Authenticate against several Active Directory Domains

 
 
Marc Eggenberger
      17th Feb 2005
Hi there.

I have the following environment:

Active Directory running on Windows 2000. There is a root domain called
ad.sys and within this root domain there are the following subdomains:

dom1.ad.sys
dom2.ad.sys
dom3.ad.sys

I need to restrict access to a certain part of an ASP.NET page to some
admin users and check their password against the Windows domain.

IIS Authentication doesn't seem to be an option, I can't seem to supply
several domains.

One possible way would probably be:
In the database have a list of names which have access to the admin
part. When the login name matches one of that list, make a connection to
the domain and check the password. Connection could be LDAP.

Is this procedure valid? Any other ideas?

If this is a valid way, how do I connect to other domains if the
web page runs in one or none of those domains? I tried


System.DirectoryServices.DirectoryEntry de = new DirectoryEntry(
    "ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys",
    @"DOM1\ldapuser", "Idontknow");

But when I try to access de.Children I get an error saying

System.Runtime.InteropServices.COMException occurred in
system.directoryservices.dll

Additional Information: Unknown error (0x80050000)


When I use an LDAP client on my workstation, which is in neither of these
domains, I can connect and get the data.

Does anyone know what's going on or how I should do this?





--
mfg
Marc Eggenberger
 
 
 
 
 
Ollie Riches
      17th Feb 2005
AD questions are best answered in the
microsoft.public.active.directory.interfaces newsgroup. I am sure the two
Joe's will be able to give you a complete answer.


--
HTH

Ollie Riches
http://www.phoneanalyser.net

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a programmer
helping programmers.
 
Nicholas Paldino [.NET/C# MVP]
      17th Feb 2005
Marc,

I'm not an expert on AD, but I think that the reason your call to get
the DirectoryEntry fails is because by default, the ASP.NET process runs
under the local user ASPNET, which doesn't have network permissions. You
can impersonate another user to run under for this operation. Check out the
documentation for the Impersonate method on the WindowsIdentity class to see
how to do this.

You can also impersonate a user for all the pages in a directory by
setting the <identity> tag in the web.config file for the directory, but
that would mean all pages run as that user, which might not be such a good
idea.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (E-Mail Removed)
 
Willy Denoyette [MVP]
      17th Feb 2005

If this works from a console program:

> System.DirectoryServices.DirectoryEntry de = new DirectoryEntry(
>     "ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys",
>     @"DOM1\ldapuser", "Idontknow");
>


it should also work from asp.net, using the exact same bind string of
course.
Are you sure it fails when calling de.Children?

Willy.
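
An added example, not code posted by anyone in this thread: one way to implement the procedure Marc describes (allow-list lookup first, then a bind against the user's own domain with the supplied password). The class and method names, the DOM2/DOM3 NetBIOS names and the sample logins are assumptions, and the in-memory set stands in for the database table. The bind path uses the upper-case `LDAP://` prefix because ADSI provider names are case-sensitive.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class MultiDomainAuth
{
    // NetBIOS name -> DNS name of each child domain (names assumed from the thread).
    static readonly Dictionary<string, string> Domains =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "DOM1", "dom1.ad.sys" },
            { "DOM2", "dom2.ad.sys" },
            { "DOM3", "dom3.ad.sys" },
        };

    // Stand-in for the database list of admin logins (constructed sample data).
    static readonly HashSet<string> AdminAllowList =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"DOM1\alice", @"DOM3\bob" };

    public static bool IsAuthenticatedAdmin(string login, string password)
    {
        // Reject empty input: LDAP servers can treat a bind with an empty
        // password as anonymous and report success.
        if (string.IsNullOrEmpty(login) || string.IsNullOrEmpty(password)) return false;

        // Accept only DOMAIN\user where DOMAIN is one we know how to reach.
        string[] parts = login.Split('\\');
        if (parts.Length != 2 || !Domains.TryGetValue(parts[0], out string dnsName)) return false;

        // Authorization check first, so unknown names never trigger a bind attempt.
        if (!AdminAllowList.Contains(login)) return false;

        string path = "LDAP://" + dnsName;   // bind to a DC of the user's own domain
        try
        {
            // AuthenticationTypes.Secure negotiates Kerberos/NTLM instead of a clear-text bind.
            using (var entry = new DirectoryEntry(path, login, password, AuthenticationTypes.Secure))
            {
                object native = entry.NativeObject;   // the bind happens here, not in the constructor
                return native != null;
            }
        }
        catch (COMException)
        {
            // Bad credentials or an unreachable domain controller: fail closed.
            return false;
        }
    }
}
```

Because the user's own credentials are passed to the bind, no service account password has to live in the application, and the result does not depend on the identity the ASP.NET worker process runs under.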


 