views: 98
answers: 3

I have a domain and port number (636) as well as a username and password.

I am trying to figure out a way to connect to this AD via Secure LDAP and get a user's 'givenname', 'sn', 'mail', and probably a few custom attributes.

However, I have no idea how to do this in C#.

I think that Microsoft may have a method for this available already but I am going to defer to you all.

The final user experience will be: see login screen, enter username and password, those credentials are sent over LDAP and the user's info is returned to my web app, then I log them in if it all went well... though I don't know what a failed attempt would look like either, so I can deny them. Any ideas?

Please include code samples so I can understand the implementation, thanks!

+3  A: 

Did you even try google?

EDIT

Sorry for the hubbub and the snarky response. I think the problem you were having is you didn't quite ask the question right -- either here or on google. Anyhow, you don't need a lick of C# code here. You just need to configure your web app to use AD as a membership provider. You'll need a connection string [getting this right was the hardest part]:

<connectionStrings>
    <add name="MyAd"
         connectionString="LDAP://adserver/OU=Users"
         />
</connectionStrings>

And a membership provider:

<membership defaultProvider="AdProvider">
    <providers>
        <add
            name="AdProvider"
            type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="MyAd"
            applicationName="ItRemoteHelpdesk"
            enablePasswordReset="false"
            />
    </providers>
</membership>

Then users can login with their normal username@domain and password.

Wyatt Barnett
@Shogun, seriously!! you just asked us to build a **solution** for you, not answer a *question*. If all you want is a question answered, then yes, it's possible.
Brad
@Brad, I did not, I simply asked for code samples and information on what C# Library to use... and the point of asking on SO is to help add to the site and get advice from the users, for example some pitfalls that people might have run into, real time advice... wow, just.. wow..
shogun
@Shogun, your question is just simply too broad. I wrote an entire Dll to custom-wrap .NET's AD authentication. Would that be suitable to post? Probably not.
Brad
Thanks Wyatt, do you know if it's possible to have this alongside normal login? Most accounts in the web app will log in directly to the web app using a normal username/password lookup in our DB, but some special accounts will be flagged to log in via their AD.
shogun
Never tried it, but you've got the same considerations here as you would with any other multi-membership provider application.
Wyatt Barnett
hmm ok, also the domain information will be stored in the database so that my solution could be used for multiple accounts to different domains, etc, thanks for the input
shogun
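The "alongside normal login" exchange above, as an added example that is not Wyatt's code or part of the thread: a login routine that picks the membership provider per account. It assumes web.config declares a default DB-backed provider plus the AdProvider entry from the answer (for port 636 the connection string would point at LDAP://adserver:636/... and the provider would carry connectionProtection="Secure"), and that the application's own user table records which accounts are AD-backed; the usesAd delegate stands in for that database lookup.

```csharp
using System;
using System.Web.Security;

// Added example, not code from the thread. Assumes web.config declares the
// default DB-backed provider plus an "AdProvider" entry, and that the app's own
// user table records which accounts authenticate against AD (the usesAd lookup).
public static class MixedLogin
{
    const string AdProviderName = "AdProvider";

    // Returns true and issues the forms-auth ticket only when the chosen
    // provider accepted the password; false covers a wrong password and unknown,
    // disabled or locked-out accounts, so the caller can deny the attempt.
    public static bool Login(string userName, string password, Func<string, bool> usesAd)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false; // never let an empty password reach the directory

        // AD-flagged accounts use Wyatt's provider; everything else uses the
        // defaultProvider from web.config (the DB-backed one).
        MembershipProvider provider = usesAd(userName)
            ? Membership.Providers[AdProviderName]
            : Membership.Provider;

        if (provider == null)
            throw new InvalidOperationException(
                "Membership provider '" + AdProviderName + "' is not configured in web.config.");

        // ActiveDirectoryMembershipProvider.ValidateUser binds to the DC with the
        // credentials the user typed; no service-account password is needed here.
        if (!provider.ValidateUser(userName, password))
            return false;

        // Same cookie for both kinds of account; see the note below on name collisions.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```

Both providers end up writing the same forms-authentication cookie, so the application must guarantee that an AD user's login name (username@domain with the provider's default attribute mapping) can never also be a valid DB account name; otherwise later authorization code cannot tell the two apart.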
+1  A: 

The System.DirectoryServices.AccountManagement is the .NET dll to use for the newer, non-LDAP AD authentication.

Try this website for a good starting point with code examples:

http://www.codeproject.com/KB/system/usingAccountManagement.aspx

Brad
it has to be Secure LDAP.. so I'm guessing 'non-LDAP' is not using Secure LDAP, right?
shogun
@Shogun, you can use the `ContextOptions` enum when creating your `Context` (the link to the DC) to specify that you want SSL http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions.aspx
Brad
@Brad, ok thanks.. sorry for being so snappy, it's been a long week..
shogun
all's well that ends well. :)
Brad
@Brad, one more question about this link provided, is this actually using the Secure LDAP protocol? Our partner has only allowed for this protocol from a specific IP address on our side.
shogun
@Shogun, I cannot help you there. It wasn't required in my implementation.
Brad
A: 

You should definitely check out the .NET 3.5 System.DirectoryServices.AccountManagement namespace as suggested by Brad.

To get a good head start on how to use it, read this MSDN Magazine article: Managing Directory Security Principals in the .NET Framework 3.5

The article does talk several times about how to securely (using SSL) connect to your AD domain, and how to e.g. create users or retrieve user information. I think reading that article closely and trying out the code samples should give you a good idea on how to do what you're looking for.

Update: quite obviously, all those methods in S.DS.AM require you to be authenticated against AD. The new classes also provide for pretty simple verification of user credentials (as shown in that article I linked to):

using System.DirectoryServices.AccountManagement;

// establish context (the current process identity is used to connect to the domain)
PrincipalContext domain = new PrincipalContext(ContextType.Domain);

// determine whether a user can validate to the directory
bool validated = domain.ValidateCredentials("user1", "Password1");
marc_s
I'm confused. I am trying to have AD users login with their username and password to a client AD through my web app. This looks like I can just look up any user without a password... How then do I authenticate someone? And how am I gaining access, some admin password? More reading I must do... this seems so... overly complicated!
shogun
@Shogun: of course, you can only ever look someone up if you're already authenticated. Read that article I'm linking to!! It also shows you how to easily validate credentials against AD, and how to login a given user. Only when **logged in** can he do all the other stuff, of course!!
marc_s
Oh... the client gave me a test user but no admin account or anything like that, I guess I need to go back and ask for one? Or can I authenticate a normal user? Please clarify, I am very confused here..
shogun
@Shogun: that depends on the Active Directory configuration, but by default, any domain user can at least read from the AD (at least parts of it)
marc_s
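Putting the thread together, as an added example that is neither marc_s's code nor the linked article's: the ValidateCredentials call from the answer above, Brad's ContextOptions.SecureSocketLayer suggestion for the port-636 endpoint, and the givenName/sn/mail lookup from the original question, all done with the user's own credentials so no admin account is needed (the point of the last comment). The DC host name, the container DN and the employeeNumber attribute standing in for a "custom attribute" are assumptions to be replaced with the partner's values.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the thread or the linked article. Assumed values:
// the DC host, the port-636 endpoint, the container DN and the "employeeNumber"
// attribute standing in for one of the custom attributes the question mentions.
public static class SecureLdapLogin
{
    const string Server = "adserver.example.com:636";       // assumption: partner DC, LDAPS port
    const string Container = "OU=Users,DC=example,DC=com";  // assumption: where the accounts live

    // SecureSocketLayer has to be combined with a bind method (Negotiate or SimpleBind).
    // With Negotiate the password itself is never put on the wire, even inside TLS.
    const ContextOptions Options =
        ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;

    public sealed class DirectoryUser
    {
        public string GivenName;
        public string Surname;
        public string Mail;
        public string EmployeeNumber;
    }

    // Returns the user's attributes on success and null for a failed attempt
    // (wrong password, unknown, disabled or locked-out account). Connectivity and
    // certificate problems surface as exceptions so they get logged instead of
    // being shown to the user as "bad password".
    public static DirectoryUser TryLogin(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null; // an empty password would turn into an anonymous bind

        // The context is opened with the user's own credentials: by default a domain
        // user can read (at least parts of) the directory, including its own entry,
        // so no admin or service account is required for this flow.
        using (var ctx = new PrincipalContext(ContextType.Domain, Server, Container, Options, userName, password))
        {
            if (!ctx.ValidateCredentials(userName, password, Options))
                return null;

            // The (PrincipalContext, string) overload matches sAMAccountName and
            // user@domain alike, so the login form can accept either form.
            using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName))
            {
                if (user == null || user.Enabled == false)
                    return null;

                var result = new DirectoryUser
                {
                    GivenName = user.GivenName,   // givenName
                    Surname = user.Surname,       // sn
                    Mail = user.EmailAddress,     // mail
                };

                // Attributes without a typed property on UserPrincipal are read from
                // the underlying ADSI object.
                var entry = (DirectoryEntry)user.GetUnderlyingObject();
                result.EmployeeNumber = entry.Properties["employeeNumber"].Value as string;
                return result;
            }
        }
    }
}
```

Two things to check against the partner's setup before relying on this: PrincipalContext validates the DC's certificate against the Windows trust store on the web server and offers no hook to relax that, so a failing handshake means fixing the trust chain, not falling back to port 389; and since the partner only allows LDAPS from one IP address, the code has to run on that host, which is also why the catch-all "treat every exception as a bad password" pattern is avoided here: a blocked connection should show up in the logs as exactly that.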