Cannot authenticate user in AD LDS

  • Question

  • Not sure if this is the correct forum to use, but...

    I have been authenticating users against Active Directory successfully for a long time.  Now delving into AD LDS to support a website.  I am able to bind to an LDS DirectoryEntry for a user but cannot authenticate that user.  The following works fine and returns a DirectoryEntry:

    DirectoryEntry de = new DirectoryEntry("LDAP://192.168.x.x:50389/CN=x,CN=y,CN=Roles,CN=webapp1,DC=apps,DC=net");

    I am also able to complete a directory search based on the user CN that returns a valid object.  However, when I try to authenticate the user with the following I get the error "There is no such object on the server".

    DirectoryEntry objLDS = new DirectoryEntry(results[0].Path, domainAndUsername, pwd, AuthenticationTypes.Secure);

    The path is the correct path to the user object.  The password is good as well.  So I am thinking the issue is in the formatting of the user name.  In AD I use my.domain\\username.  In LDS I have tried using just the username, DCs plus the username, DCs and LDS instance plus the user name (and many other variations); nothing has worked.

        username

        apps.net\\username

        webapp1.apps.net\\username

    Can someone provide the correct format for LDS?  I have dug deep into MS documentation and been to oodles of sites but am stumped.

    Thanks much

    Full code block:

    using System;
    using System.DirectoryServices;

    // Returns true when the user can bind to its own AD LDS object, false otherwise.
    static bool AuthenticateLdsUser(string username, string pwd)
    {
        string domainAndUsername = "apps.net" + @"\" + username;
        DirectoryEntry de = new DirectoryEntry("LDAP://192.168.x.x:50389/CN=x,CN=y,CN=Roles,CN=webapp1,DC=apps,DC=net");

        DirectorySearcher deSearch = new DirectorySearcher();
        deSearch.SearchRoot = de;
        deSearch.Filter = "(&(objectClass=user)(cn=" + username + "))";
        SearchResultCollection results = deSearch.FindAll();
        if (results.Count > 0)
        {
            DirectoryEntry objLDS = new DirectoryEntry(results[0].Path, domainAndUsername, pwd, AuthenticationTypes.Secure);
            // Reading Guid forces the bind; this is where "There is no such object on the server" is raised.
            if (objLDS.Guid != Guid.Empty)
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        return false;   // no matching user object
    }

    Monday, September 10, 2012 12:37 AM

Answers

  • You mean "Just go to BING...." ;-)

    When authenticating to AD LDS, one must use the appropriate authentication type for the principal.  If you are attempting to authenticate to an AD LDS Instance using an AD LDS principal, then you must use the DN of the principal AND use a simple bind.  In System.DirectoryServices terms, an Authentication type of NONE.

    Assume that the user defined below, "CN=John Doe,dc=chickendance,dc=contoso,dc=com" is a valid enabled user object in an AD LDS instance and has been added to the Readers role.  If you want to bind to the AD LDS instances as John Doe, then the code would be similar to the following:

    string path = @"LDAP://maxv08r2sql.br549root.nttest.microsoft.com:389/dc=chickendance,dc=contoso,dc=com";
    string userid = @"cn=John Doe,dc=chickendance,dc=contoso,dc=com";
    string PassWd = @"Password1";
    DirectoryEntry de = new DirectoryEntry(path, userid, PassWd, AuthenticationTypes.None);
    Console.WriteLine(de.Properties["distinguishedname"][0]);


    Let's say that the AD LDS instance is running on a server that is a member of Contoso.Com, say the Administrator, and the administrator has been added to the Administrators role on the AD LDS instance; then you could use AuthenticationTypes.Secure because the AD LDS instance will pass the credentials on to Active Directory for validation.  The code would look similar to the following:

    string path = @"LDAP://maxv08r2sql.br549root.nttest.microsoft.com:389/dc=chickendance,dc=contoso,dc=com";
    string userid = @"Contoso\Administrator";
    string PassWd = @"Password1";
    // Windows principal: Secure bind, credentials are validated by Active Directory
    DirectoryEntry de = new DirectoryEntry(path, userid, PassWd, AuthenticationTypes.Secure);
    Console.WriteLine(de.Properties["distinguishedname"][0]);

    The general recommendation for using an AD LDS instance and binding with AD LDS principals is to make sure that you have a certificate server and then bind to the AD LDS instance using SSL.


    Trevor Hancock (Microsoft)
    Please remember to "Mark As Answer" the replies that help.

    Friday, September 14, 2012 7:28 PM
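    The two bind styles from the reply above, put together as an added example (this is not Trevor's code or Microsoft's): look the user's DN up with a service account, escape the search filter so the supplied name cannot alter it, then do a simple bind as that DN over LDAPS, following the SSL recommendation. The host, port and service-account DN are placeholders; the partition dc=chickendance,dc=contoso,dc=com is the one used in the reply.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the thread. Assumes an AD LDS instance listening on LDAPS
// at the placeholder host/port below, holding the partition from Trevor's reply.
static class LdsAuth
{
    // Placeholder path; replace host and port with your own LDAPS endpoint.
    public const string Partition = "LDAP://lds.example.test:636/dc=chickendance,dc=contoso,dc=com";

    // Escape a value for use inside an LDAP search filter (RFC 4515), so a name such as
    // "*" or "x)(objectClass=*" cannot widen the search.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Step 1: resolve the CN to a DN using a service account (an LDS principal that is a
    // member of the Readers role). serviceDn/servicePwd are assumptions for this example.
    public static string FindUserDn(string serviceDn, string servicePwd, string cn)
    {
        using (var root = new DirectoryEntry(Partition, serviceDn, servicePwd,
                                             AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(cn=" + EscapeFilter(cn) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult r = searcher.FindOne();
            return r == null ? null : (string)r.Properties["distinguishedName"][0];
        }
    }

    // Step 2: simple bind as the LDS principal's DN. Without the Secure flag ADSI performs a
    // simple bind (the same as AuthenticationTypes.None); SecureSocketsLayer wraps it in TLS
    // so the password is not sent in clear text.
    public static bool TrySimpleBind(string userDn, string password)
    {
        // An empty password turns a simple bind into an anonymous bind, which the server
        // may accept; never treat that as a successful authentication.
        if (string.IsNullOrEmpty(userDn) || string.IsNullOrEmpty(password)) return false;
        try
        {
            using (var de = new DirectoryEntry(Partition, userDn, password,
                                               AuthenticationTypes.SecureSocketsLayer))
            {
                object native = de.NativeObject;   // forces the bind to actually happen
                return native != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;   // bad password, disabled account, or no read right on the object
        }
    }

    // Windows principal (e.g. Contoso\Administrator): Secure bind, validated by AD DS.
    public static bool TryWindowsBind(string domainUser, string password)
    {
        if (string.IsNullOrEmpty(password)) return false;
        try
        {
            using (var de = new DirectoryEntry(Partition, domainUser, password,
                                               AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
            {
                object native = de.NativeObject;
                return native != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;
        }
    }
}
```

    Usage: `string dn = LdsAuth.FindUserDn(serviceDn, servicePwd, "John Doe"); bool ok = LdsAuth.TrySimpleBind(dn, enteredPassword);`. Accessing NativeObject inside the try block matters: the DirectoryEntry constructor does not contact the server, so without it a wrong password would never be noticed. The bind also fails, as the later replies in the thread note, when the LDS user is not in the Readers role, because it then cannot read its own object.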

All replies

  • See the forum page below

    http://stackoverflow.com/questions/290548/c-sharp-validate-a-username-and-password-against-active-directory

    I think the issue is with the credentials.


    jdweng

    Monday, September 10, 2012 1:07 AM
    Joel, thanks for the reply.  I agree, something with the creds just won't line up.  I have tried every variation described in the link you sent.  Perhaps you can answer this: in AD DS I believe the username is compared against the sAMAccountName.  This does not exist in the user schema in AD LDS.  What user schema attribute in AD LDS is the username compared to when authenticating?
    Tuesday, September 11, 2012 4:20 AM
  • Just go to google and perform a search for the following

    ad lds schema


    jdweng

    Tuesday, September 11, 2012 8:11 AM
  • (Trevor Hancock's reply, shown above under Answers.)

    Friday, September 14, 2012 7:28 PM
  • Thanks very much for this quite helpful information.  The key in your response was "...user...added to the Readers role".  I never would have guessed that after creating a user and setting a password, the user would not be able to bind to their own LDS record.  But if the user object is not in the Readers group, it fails because it has no READ rights.
    Friday, September 21, 2012 2:58 AM
  • I have a similar issue and can't use the proposed solution.  What I am finding out is that adding a user to the Readers role allows that account to not only view his/her entry but also allows that user to read all user entries in my entire directory.  How do I go about telling AD LDS to allow this user to read his/her entry only and disallow access to all other records in my directory?

    Jesse Santana - Assistant Director CSU Long Beach – Network Services 1250 Bellflower Blvd. Long Beach, CA 90840

    Thursday, November 8, 2012 7:28 PM
  • Believe me, I spent at least 2 nights on why my user can authenticate but can't get any additional data.  Looked at at least 100 pages for an answer and nobody explained it as precisely and correctly as you did.

    " and has been added to the Readers role. " changed everything! 

    Thank you Trevor!

    Tuesday, February 25, 2014 8:34 AM