Problem in Accessing Active Directory from ASP.net

[Maqsood Ahmed [MCAD .NET]]

Environment:
Windows XP, .NET/ASP .NET 2.0

I am developing an intranet application for my company. I want to use LDAP
to get the existing users of the company and allow them access according to
their roles. I have set identity impersonation = true and authentication mode
= "Windows" in the Web.config file of the application.

I get an COMException whenever I try to access LDAP objects using the
DirectoryEntry class. It only happens when I use it through IIS. it works
fine with ASP .NET Development Server. Please note that I am using Serverless
binding.
The exception message is like the following:
System.Runtime.InteropServices.COMException (0x8007054B): The specified
domain either does not exist or could not be contacted.

DirectoryEntry de = new DirectoryEntry();
string domainName = de.Name; //This line generates exception

I have also tried to assign a domain account as the Anonymous account for
the Virtual Direcotry, but it didn't help either.
Can anyone of you please let me know that what should I do to get it
working. Should I always provide the domain name, username and password to
access the LDAP objects, can't it be used via anonymous access?

 

[Joe Kaplan \(MVP - ADSI\)]

We cover this type of stuff in great detail in our book, but here are a few
pointers.

First, you may not need to use LDAP at all to get the user's groups. If you
are using Windows auth in IIS (IWA, Basic or Digest), then ASP.NET already
"knows" the users group via the WindowsIdentity and WindowsPrincipal objects
in Context.User. Just call IsInRole to access the Groups property.

If you really do need to access AD using the authenticated user's
credentials and you are using IWA for authentication, then you'll need to
enable Kerberos delegation. You also may need to provide a domain hint in
your path as serverless binding may not work the way you want to. Simply
put the DNS domain name in your path:

LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of

LDAP://DC=yourdomain,DC=com

Getting Kerberos delegation working will likely be the more tricky part.

Joe K.

 

[Maqsood Ahmed]

Hello Joe,
Thanks for replying. Please note that I am facing difficultly in accessing
LDAP object only on Application startup (i.e. when I try to access it in
Application.Start event). It works fine if I access it via any aspx page.
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net

We cover this type of stuff in great detail in our book, but here are a few
pointers.

First, you may not need to use LDAP at all to get the user's groups. If you
are using Windows auth in IIS (IWA, Basic or Digest), then ASP.NET already
"knows" the users group via the WindowsIdentity and WindowsPrincipal objects
in Context.User. Just call IsInRole to access the Groups property.

If you really do need to access AD using the authenticated user's
credentials and you are using IWA for authentication, then you'll need to
enable Kerberos delegation. You also may need to provide a domain hint in
your path as serverless binding may not work the way you want to. Simply
put the DNS domain name in your path:

LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of

LDAP://DC=yourdomain,DC=com

Getting Kerberos delegation working will likely be the more tricky part.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Maqsood Ahmed [MCAD .NET]" <Maqsood Ahmed [MCAD
..NET]@discussions.microsoft.com> wrote in message

Environment:
Windows XP, .NET/ASP .NET 2.0

I am developing an intranet application for my company. I want to use LDAP
to get the existing users of the company and allow them access according
to
their roles. I have set identity impersonation = true and authentication
mode
= "Windows" in the Web.config file of the application.

I get an COMException whenever I try to access LDAP objects using the
DirectoryEntry class. It only happens when I use it through IIS. it works
fine with ASP .NET Development Server. Please note that I am using
Serverless
binding.
The exception message is like the following:
System.Runtime.InteropServices.COMException (0x8007054B): The specified
domain either does not exist or could not be contacted.

DirectoryEntry de = new DirectoryEntry();
string domainName = de.Name; //This line generates exception

I have also tried to assign a domain account as the Anonymous account for
the Virtual Direcotry, but it didn't help either.
Can anyone of you please let me know that what should I do to get it
working. Should I always provide the domain name, username and password to
access the LDAP objects, can't it be used via anonymous access?

 

[Joe Kaplan \(MVP - ADSI\)]

Perhaps the security context is different here then. What is the value of
System.Security.Principal.WindowsIdentity.GetCurrent().Name in each case?

Joe K.

 

[Maqsood Ahmed]

Hello,
Yes, that is what I wanted to say earlier. That the security context is
different for both.
It is using ASPNET local account in Application.Start event handler, while
it is using my Logged On Domain account context when I access LDAP using an
aspx page.

How can I access LDAP in Application.Start event handler?
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net

Perhaps the security context is different here then. What is the value of
System.Security.Principal.WindowsIdentity.GetCurrent().Name in each case?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Hello Joe,
Thanks for replying. Please note that I am facing difficultly in
accessing
LDAP object only on Application startup (i.e. when I try to access it in
Application.Start event). It works fine if I access it via any aspx page.
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net

 

[Joe Kaplan \(MVP - ADSI\)]

I'm guessing you are running under XP or Win2K then, right? In this case,
you either need to programmatically impersonate a service account or
(probably better), change the process account to a valid domain account that
can access AD. In XP and 2K, you do this by changing the processModel
configuration in machine.config.

If you were using IIS 6/Win2K3, you just change the app pool identity as
required.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Hello,
Yes, that is what I wanted to say earlier. That the security context is
different for both.
It is using ASPNET local account in Application.Start event handler, while
it is using my Logged On Domain account context when I access LDAP using
an
aspx page.

How can I access LDAP in Application.Start event handler?
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net

Perhaps the security context is different here then. What is the value
of
System.Security.Principal.WindowsIdentity.GetCurrent().Name in each case?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--

Hello Joe,
Thanks for replying. Please note that I am facing difficultly in
accessing
LDAP object only on Application startup (i.e. when I try to access it
in
Application.Start event). It works fine if I access it via any aspx
page.
--
Maqsood Ahmed
MCAD .NET [Windows/Web]
Senior Software Developer/Analyst
Kolachi Advanced Technologies
http://www.kolachi.net