Not sure why you want to use the AD as an authentication service?
I know this:
http://msdn.microsoft.com/library/d...ve_directory_authentication_from_asp__net.asp
gives you a sample how to use the AD as an authentication service, but it
isn't one; it's a Directory Service.
And the sample is a recipe for failure, for the following reasons:
1. The sample is using a server-less bind against the root of the directory
service.
String adPath = "LDAP://DC=..,DC=.."; //Path to your LDAP directory server
- Server-less binding only works if the asp.net application runs as a domain
identity (and impersonation disabled), it fails when run with a local
identity (SYSTEM, ASPNET you name it) because ADSI tries to connect to the
LDAP server on the local system (and I suppose you don't have IIS on the
same machine as the DC).
2. Suppose you could successfully connect. What if your otherwise valid
credentials (the credentials you want to authenticate) don't have access to
the AD root?
Something you should consider when you care about security. Bummer! The
authentication fails because of an authorization issue, not an authentication
failure.
Now let's suppose the above is not an issue, a successful bind will transfer the
directory schema from the LDAP server to the ADSI client (here your asp.net
application) to be cached, and you are ready to search the DS, just like
it's done in the sample (see DirectorySearcher).
Here there are two issues:
- transferring the schema takes time and depends on the LDAP server load and
network connectivity.
- searching for the account shouldn't be done, as you are already authenticated
as a domain user when binding, so you know already that the credentials are
valid.
Note that there are other reasons for failure, but I hope you get the
picture.
Willy.
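Added example (editor's addition, not code from Willy's post or from the MSDN sample): the bind-only credential check the post argues for, written against an explicit server rather than the server-less root-of-domain bind. The DC name dc01.example.com and the class/method names are assumptions for illustration; binding to RootDSE is used because any authenticated user can read it, which sidesteps the "no access to the AD root" authorization problem described above.

```csharp
// Added example, not from the original post or the MSDN sample.
// Validates a user's credentials by binding to AD with an explicit server
// name. The bind itself is the authentication, so no DirectorySearcher is
// needed afterwards.
//
// Assumptions (hypothetical values): the DC is dc01.example.com; the user
// name is passed domain-qualified ("EXAMPLE\\jdoe" or "jdoe@example.com").
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdCredentialCheck
{
    // An explicit server name means ADSI no longer tries the local machine,
    // so this works whether the worker process runs as a domain identity or
    // as a local one (SYSTEM, ASPNET, ...), with or without impersonation.
    // RootDSE is readable by any authenticated user, so a valid account that
    // has no rights on DC=example,DC=com still binds successfully.
    const string RootDsePath = "LDAP://dc01.example.com/RootDSE";

    // Returns true only when the bind (and therefore the authentication)
    // succeeds with the supplied credentials.
    public static bool ValidateCredentials(string userName, string password)
    {
        // Never let an empty password reach the bind: LDAP treats a bind with
        // an empty password as an unauthenticated bind, which "succeeds".
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Secure = Negotiate (Kerberos/NTLM) rather than a clear-text simple
        // bind; Sealing encrypts the connection as well.
        using (DirectoryEntry entry = new DirectoryEntry(
            RootDsePath, userName, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            try
            {
                // DirectoryEntry binds lazily; touching NativeObject forces
                // the bind to happen now, with the credentials given above.
                object native = entry.NativeObject;
                return native != null;
            }
            catch (DirectoryServicesCOMException)
            {
                // Typically ERROR_LOGON_FAILURE (0x8007052E): bad user name
                // or password. Do not echo the details back to the client.
                return false;
            }
            catch (COMException)
            {
                // Server unreachable, name resolution failure, etc. This is
                // an availability problem, not a credential problem; the
                // caller may want to log it separately.
                return false;
            }
        }
    }
}
```

Usage: call AdCredentialCheck.ValidateCredentials(userName, password) from the login page and issue the forms-authentication ticket only on true. On .NET 3.5 and later, System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials wraps the same bind-as-authentication idea; the hand-rolled version above shows what it does underneath and why the explicit server name matters.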