WindowsPrincipal is incorrect after AD account rename

[lgalusha]

Our environment is - we use Visual Studio 2005, Dotnet 2.0, VB to create a
web application which we run on IIS 6.

Our Web.config file has the following set:

<authentication mode="Windows" />
<identity impersonate="true"/>


We are using

MyPrincipal = New WindowsPrincipal(Current.User.Identity)

to obtain the name of the currently logged on user.

This is working until we are forced to rename a user's account in Active
Directory. For example, Mary Smith (domain\marys) gets married and becomes
Mary Jones (domain\maryj). We rename the account in Active Directory Users
and Computers and the rename appears to be fine. However from this point on
when we look at WindowsPrincipal(Current.User.Identity) it returns
domain\marys rather than her new name of domain\maryj.

What are we missing?

 

[Luke Zhang [MSFT]]

Hello,

What is the result if you check "Current.User.Identity.Name", is it
"domain\marys" or 'domain\maryj"? Will a IIS reset fix the problem? Also,
you may have the user clear her local IE cache and cookie to see if this
will help.

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[lgalusha]

I have included more of our code as I don't think I gave you enough
information in my first post. Also an IISRest and clearing the IE cache do
not resolve the problem.

First we call setUser to get the identity of the logged on user. Then we
call getUserInfo to find the AD account so that we can display information
about the user (display name, supervisor, etc.) on the screen in our web
app. When a user's name changes we get the wrong name in setUser so when we
call getUserInfo we do not get a match.

Is there a better way to do this or are we missed something when we do our
AD rename.

=====================================================

Public Sub setUser()

Try 'to get the current user's identity

Dim s As Integer '*** Holds the position of the slash in user
Dim l As Integer '*** Holds the length of the user characters

'*** Get the user's Window's information

MyPrincipal = New WindowsPrincipal(Current.User.Identity)
myUser = MyPrincipal.Identity.Name

'*** Parse out the domain and user
s = myUser.IndexOf("\")
l = myUser.Length
If l > 0 Then
userDomain = myUser.Substring(0, s)
userName = myUser.Substring(s + 1, l - (s + 1))
End If

Catch exp As Exception

myErrMsg = "Exception: " + exp.Message

End Try 'to get the current user's identity

End Sub 'setUser

=====================================================

Public Sub getUserInfo()

Dim x As Integer '*** Holds the position of the CN= in manager
Dim y As Integer '*** Holds the position of the , in manager
(first one)
Dim mgrsupr As String 'hold string for manager/supervisor

'*** Set the properties of the directory entry
myDEntry.Path = dePath
myDEntry.Username = deUsername
myDEntry.Password = dePassword
myDEntry.AuthenticationType = AuthenticationTypes.Secure

'*** Set the properties of the searcher
myFilter = "(&(anr=" & userName &
")(objectclass=user)(objectcategory=person))"
mySearch = New DirectorySearcher(myDEntry)
mySearch.Filter = myFilter
mySearch.SearchScope = SearchScope.Subtree

Try 'searching for the Active Directory Entry for the current
windows identity

src = mySearch.FindAll

For Each sr In src
'*** Get the search result's Active Directory Account name
'*** we have to initially check to make sure that
sAMAccountName is a valid
'*** property that was loaded

If sr.Properties.Contains("sAMAccountName") Then
If sr.Properties("sAMAccountName")(0) <> Nothing Then
myAN = CType(sr.Properties("sAMAccountName")(0),
String)
Else
myAN = "Unknown"
End If
Else
myAN = "Unknown"
myErrMsg = "Exception: Active Directory Account Not
Found"
Exit Sub
End If

'*** First check to see if this search result is the one we
want by
'*** matching the Active Directory Account Name to the
Domain User Name
If myAN.ToLower = userName.ToLower Then

'*** Get the user's Common Name
If sr.Properties.Contains("CN") Then
If sr.Properties("CN")(0) <> Nothing Then
FullEmployeeName = CType(sr.Properties("CN")(0),
String)
Else
FullEmployeeName = "Unknown"
End If
Else
FullEmployeeName = "Unknown"
End If

'*** Get the user's Display Name
If sr.Properties.Contains("displayName") Then
If sr.Properties("DisplayName")(0) <> Nothing Then
EmployeeShortName =
CType(sr.Properties("DisplayName")(0), String)
Else
EmployeeShortName = "Unknown"
End If
Else
EmployeeShortName = "Unknown"
End If

'*** Get the user's department
If sr.Properties.Contains("department") Then
If sr.Properties("department")(0) <> Nothing Then
DepartmentName =
CType(sr.Properties("department")(0), String)
Else
DepartmentName = "Unknown"
End If
Else
DepartmentName = "Unknown"
End If

'*** Get the user's phone extension
If sr.Properties.Contains("telephoneNumber") Then
If sr.Properties("telephoneNumber")(0) <> Nothing
Then
EmployeeExtension =
CType(sr.Properties("telephoneNumber")(0), String)
Else
EmployeeExtension = "???"
End If
Else
EmployeeExtension = "???"
End If

'*** Get the users employee number
If sr.Properties.Contains("otherTelephone") Then
If sr.Properties("otherTelephone")(0) <> Nothing
Then
EmployeeIDNumber =
CType(sr.Properties("otherTelephone")(0), String)
Else
EmployeeIDNumber = "????"
End If
Else
EmployeeIDNumber = "???"
End If

'*** Get the user's internet email address
If sr.Properties.Contains("mail") Then
'If sr.Properties("mail")(0) <> Nothing Then
'If InStr(1, CType(sr.Properties("mail")(0),
String), "@", CompareMethod.Text) > 0 Then
If CType(sr.Properties("mail")(0), String) Like
"*@*" Then
EmployeeEmailAddress =
CType(sr.Properties("mail")(0), String)
Else
EmployeeEmailAddress = "Unknown"
End If
Else
EmployeeEmailAddress = "Unknown"
End If

'*** Get the user's internet email address - alternate
If sr.Properties.Contains("ipphone") Then
'If sr.Properties("ipphone")(0) <> Nothing Then
'If InStr(1, CType(sr.Properties("ipphone")(0),
String), "@", CompareMethod.Text) > 0 Then
If CType(sr.Properties("ipphone")(0), String) Like
"*@*" Then
EmployeeAlternateEmailAddress =
CType(sr.Properties("ipphone")(0), String)
Else
EmployeeAlternateEmailAddress = "Unknown"
End If
Else
EmployeeAlternateEmailAddress = "Unknown"
End If

'*** Get the user's title
If sr.Properties.Contains("title") Then
If sr.Properties("title")(0) <> Nothing Then
EmployeeTitle = CType(sr.Properties("title")(0),
String)
Else
EmployeeTitle = "Unknown"
End If
Else
EmployeeTitle = "Unknown"
End If

'*** Get the user's manager
If sr.Properties.Contains("manager") Then
If sr.Properties("manager")(0) <> Nothing Then
mgrsupr = CType(sr.Properties("manager")(0),
String)

'*** Parse out the manager/supervisor name
x = mgrsupr.IndexOf("CN=")
y = mgrsupr.IndexOf(",")
If y > 0 Then
EmployeeSupervisorManager =
mgrsupr.Substring(x + 3, y - (x + 3))
getUserInfoforMgr(EmployeeSupervisorManager)
Else
EmployeeSupervisorManager = "Unknown"
EmployeeMgrEmailAddress = "Unknown"
EmployeeMgrAlternateEmailAddress = "Unknown"
End If
Else
EmployeeSupervisorManager = "Unknown"
EmployeeMgrEmailAddress = "Unknown"
EmployeeMgrAlternateEmailAddress = "Unknown"
End If
Else
EmployeeSupervisorManager = "Unknown"
EmployeeMgrEmailAddress = "Unknown"
EmployeeMgrAlternateEmailAddress = "Unknown"
End If

Exit Sub '*** Let's get out of here because we've got
our info

End If 'the Active Directory entry is the correct one

Next 'Next Active Directory entry

Catch exp As Exception

myErrMsg = "Exception:" & exp.Message
FullEmployeeName = "Not Found 3"
EmployeeShortName = "Not Found 3"
DepartmentName = "Not Found 3"
EmployeeExtension = "000"
EmployeeIDNumber = "0000"
EmployeeEmailAddress = "(e-mail address removed)"
EmployeeAlternateEmailAddress = "(e-mail address removed)"
EmployeeSupervisorManager = "Not Found 3"
EmployeeTitle = "Not Found 3"

End Try 'searching for the Active Directory Entry for the current
windows identity
End Sub 'getUserInfo

=====================================================

 

[Joe Kaplan]

What happens if the browser user logs out and logs back in again? Does that
fix it?

Also, if you are using .NET 2.0 instead of 1.1, there is a relatively
straightforward way you can code around this problem.

Basically, the steps would be to cast the Context.User.Identity to a
WindowsIdentity and get the user's SID. Then, once you have the SID, you
can do an LDAP query based on that instead of querying based on the
username. The SID is rename safe and only changes if the user is moved to a
different domain.

That is probably the cleanest solution to this problem.

It is also doable in .NET 1.1, but there isn't an easy way to get the user's
SID from the token without p/invoke, so it is more complex.

Joe K.

 

[lgalusha]

Thanks Joe, this is working for us.

What happens if the browser user logs out and logs back in again? Does
that fix it?

Also, if you are using .NET 2.0 instead of 1.1, there is a relatively
straightforward way you can code around this problem.

Basically, the steps would be to cast the Context.User.Identity to a
WindowsIdentity and get the user's SID. Then, once you have the SID, you
can do an LDAP query based on that instead of querying based on the
username. The SID is rename safe and only changes if the user is moved to
a different domain.

That is probably the cleanest solution to this problem.

It is also doable in .NET 1.1, but there isn't an easy way to get the
user's SID from the token without p/invoke, so it is more complex.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net