Hello.

I've got the following problem:

There is a web application (ASP.NET), that needs to
authenticate users against local machine and Active Directory.
By default, the application works as ASPNET account (Win2000, XP).
When working on ASPNET account the apllication is able to do the following:


string path = "WinNT://" + Environment.MachineName + ",computer";
DirectoryEntry entry = new DirectoryEntry(path, username, pwd);
try
{
//force authentication
Object o = entry.NativeGuid;

//authentication succeeded

}
catch(...)
{
//authentication failed
}

Wnen run as ASPNET account, the code is able to work correctly.
However, when run as SYSTEM account, exception is thrown


I need to switch to system account, because I also need to authenticate
users in Acitive Directory, and ASPNET this time cannnot connect to AD,
whereas SYSTEM account can.

So, currently I can authenticate users either in local system (when run as
ASPNET) or in AD (when run as SYSTEM), bot not concurrently (i.e.
I can not do this without restarting the process)

SYSTEM ASPNET
LOCAL USERS - +
DOMAIN USES + -


Questions:
1. Is there any way to grant local ASPNET account ability to connect to AD ?
2. Is there any way to allow SYSTEM account to authenticate users against
local machine. (The inability seems ridiculous...)
(Note: I cannot temporarily use impersonation [SYSTEM is granted right to
impersonate someone elese] to check credentials, since the application is
a muliti user system and the fraction of time the app would work as somebody
else (not system but e.g John.Smith ) would leed to errors. Ok, I might
lock entire application functionality when somebody performs logon
but this would be hugely ineffective and would require to redesign
plenty of code. (The application is pretty complex))


Thanks for help
Michał

A couple of things:

ASPNET can definitely talking to Active Directory. However, you may need to
supply a domain controller name in your LDAP path as well as valid domain
credentials depending on what you are binding to. If you just want to test
user names and passwords via a DirectoryEntry bind, this will work fine.
Make sure you use the LDAP provider though.

For authenticating against local machine accounts, the WinNT provider is not
well suited for this as it has all sorts of problems binding with different
credentials in the same process. It would probably be better to call the
LogonUser API to test the user's credentials (although you'll need high
privileges to call this API in Win2K). LogonUser can also validate domain
credentials.

Instead of doing this authentication in code, is it possible for you to
leverage IIS security to do this work for you?

Joe K.


"Michal Januszczyk" <MichaJanuszczyk (AT) discussions (DOT) microsoft.com> wrote in
message news:C10D63AA-6F9B-471A-AB7B-65B2EDF8EB55 (AT) microsoft (DOT) com...

"Joe Kaplan (MVP - ADSI)" wrote:
currently i'm using the following code to talk to DC:

string path = @"LDAP://CN=Users,DC=mydomain,DC=com";
DirectoryEntry entry = new DirectoryEntry(path, domainAndUsername, pwd);
DirectorySearcher search =null;
try
{
// Bind to the native AdsObject to force authentication.
Object obj = entry.NativeObject;
...
}

What can I change here to make ASPNET account to connect (and talk) to AD ?


I cannot use LogonUser function since this would make the whole application working as another user for fraction of time. If the application would require to do something that the "curret account" cannot do, there would be an error. This is quite low probable, but may happen. I might use locking here, but i would have to enforce locking in many places in the application (the app stimultaneously serves many users)


I can not do that since I'm using forms authentication.
The application allows to use application-specific accounts
(if somebody does not want to use windows accounts), local machine
windows accounts (authentication code example has been provided),
and domain-wide accounts, if the machine is conected into domain.


Thank You
Michał

Inline:

"Michal Januszczyk" <MichaJanuszczyk (AT) discussions (DOT) microsoft.com> wrote in
message news:E3B5F91A-D5E6-43FB-B89A-4B24ECFFB738 (AT) microsoft (DOT) com...
Just add the domain controller dns name to your LDAP path:
LDAP://yourdc.domain.com/rootDSE (or whatever DN you wish to use)

Also, you should ALWAYS specify AuthenticationTypes.Secure when specifying
credentials to ensure that they are not sent in clear text on the network.
Additionally, you may wish to add AuthenticationTypes.ServerBind if you
specify a specific DC name as that will give you a small performance boost.

would require to do something that the "curret account" cannot do, there
would be an error. This is quite low probable, but may happen. I might use
locking here, but i would have to enforce locking in many places in the
application (the app stimultaneously serves many users)
Actually, you can use LogonUser here in the same way that you are
authenticating to AD with a DirectoryEntry object. LogonUser will succeed
if the user's credentials are accepted in a similar way to the
DirectoryEntry bind. Whether or not you impersonate the returned token is
up to you, but it can definitely be used as an authentication mechanism.

I don't understand your comment about having the code running as a different
user and having to use locking and such as you would be using LogonUser here
as a replacement for the S.DS code. What is the difference in your mind?

Understand this part. I figured you were using forms authentication, but I
thought I'd throw that out. I am often confused as to why people use Forms
authentication and make their lives so much harder when regular IIS
authentication might work fine. However, sometimes people have to use Forms
auth. for whatever reason.

HTH,

Joe K.