System Specs:

  • InfoPath 2007 with C# code-behind
  • Web services
  • Active Directory

I need to get the user's name (first name and last name) from Active Directory, but the user appears not to have permission to read the Active Directory listings.

What permissions do I need to give the user in order for them to search AD?

I am using code like this:

 using System.DirectoryServices;

 SearchResult result;
 // Bind as the executing user; both the entry and the searcher are disposed when done.
 using (DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au"))
 using (DirectorySearcher search = new DirectorySearcher(de,
     string.Format("(&(objectClass=user)(mailNickname={0}))", this.Application.User.UserName)))
 {
     result = search.FindOne(); // null when no user matches the filter
 }

I have considered creating a web service that gets the required information, but that seems like overkill. It would, however, get around having to make sure every possible user of the form has the correct permissions.

EDIT:
The code that I am trying to execute is InfoPath code-behind. The form itself connects to web services to retrieve some of its data. As such, it is under InfoPath's security model. The form is fully trusted, so it should be fine to execute under the current user context.
My fault for not adding the extra detail.

A: 

Any user of the AD should have permissions to browse the AD by default.

You probably just need to change your directory entry to point to the user container like so:

new DirectoryEntry("LDAP://CN=users,DC=contoso,DC=com,DC=au")

Your user container could have another name.

If that does not solve the problem it may be that the application is not actually running as the user. For example, an ASP.NET website would need to be using impersonation in order to query the AD.

jellomonkey
The problem could come from the InfoPath security model. It's basically like Internet Explorer in that it is very restrictive in the type of information that it can get access to. Is it sandboxed?
Nathan Fisher
A: 

When you create a new DirectoryEntry without specifying a username and password, you're connecting to Active Directory using the credentials of the executing user. In your case that is probably the local IUSR_...-account on the web server, which is the default account used when a new web site is set up in IIS. Because that's a local account, you won't be able to access Active Directory.

You have two options:

  • Create a service account in Active Directory and use that account explicitly, i.e. DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au", "sa-username", "sa-password", AuthenticationTypes.Secure). Of course, passwords in clear text in the code are not a good idea, so find a way to encrypt the password.

or

  • Configure the IIS application pool for your web site (IIS 6+) to run under a domain user account - that way that account is used when connecting to Active Directory.
Per Noalt
@Per Thanks for that. I may be able to use your first option on the InfoPath end. I have edited the question to say that the code is executing on the InfoPath end at this point. It was a consideration to move the code calling AD to a web service, in which case your second option may come into play.
Nathan Fisher
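The lookup the question describes, written out as an added example that is not code from the question or either answer: it binds either as the executing user or, following the first option above, with an explicit service account passed in from a protected store, and it escapes the username before it goes into the LDAP filter. The class, method and parameter names are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class AdUserLookup
{
    // Escape the characters that carry meaning in an LDAP filter (RFC 4515),
    // so a value taken from the running context cannot change the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns true and fills firstName/lastName when a user with the given
    // mailNickname exists. Pass null for serviceUser to bind as the executing
    // user; otherwise serviceUser/servicePassword come from a protected store
    // (e.g. an encrypted config section), never from literals in the code.
    public static bool TryGetUserName(string ldapPath, string mailNickname,
                                      string serviceUser, string servicePassword,
                                      out string firstName, out string lastName)
    {
        firstName = lastName = null;
        DirectoryEntry root = serviceUser == null
            ? new DirectoryEntry(ldapPath)
            : new DirectoryEntry(ldapPath, serviceUser, servicePassword, AuthenticationTypes.Secure);
        using (root)
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(mailNickname=" + EscapeFilterValue(mailNickname) + "))";
            searcher.PropertiesToLoad.Add("givenName"); // first name
            searcher.PropertiesToLoad.Add("sn");        // last name (surname)
            SearchResult result = searcher.FindOne();
            if (result == null) return false;
            firstName = result.Properties["givenName"].Count > 0 ? (string)result.Properties["givenName"][0] : "";
            lastName  = result.Properties["sn"].Count > 0 ? (string)result.Properties["sn"][0] : "";
            return true;
        }
    }
}
```

In the InfoPath code-behind this would be called with "LDAP://DC=contoso,DC=com,DC=au" and this.Application.User.UserName; a null result from FindOne usually means the filter matched nothing rather than a permissions failure, which instead surfaces as an exception from the bind.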