Active Directory LDAP Authentication Fails in IIS 6


P Webster

We recently moved a web site that validated user credentials in Active
Directory from IIS 5.1 to IIS 6, and the validation code no longer works.
The web.config file is set to Windows authentication because all we do is
verify the user on the login form so we can redirect them to the appropriate
page based on their group.
The code to authenticate is:
Imports System.DirectoryServices

' Fields the function reads and updates (not shown in the original post).
Private _path As String
Private _filterAttribute As String

Public Function IsAuthenticated(ByVal domain As String, ByVal username As String, ByVal pwd As String) As Boolean
    Dim domainAndUsername As String = domain & "\" & username
    ' _path holds the LDAP path of the domain being bound to.
    Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndUsername, pwd)
    Try
        'Bind to the native AdsObject to force authentication.
        Dim obj As Object = entry.NativeObject
        Dim search As DirectorySearcher = New DirectorySearcher(entry)
        ' Note: the login-form username is concatenated into the filter unescaped.
        search.Filter = "(SAMAccountName=" & username & ")"
        search.PropertiesToLoad.Add("cn")
        Dim result As SearchResult = search.FindOne()
        If (result Is Nothing) Then
            Return False
        End If
        'Update the new path to the user in the directory.
        _path = result.Path
        _filterAttribute = CType(result.Properties("cn")(0), String)
    Catch ex As Exception
        Throw New Exception("Error authenticating user. " & ex.Message & "<BR>" & ex.StackTrace.ToString)
    End Try
    Return True
End Function

In IIS 6, we have tried all possible combinations of directory security.

When we first moved the site to IIS 6, an error was generated by the above
code stating the parameter was incorrect, so we tried adding
AuthenticationTypes.None and AuthenticationTypes.Anonymous as the final
parameter for DirectoryEntry(... The result was a message returned as
"unknown user name or bad password." The user name and password entered were
correct, so I don't understand why that error was generated.

Any ideas would be greatly appreciated.

Paul
 

Patrick.O.Ige

Paul,
It seems you can't authenticate using the Active Directory; that's why you are
getting:
"unknown user name or bad password."
Is the server in the same domain as the Active Directory? And again,
are you sure IIS can authenticate on the domain?
Is Integrated Windows Authentication checked in IIS?
Patrick
 

P Webster

Patrick,
Thanks for the reply.
I actually cross-posted this message in ...aspnet.security and received very
good help from Joe Kaplan.
It turns out we were struggling with this problem in the wrong way. The
original code that worked on the W2K server with IIS 5.1 had a bad
parameter, and it probably shouldn't have been working in the first place.
Here is the final post I made in the other group just in case this problem
happens to someone else.

The DirectoryEntry parameters being sent (and I might mention successfully
in IIS 5.1) were:
entry = New DirectoryEntry("LDAP://biz.xxx.yyy.com/DC=biz, DC=xxx, DC=yyy,
DC=com", "DC=biz\username", "password")
For some reason, the domain\username included "DC=" in front of it and IIS
5.1 must have dropped that off when trying to authenticate the user. When
we removed the "DC=" and just used "biz\username", everything worked as
expected.

We didn't figure it out until we decided to write a test application in
ASP.NET 2.0. When everything worked correctly, we started from scratch and
wrote the entire process in ASP.NET 1.1 without reviewing the existing code.
When it worked, we compared the two and found the mistake. When we found
the sample code used to originally write the AD authentication a couple of
years ago, it included the "DC=" before the user name. Since it has always
functioned properly, we never looked there. We kind of feel stupid now :)
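As an added illustration (not code from either poster), here is a hardened form of the function from the first post that applies the fix from the last post: the bind name is validated as plain "domain\username" so a "DC=" prefix is rejected up front, and the sAMAccountName filter value is escaped instead of concatenated raw from the login form. It assumes .NET 2.0 or later (Using, IsNot, DirectoryServicesCOMException) and takes the LDAP path as an argument named ldapPath.

```vb
Imports System.DirectoryServices
Imports System.Text

Public Class AdAuthenticator
    ' Escape the characters that RFC 4515 reserves inside an LDAP filter value.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Build the "domain\username" bind name and reject DN syntax such as "DC=biz",
    ' which this thread shows IIS 5.1 tolerated and IIS 6 rejected.
    Public Shared Function BindName(ByVal domain As String, ByVal username As String) As String
        If domain.IndexOf("="c) >= 0 OrElse username.IndexOfAny("\/@=".ToCharArray()) >= 0 Then
            Throw New ArgumentException("domain must be a NetBIOS name and username a plain sAMAccountName")
        End If
        Return domain & "\" & username
    End Function

    ' ldapPath is assumed, e.g. "LDAP://biz.xxx.yyy.com/DC=biz,DC=xxx,DC=yyy,DC=com".
    Public Shared Function IsAuthenticated(ByVal ldapPath As String, ByVal domain As String, _
                                           ByVal username As String, ByVal pwd As String) As Boolean
        Try
            Using entry As New DirectoryEntry(ldapPath, BindName(domain, username), pwd, AuthenticationTypes.Secure)
                ' Touching NativeObject forces the bind with the supplied credentials.
                Dim obj As Object = entry.NativeObject
                Using search As New DirectorySearcher(entry)
                    search.Filter = "(sAMAccountName=" & EscapeFilterValue(username) & ")"
                    search.PropertiesToLoad.Add("cn")
                    Return search.FindOne() IsNot Nothing
                End Using
            End Using
        Catch ex As DirectoryServicesCOMException
            ' Bad user name or password: report failure without echoing the stack trace to the page.
            Return False
        End Try
    End Function
End Class
```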
 
