ASP.NET service account to delegate the user's credentials to AD.

The details depend a little bit on whether AD is 2003 native or not and
whether you are using IIS6 on Win2K3 or something earlier, but they are
pretty similar. Microsoft has put together some great documentation on MSDN
and TechNet explaining how to set this up and troubleshoot it. I won't
repeat all that.

Joe K.

 

[lucky]

Thanks for your replay,

I've already gone through all MSDN and Technet documentation and
success fully impliment the the Kerberos Deligation.
the scenerio is:
i've a windows 2003 web server with IIS 5.2. and the active directory
resides on windows 2000 server. According to those 2 sites'
documentation, i'ave added the deligations but the problem is still
there. i'm not able to get list of the users from the active directory.
the code i'm using in asp.net 2.0 is working fine when i'm runing on
development computer because it doesn't need kerberos. but when i'm
running from the web server 2003, it returns no users.

can you tell me something on this?

 

[lucky]

What i've seen so far is, in asp.net web application, the
System.DirectoryServices.DirectoryEntry has not implimented any rules
for Security and i think that is the problem. when i'm running it
locally the seurity rules are automatically getting added but when i
run it on production server the rules object returns NULL.

can anyone tell me something about that?

 

[Joe Kaplan \(MVP - ADSI\)]

Ok, with Windows 2000 AD, you can't use protocol transition or constrained
delegation. Thus, you need Kerberos authentication in the web browser (not
NTLM or something else) and your service process account must have rights to
delegate in AD. Typically, in IIS 6 you'll be running your app pool as
Network Service, so the delegation rights will be applied to the computer
account in AD.

In IIS, configure the app for IWA auth only.

In ASP.NET, configure for Windows auth and set impersonation to true.

One thing you might find helpful in .NET 2.0 is the IsMutuallyAuthenticated
property on the Options property of the DirectoryEntry. This will tell you
whether you authenticated with Kerberos to AD (which is required). In your
infrastructure, you will only authenticate to AD with Kerberos if your
browser authenticated to IIS with Kerberos.

My experience as been that getting the browser to authenticate to IIS using
Kerberos is the hardest part. The troubleshooting docs explain how to set
this up and test it though. Make sure the security event log is telling you
that your browsers are using Kerberos, not NTLM.

Joe K.