Accessing users' email from Active Directory

tMan

// ASP.NET 2.0, VS.NET 2005: (authentication mode = Windows) //
I'm trying to access/display the current user's email from AD. It works fine when I
run it in debug mode. However, when I publish the website and access the
page, I get a "The specified domain either does not exist or could not be
contacted" error. Anyone know the cause for this error?

Thanks
-tMan

code:
------
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Web

' Serverless binding: no server or domain name in the LDAP path.
Dim de As New DirectoryEntry()
Dim userIdentity As WindowsIdentity = _
    CType(HttpContext.Current.User.Identity, WindowsIdentity)
' Bind to the current user's object by SID.
de.Path = "LDAP://<SID=" + userIdentity.User.Value + ">"
'de.Path = "LDAP://" + ctx.UserDn
' Read the "mail" attribute of the bound object.
statusLabel.Text = de.Properties("mail").Value.ToString()
 
Joe Kaplan (MVP - ADSI)

Your code uses "serverless binding", in that it does not supply a server or
domain name in the binding string. You have LDAP://<SID=xxxx>. A path with
a server name might look like LDAP://domain.com/<SID=xxxx>.

Serverless binding is cool, but it only works if the current security
context (WindowsIdentity.GetCurrent().Name) is a domain account. If it is a
local machine account, it fails. Anytime you supply a domain name hint or a
full domain controller name, you can work around this.

The other issue though is that you also need a domain security context to
access the directory if you don't supply credentials. If the current
security is a local machine account, it is not very likely that it will be
able to log into AD.

You can always use the current user's security context to access AD (since
you have their WindowsIdentity) by enabling impersonation, but if they were
authenticated in IIS via IWA, you'll also need to implement Kerberos
delegation when the browser is on a different machine than the web server
and the domain controller is on a different server from the web server
(which I hope it is!).

Joe K.
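
The two fixes above (an explicit domain name in the binding path, and binding under the authenticated user's own context via impersonation) put together, as an added example that is not part of the original posts; "corp.example.com" is an assumed placeholder domain, and Kerberos delegation still has to be set up separately when IWA and a remote DC are involved.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal

Public Class AdMailLookup

    ' Assumed placeholder: replace with the DNS name of your AD domain.
    Private Const DomainHint As String = "corp.example.com"

    ' Returns the "mail" attribute of the authenticated user, or Nothing if the
    ' identity is not an authenticated WindowsIdentity or the attribute is unset.
    Public Shared Function GetCurrentUserMail(ByVal user As IPrincipal) As String
        Dim identity As WindowsIdentity = TryCast(user.Identity, WindowsIdentity)
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then
            Return Nothing
        End If

        ' Explicit domain in the path, so the bind no longer depends on the
        ' worker process running as a domain account.
        Dim path As String = "LDAP://" & DomainHint & "/<SID=" & identity.User.Value & ">"

        ' Impersonate the caller so the LDAP bind uses the caller's domain
        ' security context rather than the app pool's local machine account.
        Dim ctx As WindowsImpersonationContext = identity.Impersonate()
        Try
            ' Secure (Kerberos/NTLM) bind with the impersonated credentials.
            Using de As New DirectoryEntry(path, Nothing, Nothing, AuthenticationTypes.Secure)
                Dim value As Object = de.Properties("mail").Value
                If value Is Nothing Then
                    Return Nothing
                End If
                Return value.ToString()
            End Using
        Finally
            ' Always revert, even if the bind throws.
            ctx.Undo()
        End Try
    End Function

End Class
```

Call it from the page as `statusLabel.Text = AdMailLookup.GetCurrentUserMail(HttpContext.Current.User)`; if it returns Nothing, the user has no mail attribute or was not authenticated with a Windows identity.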
 
tMan

Thanks Joe.

Joe Kaplan (MVP - ADSI) said:
Your code uses "serverless binding", in that it does not supply a server or
domain name in the binding string. You have LDAP://<SID=xxxx>. A path with
a server name might look like LDAP://domain.com/<SID=xxxx>.

Serverless binding is cool, but it only works if the current security
context (WindowsIdentity.GetCurrent().Name) is a domain account. If it is a
local machine account, it fails. Anytime you supply a domain name hint or a
full domain controller name, you can work around this.

The other issue though is that you also need a domain security context to
access the directory if you don't supply credentials. If the current
security is a local machine account, it is not very likely that it will be
able to log into AD.

You can always use the current user's security context to access AD (since
you have their WindowsIdentity) by enabling impersonation, but if they were
authenticated in IIS via IWA, you'll also need to implement Kerberos
delegation when the browser is on a different machine than the web server
and the domain controller is on a different server from the web server
(which I hope it is!).

Joe K.
 