Authenticate against several Active Directory Domains


Marc Eggenberger

Hi there.

I have the following environment:

Active Directory running on Windows 2000. There is a root domain called
ad.sys and within this root domain there are the following subdomains:

dom1.ad.sys
dom2.ad.sys
dom3.ad.sys

I need to restrict access to a certain part of an ASP.NET page to some
admin users and check their password against the Windows domain.

IIS Authentication doesn't seem to be an option; I can't seem to supply
several domains.

One possible way would probably be:
In the database have a list of names which have access to the admin
part. When the login name matches one of that list, make a connection to
the domain and check the password. The connection could be LDAP.

Is this procedure valid? Any other ideas?

If this is a valid way, how do I connect to other domains, if the
webpage runs in one or none of those domains? I tried

System.DirectoryServices.DirectoryEntry de = new DirectoryEntry("ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys", @"DOM1\ldapuser", "Idontknow");

But when I try to access de.Children I get an error saying

System.Runtime.InteropServices.COMException occurred in
system.directoryservices.dll

Additional Information: Unknown error (0x80050000)


When I use an LDAP client on my workstation, which is in neither of these
domains, I can connect and get the data.

Does anyone know what's going on or how I should do this?
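The procedure described in the question (allow-list lookup, then a credential check against the user's own domain) as an added C# example; it is not code from the original post. The domain-to-controller mapping and the allow-list contents are assumed placeholders, and the allow-list would come from the database in the poster's design. Two details matter for the check to be meaningful: the ADSI provider moniker is case-sensitive, so the path must start with "LDAP://" (lowercase "ldap://" is not a valid ADsPath), and an empty password must be rejected before binding, because an LDAP bind with an empty password can succeed as an anonymous bind and would otherwise look like a valid logon.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class MultiDomainAdminAuth
{
    // Assumed mapping from NetBIOS domain name to a domain controller host name.
    // In the poster's forest these would be controllers of dom1/dom2/dom3.ad.sys.
    private static readonly Dictionary<string, string> DomainControllers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "DOM1", "dc1.dom1.ad.sys" },
            { "DOM2", "dc1.dom2.ad.sys" },
            { "DOM3", "dc1.dom3.ad.sys" },
        };

    // Assumed allow-list of admin accounts (the "list of names in the database").
    private static readonly HashSet<string> AdminAllowList =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"DOM1\alice",
            @"DOM2\bob",
        };

    // Returns true only if the account is on the allow-list AND the supplied
    // password binds successfully against a controller of that account's domain.
    public static bool IsAdminCredentialValid(string domain, string user, string password)
    {
        // Reject empty input up front: an empty password must never reach the bind,
        // since an anonymous LDAP bind would otherwise be mistaken for a valid logon.
        if (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        string account = domain + "\\" + user;

        // Authorisation step: only listed admins may even attempt the check.
        if (!AdminAllowList.Contains(account))
            return false;

        // Pick the controller for the user's own domain; unknown domains are refused.
        string server;
        if (!DomainControllers.TryGetValue(domain, out server))
            return false;

        // ADSI provider prefix is case-sensitive: "LDAP://", never "ldap://".
        // Binding to RootDSE needs no knowledge of the OU structure.
        string path = "LDAP://" + server + "/RootDSE";

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, account, password, AuthenticationTypes.Secure))
            {
                // Accessing NativeObject forces the actual bind with the given credentials.
                object native = entry.NativeObject;
                return native != null;
            }
        }
        catch (COMException)
        {
            // Bad password, unknown user, unreachable controller, bad path: all fail closed.
            return false;
        }
    }
}
```

The account is passed to DirectoryEntry in "DOMAIN\user" form with AuthenticationTypes.Secure, so the bind goes through Windows authentication rather than a clear-text simple bind. The method deliberately returns false for every failure reason rather than distinguishing them, so an attacker probing the admin page learns nothing about which accounts exist.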
 

Ollie Riches

AD questions are best answered in the
microsoft.public.active.directory.interfaces newsgroup. I am sure the two
Joes will be able to give you a complete answer.


--
HTH

Ollie Riches
http://www.phoneanalyser.net

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a programmer
helping programmers.
 

Nicholas Paldino [.NET/C# MVP]

Marc,

I'm not an expert on AD, but I think that the reason your call to get
the DirectoryEntry fails is that, by default, the ASP.NET process runs
under the local user ASPNET, which doesn't have network permissions. You
can impersonate another user to run under for this operation. Check out the
documentation for the Impersonate method on the WindowsIdentity class to see
how to do this.

You can also impersonate a user for all the pages in a directory by
setting the <identity> tag in the web.config file for the directory, but
that would mean all pages run as that user, which might not be such a good
idea.

Hope this helps.
 

Willy Denoyette [MVP]

Marc Eggenberger said:
Hi there.

I have the following environment:

Active Directory running on Windows 2000. There is a root domain called
ad.sys and within this root domain there are the following subdomains:

dom1.ad.sys
dom2.ad.sys
dom3.ad.sys

I need to restrict access to a certain part of an ASP.NET page to some
admin users and check their password against the Windows domain.

IIS Authentication doesn't seem to be an option; I can't seem to supply
several domains.

One possible way would probably be:
In the database have a list of names which have access to the admin
part. When the login name matches one of that list, make a connection to
the domain and check the password. The connection could be LDAP.

Is this procedure valid? Any other ideas?

If this is a valid way, how do I connect to other domains, if the
webpage runs in one or none of those domains? I tried

System.DirectoryServices.DirectoryEntry de = new DirectoryEntry("ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys", @"DOM1\ldapuser", "Idontknow");

But when I try to access de.Children I get an error saying

System.Runtime.InteropServices.COMException occurred in
system.directoryservices.dll

Additional Information: Unknown error (0x80050000)


When I use an LDAP client on my workstation, which is in neither of these
domains, I can connect and get the data.

Does anyone know what's going on or how I should do this?


If this works from a console program:

System.DirectoryServices.DirectoryEntry de = new DirectoryEntry("ldap://servername/OU=Administrators,OU=Site,OU=Country,DC=dom1,DC=ad,DC=sys", @"DOM1\ldapuser", "Idontknow");

it should also work from ASP.NET, using the exact same bind string of
course.
Are you sure it fails when calling de.Children?

Willy.
 
