Accessing ActiveDirectory through LDAP with .NET

[Tim Mavers]

I am trying to determine the best way I can authenticate against an
ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to
authenticate across the Internet.

Right now I have code that authenticates (e.g. I pass username/password to
it) via NTLM but the problem is I am accessing this via a domain user
account that has access to the domain controller (e.g. it's the account that
IIS is running under).

Obviously this doesn't work over the Internet and the only temporary
solution is for my client to set up a VPN and have a trust relationship,
which is really not something they want to do.

I read somewhere (brief blurb) that I could access this information via
LDAP.

Essentially I am building sort of a single-sign on application where the
user enters their name/password in my app and it is authenticated against an
ActiveDirectory instance.

Any ideas on how I can do this in a secure manner over the Internet without
the need for a VPN?

Thanks,

 

[Paul Clement]

¤ I am trying to determine the best way I can authenticate against an
¤ ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to
¤ authenticate across the Internet.
¤
¤ Right now I have code that authenticates (e.g. I pass username/password to
¤ it) via NTLM but the problem is I am accessing this via a domain user
¤ account that has access to the domain controller (e.g. it's the account that
¤ IIS is running under).
¤
¤ Obviously this doesn't work over the Internet and the only temporary
¤ solution is for my client to set up a VPN and have a trust relationship,
¤ which is really not something they want to do.
¤
¤ I read somewhere (brief blurb) that I could access this information via
¤ LDAP.
¤
¤ Essentially I am building sort of a single-sign on application where the
¤ user enters their name/password in my app and it is authenticated against an
¤ ActiveDirectory instance.
¤
¤ Any ideas on how I can do this in a secure manner over the Internet without
¤ the need for a VPN?

It isn't clear to me what type of application this is but you may want to take a look at the
following:

HOW TO: Authenticate against the Active Directory by Using Forms Authentication and Visual Basic
..NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;326340


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Tim Mavers]

Thanks for the link. My application is an ASP.NET app (C#). Will this work
across the Internet (I didn't seen any mention of security/firewall
configurations, etc.). In other words, my app is runing at a data-center
and the AD is at some other company. What would need to happen to access
the AD (via LDAP) from my app at the datacenter? Our current approach (not
using LDAP) is to access it through the AD API which needs domain access
(something the company will not allow across the Internet--for obvious
reasons). Here's a quick example to help illustrate my problem:

1. User browses to my login page runing at the datacenter
2. User enters name and password in my app.
3. My app then has to (somehow) authenticate the name/pw with the company's
AD server running at some other datacenter on some part of the planet).

Thanks,

Tim

 

[Paul Clement]

¤ Thanks for the link. My application is an ASP.NET app (C#). Will this work
¤ across the Internet (I didn't seen any mention of security/firewall
¤ configurations, etc.). In other words, my app is runing at a data-center
¤ and the AD is at some other company. What would need to happen to access
¤ the AD (via LDAP) from my app at the datacenter? Our current approach (not
¤ using LDAP) is to access it through the AD API which needs domain access
¤ (something the company will not allow across the Internet--for obvious
¤ reasons). Here's a quick example to help illustrate my problem:
¤
¤ 1. User browses to my login page runing at the datacenter
¤ 2. User enters name and password in my app.
¤ 3. My app then has to (somehow) authenticate the name/pw with the company's
¤ AD server running at some other datacenter on some part of the planet).

Is your web server (that is hosting your application) a member of the domain that you need to
authenticate against?


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Tim Mavers]

Is your web server (that is hosting your application) a member of the
domain that you need to
authenticate against?

No, that is the problem. The application runs at a separate site but the
client wants their users to be able to log in with their local (domain)
name/password (i.e. not a separately managed name/password for my app). I
am trying to figure out a secure way of authenticating against the domain
across the Internet.

In regards to LDAP, how does it address these types of issues? How would
someone be able to authenticate against an LDAP server?

Is this even possible?

There are solutions where you set up a VPN and then have the company domain
trust the domain the site runs under but that is pretty much out of the
question as my client is not going to trust a foreign domain (from the
datacenter) where IIS is running under.

Thanks,

Tom

 

[Paul Clement]

¤ ¤ > Is your web server (that is hosting your application) a member of the
¤ > domain that you need to
¤ > authenticate against?
¤
¤ No, that is the problem. The application runs at a separate site but the
¤ client wants their users to be able to log in with their local (domain)
¤ name/password (i.e. not a separately managed name/password for my app). I
¤ am trying to figure out a secure way of authenticating against the domain
¤ across the Internet.
¤
¤ In regards to LDAP, how does it address these types of issues? How would
¤ someone be able to authenticate against an LDAP server?
¤
¤ Is this even possible?
¤
¤ There are solutions where you set up a VPN and then have the company domain
¤ trust the domain the site runs under but that is pretty much out of the
¤ question as my client is not going to trust a foreign domain (from the
¤ datacenter) where IIS is running under.
¤

Well I have to scratch my head a bit about this scenario. It's rather difficult
to authenticate against a domain that you don't have access to. ;-)

I wish I had a better answer for you but the bottom line is that you don't have
direct access to an authentication mechanism for the client site. If all that
you need to do is validate credentials via LDAP you could use a Web Service, but
it would need to be running on the client site.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Tim Mavers]

Well I have to scratch my head a bit about this scenario. It's rather
difficult
to authenticate against a domain that you don't have access to. ;-)

I guess a better to put it this is there a way I can authenticate against an
ActiveDirectory using LDAP via LDAP's credentials vs using Microsoft's
credentials.

For example, if I am running some LDAP server under Linux and I want to
authenticate against it, I would need to include some sort of credentials
(ones that have nothing to do with ActiveDirectory).

Since ActiveDirectory supports LDAP, can this be done under a Windows
environment? Since in other words, what would have to happen to allow me to
authenticate against ACtiveDirectory? I would have to open up all these
ports and then expose my domain publicly to the Internet (vs. just having an
LDAP interface exposed)?

Thanks,

 

[Paul Clement]

¤ ¤ > Well I have to scratch my head a bit about this scenario. It's rather
¤ > difficult
¤ > to authenticate against a domain that you don't have access to. ;-)
¤
¤ I guess a better to put it this is there a way I can authenticate against an
¤ ActiveDirectory using LDAP via LDAP's credentials vs using Microsoft's
¤ credentials.
¤
¤ For example, if I am running some LDAP server under Linux and I want to
¤ authenticate against it, I would need to include some sort of credentials
¤ (ones that have nothing to do with ActiveDirectory).
¤
¤ Since ActiveDirectory supports LDAP, can this be done under a Windows
¤ environment? Since in other words, what would have to happen to allow me to
¤ authenticate against ACtiveDirectory? I would have to open up all these
¤ ports and then expose my domain publicly to the Internet (vs. just having an
¤ LDAP interface exposed)?

You can authenticate with the Windows domain but I don't know how you would automatically
authenticate with the Linux server unless you have some kind of integrated authentication or trust
between the domains.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Paul Clement]

¤ ¤ > You can authenticate with the Windows domain but I don't know how you
¤ > would automatically
¤ > authenticate with the Linux server unless you have some kind of integrated
¤ > authentication or trust
¤ > between the domains.
¤
¤ Could I do this:
¤
¤ Make a .NET call (of some sort) across the Internet using an LDAP name and
¤ password (for an account that is valid on the NT domain)?
¤
¤ Basically all I want to do is pass a username and password through LDAP and
¤ have an ActiveDirectory validate it.
¤
¤ Another angle... Let's say I have some LDAP server that has a bunch of
¤ usernames and passwords. I should be able to enter a username/password and
¤ have the ldap server authenticate it correct? If this server happens to be
¤ an ActiveDirectory server, wouldn't the list of users it uses to look up (to
¤ authenticate) be the same as the ones in the AD?
¤
¤ I simply am trying to pass credentials across the Internet to be
¤ authenticated.

OK, eliminating any other potential issues or system configurations from the equation you may want
to see if the System.Net.WebRequest class will work for you. You should be able to use this class to
pass your credentials:

http://msdn.microsoft.com/library/d...f/html/frlrfSystemNetWebRequestClassTopic.asp


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Guest]

Tim,

How about this scenario:

1. At the client's network, add a web server (running IIS) and add the
appropriate dns entries to expose [http://example.timsclient.corp]. I'll
assume you know the rest of adding another IP to the box and creating a new
web site, assigning the IP to that site......

2. Create a web service that takes the user credentials as params and
authenticates against the AD.

3. Consume this web service in your app at the datacenter.

This should also allow future apps written in whatever to access the
centralized authentication web service.

In my last job, my employer dictated that we would use PKI...we used a
similar design to incorporate authentication in multiple apps written in Java
and ASP.Net....

Ryan