How do you figure out the LDAP://? ("Error authenticating. Error authenticating user. The specified

  • Thread starter Thread starter mrwoopey
  • Start date Start date
M

mrwoopey

Hi,

I am using the example "Authenticate against the Active Directory by
Using Forms Authentication and Visual Basic .NET":

http://support.microsoft.com/default.aspx?scid=KB;EN-US;326340

But I am having a problem figuring out the LDAP://

The LDAP:// that I pass looks like this (i substitued generic the
following with generic name):

Dim adPath as String =
LDAP://DC=SomeDomainControllerComputerThatHasActiveDirectory"

But I am receiveing the following message when I try to log in with
the example:
"Error authenticating. Error authenticating user. The specified domain
either does not exist or could not be contacted"

How do I figure out how my "LDAP://" should look like?

Thanks,

Phin
 
Hi Marc,

Thanks for the tip, it worked! The thing that doesn't work now is
trying to find the group that the user is in ("Error obtaining group
names"). So, I commented out the code "adAuth.GetGroups()". Does
anybody know how to get "adAuth.GetGroups()" working from the example:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;326340

Besides that I can log in. Do I really need to check for group name?

Thanks,

Phin
 
That function is probably failing because the SearchRoot used by the
DirectorySearcher needs to be built with a specific server name and login
credentials, much like the bind operation you did to authenticate the user
in the first place.

If you replace the line:

Dim search As DirectorySearcher = New DirectorySearcher(_path)

with:
Dim search As DirectorySearcher = New DirectorySearcher(rootEntry)

Where rootEntry is a DirectoryEntry object built the same way you built the
entry to get the authentication to work, then you should be fine.

That said, in my opinion this example from Microsoft is very flawed and
probably should not be used. Using memberOf does not give you nested group
membership, does not ensure that the groups are security groups and does not
include the user's primary group. A much better solution is to use the
tokenGroups attribute on the current user to get their full transitive
security group membership. The trick is that this attribute returns an
array of SID structures as byte(), so they are a bit harder to resolve back
into names (but certainly not impossible).

Normally, you are interested in the group names if you want to build an
IPrincipal object in order to make role-based authorization decisions. If a
simple authentication (in or out of the site) is adequate for your needs,
then you could easily just skip this whole mess and be done with it.
Normally, you need role-based authorization if certain users are allowed to
perform certain actions that others are not and you need an easy way to
distinguish them at runtime.

I hope that helps,

Joe K.

mrwoopey said:
Hi Marc,

Thanks for the tip, it worked! The thing that doesn't work now is
trying to find the group that the user is in ("Error obtaining group
names"). So, I commented out the code "adAuth.GetGroups()". Does
anybody know how to get "adAuth.GetGroups()" working from the example:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;326340

Besides that I can log in. Do I really need to check for group name?

Thanks,

Phin

"Marc Nivens [MSFT]" <[email protected]> wrote in message
DC= should be followed by a domain DN, not a servername. If you want to
bind to DC1 in domain domain.com, you would use this:

LDAP://DC1/DC=domain,DC=com

If you use serverless binding, you would just use:

LDAP://DC=domain,DC=com

--
Marc Nivens
Enterprise Messaging Support

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Click to expand...
Click to expand...
 
Back
Top