
My issue here is how to deal with security and a proper implementation of impersonation that will work from a client machine and authenticate properly to my IIS server, which passes the still-valid impersonation ticket along with the LDAP request.

My system is an independent server running on my company intranet, which hosts the domain controller, LDAP server, etc., and uses the Kerberos protocol.

  • System Info: IIS7 with Windows Auth and Impersonate on Windows 7 x64
  • Network Info: IIS 6, LDAP, Kerberos

Here is my VB.NET method.

Imports System.DirectoryServices
Imports System.Web.Hosting

Protected FirstName, LastName, EMail As String

' Escapes the characters RFC 4515 reserves in LDAP filter values, so a
' user-supplied name cannot change the shape of the search filter
' (LDAP filter injection). Backslash must be escaped first.
Private Shared Function EscapeLdapFilterValue(ByVal value As String) As String
    Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
End Function

Protected Sub Lookup(ByVal UserName As String)
    ' Strip a DOMAIN\ or DOMAIN/ prefix, leaving the bare sAMAccountName.
    UserName = Trim(UserName)
    UserName = Replace(UserName, "\", "/")
    UserName = Right(UserName, Len(UserName) - InStr(1, UserName, "/"))

    ' Run the query as the impersonated caller; the Windows identity (and the
    ' Kerberos ticket that goes with it) is reverted when the Using block ends.
    Using HostingEnvironment.Impersonate() 'ADDED
        Using directoryEntry As New DirectoryEntry("LDAP://dl/DC=dl,DC=net")
            'directoryEntry.AuthenticationType = AuthenticationTypes.Delegation 'REMOVED

            Using ds As New DirectorySearcher(directoryEntry)
                Dim r As SearchResult
                Try
                    ds.PropertiesToLoad.Add("givenName")         'First Name
                    ds.PropertiesToLoad.Add("sn")                'Last Name
                    ds.PropertiesToLoad.Add("mail")              'Email
                    ds.PropertiesToLoad.Add("userPrincipalName") 'Fallback when mail is absent; must be requested or it is never returned

                    ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilterValue(UserName) & "))"
                    r = ds.FindOne() 'Query LDAP; find record with UserName.
                    If r Is Nothing Then Exit Sub 'No such account; leave the fields empty.

                    'Populates all the variables retrieved from LDAP.
                    FirstName = If(r.Properties.Contains("givenName"), Trim(r.Properties("givenName")(0).ToString()), "")
                    LastName = If(r.Properties.Contains("sn"), Trim(r.Properties("sn")(0).ToString()), "")
                    'Contains() returns a Boolean, never Nothing, so test it directly:
                    'fall back to the UPN only when the account has no mail attribute.
                    If Not r.Properties.Contains("mail") Then
                        EMail = If(r.Properties.Contains("userPrincipalName"), Trim(r.Properties("userPrincipalName")(0).ToString()), "")
                    Else
                        EMail = Trim(r.Properties("mail")(0).ToString())
                    End If
                    EMail = EMail.ToLower()
                Catch ex As Exception
                    'Error Logging to Database Here
                End Try
            End Using
        End Using
    End Using
End Sub

Please ask any questions necessary to get the information you need to help me. I've been researching this for weeks, and it seems that impersonation has such an insane number of variables that I could easily get lost. I just can't figure out how to implement this in my code... I'm still fairly new to .NET :(

Chiramisu
  • The answer lay in what Brian suggested. In fact my server was not authorized by the Domain Controller for Delegation. Once I got that changed by my IT department and added the `Using` statement as noted in my updated code, everything worked beautifully :) – Chiramisu Feb 16 '12 at 17:51

1 Answer


You shouldn't need to configure an AuthenticationType for this to work. You will, however, need to ensure that the service account (or computer account, if Network Service) hosting the code above is allowed to delegate to the LDAP service on all of the DCs in your environment.

Brian Desmond
  • Thank you so much!! I can't believe it was something like this, but I know almost nothing about AD and IT admin. Thank you SO MUCH for pointing me in the right direction after countless hours of frustration and research. ^.^ – Chiramisu Feb 16 '12 at 17:52
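The delegation requirement from the answer, as an added PowerShell example (not code from the question or the answer): it inspects the delegating account's current delegation flags, grants Kerberos-only constrained delegation to the LDAP service on every DC in the domain instead of the unconstrained "trust this computer for delegation to any service" setting, and then verifies the result. The web server name WEB01, the choice of the computer account as the delegating principal (app pool running as Network Service) and the test user jdoe are assumptions; the domain dl.net is taken from the question's LDAP path. If the app pool runs as a domain service account, that account is the principal to configure instead, and it needs an explicit HTTP/ SPN for the site's host name so browsers obtain a Kerberos ticket rather than falling back to NTLM, which cannot be delegated.

```powershell
# Added example, not part of the original question or answer.
# Assumptions: web server computer account WEB01$ in dl.net, app pool as Network Service,
# test user jdoe. Run from an account with rights to edit the computer object.
Import-Module ActiveDirectory

$domain   = 'dl.net'    # from the LDAP path in the question
$webHost  = 'WEB01'     # assumed name of the IIS server
$testUser = 'jdoe'      # assumed account to impersonate in a test

# 1. Current state. TrustedForDelegation = $true is *unconstrained* delegation:
#    the DC hands the server a forwardable TGT for every user who authenticates,
#    so a compromised web server can impersonate them to any service. Avoid it.
$principal = Get-ADComputer -Identity $webHost `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$principal | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 2. LDAP SPNs for all DCs in the domain (the answer: "all of the DCs in your environment").
$ldapSpns = Get-ADDomainController -Filter * -Server $domain |
    ForEach-Object { "ldap/$($_.HostName)"; "ldap/$($_.HostName)/$domain" }

# 3. Kerberos-only constrained delegation: list the target services in
#    msDS-AllowedToDelegateTo and keep the unconstrained and protocol-transition
#    (TrustedToAuthForDelegation, "use any authentication protocol") flags off.
Set-ADComputer -Identity $webHost -Add @{ 'msDS-AllowedToDelegateTo' = $ldapSpns }
Set-ADComputer -Identity $webHost -TrustedForDelegation $false
$principal | Set-ADAccountControl -TrustedToAuthForDelegation $false

# 4. Verify the account, and that the server's own SPNs exist (HOST/ covers HTTP
#    for a Network Service app pool; a custom service account needs HTTP/<site host>).
Get-ADComputer -Identity $webHost -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'
setspn -L $webHost

# 5. A user flagged "Account is sensitive and cannot be delegated" can never be
#    delegated, whatever the server is allowed to do; check the test account.
Get-ADUser -Identity $testUser -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated
```

Kerberos tickets are cached, so after changing delegation settings restart the app pool (or reboot the web server) and have the test user log off and on again before retrying the page; otherwise the old, non-forwardable tickets are reused and the LDAP bind still fails with the same error.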