LDAP query fails from ASP.NET


maria.s

Hi,

I've got a problem with an LDAP query submitted from my ASP.NET application.
Configuration: Windows 2003 Server Standard Ed., the application uses
Windows Integrated Authentication and is configured with <identity
impersonate="true" />

I try to submit the following query:

Dim IdentityName as String = Context.User.Identity.Name
Dim sRoot As String = "LDAP://" + rootDomain

Dim de As New DirectoryServices.DirectoryEntry(sRoot)
de.AuthenticationType = DirectoryServices.AuthenticationTypes.Secure _
    Or DirectoryServices.AuthenticationTypes.Delegation

Dim filter As String = _
    String.Format("(&((objectClass=user)(sAMAccountName={0})))", _
    IdentityName.Split("\"c)(1))
Dim ds As New DirectoryServices.DirectorySearcher(de, filter)

Dim sr As DirectoryServices.SearchResult = ds.FindOne
Dim desr As DirectoryServices.DirectoryEntry = sr.GetDirectoryEntry

This query fails at the last line (sr = Nothing)

If I change the configuration to use Basic authentication, the query succeeds.

If I put a userName and password to the identity tag the query also
succeeds. (but other parts of the program will not work with this
configuration).

I would appreciate any help in this
 

Paul Clement

¤ Hi,
¤
¤ I've got a problem with an LDAP query submitted from my ASP.NET application.
¤ Configuration: Windows 2003 Server Standard Ed., the application uses
¤ Windows Integrated Authentication and is configured with <identity
¤ impersonate=”true” />
¤
¤ I try to submit the following query:
¤
¤ Dim IdentityName as String = Context.User.Identity.Name
¤ Dim sRoot As String = "LDAP://" + rootDomain
¤
¤ Dim de As New DirectoryServices.DirectoryEntry(sRoot)
¤ de.AuthenticationType = DirectoryServices.AuthenticationTypes.Secure _
¤     Or DirectoryServices.AuthenticationTypes.Delegation
¤
¤ Dim filter As String = _
¤     String.Format("(&((objectClass=user)(sAMAccountName={0})))", _
¤     IdentityName.Split("\"c)(1))
¤ Dim ds As New DirectoryServices.DirectorySearcher(de, filter)
¤
¤ Dim sr As DirectoryServices.SearchResult = ds.FindOne
¤ Dim desr As DirectoryServices.DirectoryEntry = sr.GetDirectoryEntry
¤
¤ This query fails at the last line (sr = Nothing)
¤
¤ If I change the configuration to use Basic authentication, the query succeeds.
¤
¤ If I put a userName and password to the identity tag the query also
¤ succeeds. (but other parts of the program will not work with this
¤ configuration).
¤
¤ I would appreciate any help in this
¤
¤

Sounds like there might be an issue with the delegation of credentials, however you don't mention
the error that is being generated (access denied?) so I can only make a wild guess.

I don't see the line of code you mentioned in the sample you posted. You may want to add some error
handling (Try...Catch) to your code.


Paul
~~~~
Microsoft MVP (Visual Basic)
 

maria.s

The exception is "object reference not set to an instance of an object" (I
think that means FindOne returns no result)

 

Joe Kaplan (MVP - ADSI)

Yes, this is a delegation issue. If you want to use the security context of
the authenticated user to access AD, you must impersonate the user and have
Kerberos delegation enabled in order to make the additional machine hop.

If you don't need to use the credentials of the current user, then the other
approaches you tried are all viable.

Joe K.
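
The lookup discussed in this thread, as an added example that is not part of any post: it handles the empty FindOne result and bind errors, and reports which token the LDAP bind ran under so a delegation problem is visible instead of surfacing as a null reference. It assumes .NET 2.0 or later (WindowsIdentity.ImpersonationLevel and Using), uses the conventional filter form, and the names DirectoryLookup, FindUser, DescribeCaller and EscapeFilterValue are hypothetical.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text

Public Module DirectoryLookup ' hypothetical helper, not code from the thread

    ' Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    Private Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each ch As Char In value
            Select Case ch
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(ch)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Describe the token the LDAP bind runs under (the impersonated user
    ' when <identity impersonate="true" /> is set).
    Private Function DescribeCaller() As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Return String.Format("identity={0}, auth={1}, level={2}", _
            id.Name, id.AuthenticationType, id.ImpersonationLevel)
    End Function

    Public Function FindUser(ByVal rootDomain As String, ByVal identityName As String) As DirectoryEntry
        ' Drop the DOMAIN\ prefix if present; a bare name is used as-is.
        Dim account As String = identityName.Substring(identityName.IndexOf("\"c) + 1)
        Dim filter As String = String.Format( _
            "(&(objectClass=user)(sAMAccountName={0}))", EscapeFilterValue(account))
        Try
            Using de As New DirectoryEntry("LDAP://" & rootDomain)
                de.AuthenticationType = AuthenticationTypes.Secure Or AuthenticationTypes.Delegation
                Using ds As New DirectorySearcher(de, filter)
                    Dim sr As SearchResult = ds.FindOne()
                    If sr Is Nothing Then ' the case that raised the null reference
                        Throw New InvalidOperationException( _
                            "No entry matched " & filter & " (" & DescribeCaller() & ")")
                    End If
                    Return sr.GetDirectoryEntry()
                End Using
            End Using
        Catch ex As System.Runtime.InteropServices.COMException
            Throw New InvalidOperationException( _
                "Directory bind/search failed (" & DescribeCaller() & ")", ex)
        End Try
    End Function
End Module
```

The level value in the message is the TokenImpersonationLevel of the current token; Delegation is the level a token needs in order to be forwarded to another machine.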
 
