Use IsInRole method with Domain and Username, but without password

Steve Kallal

I am a relative newbie to ASP .NET security. I have an administrative screen
to add users to a small database that manages privileges within a Web app.
The table contains the domain name and username. I want to be able to add a
user to the table and check to see if the Domain\Username combination is
valid in an Active Directory role.

However all of the .NET code samples I find require the domain, username and
password. I am looking for a way to verify a user is in an Active Directory
role without passing the password. For example, I can pass my Domain and
Username to a routine along with a password using the LogonUser API call and
then verify my membership in a role. But I want to be able to do this for
other users without knowing their passwords. My hunch is that this is not
possible. But I am hoping it is.

Otherwise, I will simply need to wait until the user logs onto the app and
the windows login fails.

Thanks in advance,

Steve Kallal
 
Joseph Bittman MCAD

June 8, 2005

You could use LDAP and System.DirectoryServices to query Active
Directory and find out yourself. Then you won't have to know the password,
but would require programming on your part. It also might require greater
privileges than you have right now, but you might want to look into it. I'm
not familiar with LDAP, so I hope that this will lead you in the right
direction.

--
Joseph Bittman
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes
 
Steve Kallal

Thanks Joseph. I was searching the newsgroups and came up with similar ideas.
Sorry you're not familiar with it, but at least I have some direction.

Steve Kallal
 
Joe Kaplan (MVP - ADSI)

The best way to do this is with the "protocol transition" constructor for
WindowsIdentity which just takes a userPrincipalName as an argument. It
will use Kerberos S4U to create a WindowsIdentity which can create a
WindowsPrincipal. This can be used for role checks.

The downside is that it requires Windows Server 2003 to run on AND Windows
Server 2003 native mode domain controllers. However, it does work. We use
it internally to do something very similar in a custom SharePoint
application and it is great.

As Joseph mentioned, unwinding groups via S.DS/LDAP is also a possibility,
but that sucks quite a bit more.

HTH,

Joe K.
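The S4U ("protocol transition") constructor Joe describes, in working C#. This is an added example, not code from Joe's post or from the thread; the class name, the sample UPN and the group name are assumed. The only thing the call needs from the target user is the userPrincipalName; the KDC is asked for a service ticket on the user's behalf (S4U2Self) and the resulting token carries the user's group SIDs, nested groups included, so WindowsPrincipal.IsInRole works on it. If the worker process account has no SeTcbPrivilege the token comes back at identification level, which is still enough for IsInRole but not for impersonating the user.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Added example (not from the thread): check a user's AD group membership
// without knowing the password, via the WindowsIdentity(string) S4U constructor.
// Requires the code to run on Windows Server 2003+ with a 2003 native-mode domain.
public static class S4uRoleCheck
{
    // upn:  the user's userPrincipalName, e.g. "jdoe@corp.example.com" (assumed value)
    // role: "DOMAIN\GroupName" (or "BUILTIN\Administrators" for local built-ins)
    public static bool IsUserInRole(string upn, string role)
    {
        try
        {
            // Protocol transition: the KDC issues a ticket for this UPN to us,
            // no credentials for the user are involved.
            WindowsIdentity identity = new WindowsIdentity(upn);
            WindowsPrincipal principal = new WindowsPrincipal(identity);

            // IsInRole walks the group SIDs in the token, so nested membership
            // is resolved by the domain controller, not by us.
            return principal.IsInRole(role);
        }
        catch (SecurityException ex)
        {
            // Raised when S4U is unavailable (pre-2003 server or domain
            // functional level) or the logon for that UPN is refused.
            throw new ApplicationException("S4U lookup failed for " + upn, ex);
        }
    }

    // Example call; in the admin screen this runs before the row is written
    // to the privileges table (names assumed for illustration).
    public static bool SampleCheck()
    {
        return IsUserInRole("jdoe@corp.example.com", @"CORP\WebAppUsers");
    }
}
```

Two practical notes: the UPN is the value of the user's userPrincipalName attribute (normally user@dnsdomain, not DOMAIN\user), and the check runs as the ASP.NET worker process identity, so that account must be a domain member (Network Service uses the machine account, which is fine) and able to reach a domain controller.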
 
Steve Kallal

Thanks Joe. I had looked at the WindowsIdentity constructor earlier today. I
could not find any real documentation on what string to pass. So I tried
several without any success. I do believe we are using Windows 2003 Server
here, but as to Native Mode, I will need to research.

Please elaborate on the userPrincipalName string if you can.

Thanks,

Steve Kallal
 
Joe Kaplan (MVP - ADSI)

User principal name (UPN) is the logon name format of (e-mail address removed). If
you don't know yours, you can look it up in AD Users and Computers or
another AD query tool.

Note also that you can only RUN this code on a 2003 server. The underlying
API variant is only supported there. Calling it from XP or lower won't
work, regardless of your AD environment.

Joe K.
 
Steve Kallal

Thanks again Joe for the prompt reply. Unfortunately the domain controllers
are Windows 2000. As for the client machine calling it, I use XP Pro as my
development desktop. The Web servers that will host the code are Windows
Server 2003. My DBA tells me we are a Windows 2000 network for now because
there are still some NT 4 servers lingering.

I guess this leaves me with Joseph's LDAP solution, of which he claims no
knowledge. If you know anything about the LDAP solution and the
System.DirectoryServices namespace, let me know. Otherwise I will repost this
question accordingly.

Thanks again,

Steve Kallal
 
Joseph Bittman MCAD

June 9, 2005

LOL No, I don't have any knowledge. (Now for the resume line.) But I am
eager to learn! LOL Okay, but seriously, if Joe knows of a
System.DirectoryServices book, let me know! I've been looking for one for
quite a while now and have yet to find one. I would prefer a Microsoft Press
but just need a book from any source. I'm actually in a beta where LDAP is
used for one of the features, but I need to find a book to learn LDAP. If
anybody has suggestions, I would greatly appreciate them! :) :)

 
Joe Kaplan (MVP - ADSI)

Start with Ryan's blog posting here:
http://dunnry.com/blog/archive/2005/03/09/211.aspx

It explains how to do group membership expansion for a user in AD via LDAP.
I think his sample may have a bug, but I'm sitting next to him at Tech Ed
and will ask him to fix it.

There are a few gotchas when doing LDAP programming in ASP.NET that you have
to watch out for. This article is a good start.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

If you get stuck, come back and start a new thread.

Joe K.
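The LDAP route that Joe points to (group membership expansion with System.DirectoryServices), as an added example that is not part of the thread or of the linked blog post. It works against Windows 2000 domain controllers, which is the situation Steve describes. The class name and the LDAP path are assumed. Rather than walking memberOf recursively, it reads the user's tokenGroups constructed attribute, which the domain controller computes with nested groups already flattened, and then resolves all of those SIDs to group names in a single OR filter. Because the username comes from an admin screen, it is escaped before being placed in the LDAP filter so that a typed value such as `*)(objectClass=*` cannot change the query.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;
using System.Text;

// Added example (not from the thread): expand a user's AD group membership over
// LDAP with System.DirectoryServices and check for one group by name.
// Assumes the worker process identity (or credentials given to DirectoryEntry)
// may read user objects and the tokenGroups attribute in the domain.
public static class AdGroupLookup
{
    // Escape a string for use inside an LDAP filter (RFC 4515 rules), so that
    // a username typed into the admin screen cannot alter the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // A binary SID goes into a filter as one \xx escape per byte.
    static string SidToFilterValue(byte[] sid)
    {
        StringBuilder sb = new StringBuilder(sid.Length * 3);
        foreach (byte b in sid) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Returns the sAMAccountName of every security group the user is in
    // (nested groups included), or null if the user does not exist.
    // domainLdapPath example (assumed): "LDAP://DC=corp,DC=example,DC=com"
    public static ArrayList GetGroups(string domainLdapPath, string samAccountName)
    {
        ArrayList groups = new ArrayList();
        using (DirectoryEntry root = new DirectoryEntry(domainLdapPath))
        {
            // 1. Locate the user object by logon name.
            DirectorySearcher userSearch = new DirectorySearcher(root);
            userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                + EscapeFilterValue(samAccountName) + "))";
            userSearch.PropertiesToLoad.Add("distinguishedName");
            SearchResult user = userSearch.FindOne();
            if (user == null) return null;

            // 2. tokenGroups is constructed on demand; RefreshCache asks the DC for it.
            using (DirectoryEntry userEntry = user.GetDirectoryEntry())
            {
                userEntry.RefreshCache(new string[] { "tokenGroups" });
                PropertyValueCollection sids = userEntry.Properties["tokenGroups"];
                if (sids.Count == 0) return groups;

                // 3. Resolve every SID to a group object in one round trip.
                StringBuilder filter = new StringBuilder("(|");
                foreach (byte[] sid in sids)
                    filter.Append("(objectSid=").Append(SidToFilterValue(sid)).Append(")");
                filter.Append(")");

                DirectorySearcher groupSearch = new DirectorySearcher(root);
                groupSearch.Filter = filter.ToString();
                groupSearch.PropertiesToLoad.Add("sAMAccountName");
                groupSearch.PageSize = 500; // paged results; avoids the 1000-entry limit
                using (SearchResultCollection results = groupSearch.FindAll())
                {
                    foreach (SearchResult g in results)
                        groups.Add((string)g.Properties["sAMAccountName"][0]);
                }
            }
        }
        return groups;
    }

    // The role check the admin screen needs: DOMAIN is encoded in domainLdapPath,
    // groupName is compared case-insensitively as AD does.
    public static bool IsInRole(string domainLdapPath, string samAccountName, string groupName)
    {
        ArrayList groups = GetGroups(domainLdapPath, samAccountName);
        if (groups == null) return false;
        foreach (string g in groups)
            if (string.Compare(g, groupName, true) == 0) return true;
        return false;
    }
}
```

SIDs from trusted foreign domains will not resolve against this domain's root and are simply left out of the list; if the privileges table can hold users from more than one domain, pick the LDAP path from the domain part of the stored Domain\Username. Disposing the SearchResultCollection matters in a long-running ASP.NET process: FindAll leaks handles if it is not disposed.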
 
Joe Kaplan (MVP - ADSI)

I'm hoping we have a good answer on a .NET LDAP book around the new year.
:)

In the meantime, there is an APress title that is ok, but not great.

Joe K.
 
