
I have the following code to retrieve the current active directory users:

using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Web.Configuration;

// DomainContext is the caller's own DTO (DisplayName, UserPrincipalName, Name, SamAccountName).
public List<DomainContext> GetADUsers(string term = null)
{
    List<DomainContext> results = new List<DomainContext>();
    // Domain/server name comes from Web.config appSettings; no credentials are passed,
    // so the LDAP bind runs under the identity of the hosting process (the app pool).
    string ADServerName = WebConfigurationManager.AppSettings["ADServerName"];

    using (var context = new PrincipalContext(ContextType.Domain, ADServerName))
    using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
    using (var searchResults = searcher.FindAll())   // PrincipalSearchResult is IDisposable
    {
        foreach (Principal p in searchResults)
        {
            // SamAccountName can be null for some principals; guard before comparing,
            // and compare case-insensitively instead of upper-casing both strings.
            if (term == null ||
                (p.SamAccountName != null &&
                 p.SamAccountName.StartsWith(term, StringComparison.OrdinalIgnoreCase)))
            {
                DomainContext dc = new DomainContext();
                dc.DisplayName = p.DisplayName;
                dc.UserPrincipalName = p.UserPrincipalName;
                dc.Name = p.Name;
                dc.SamAccountName = p.SamAccountName;

                results.Add(dc);
            }
        }
    }

    return results;
}

My current situation is as follows:

  1. I am working on the development machine, where both the ASP.NET MVC web application and the Active Directory are on the same machine.

  2. I am not passing usernames and password to get the AD users.

So I have the following concerns when I move my ASP.NET MVC web application which contains the above code to my UAT server:

  1. On the UAT server the ASP.NET MVC web application and AD will be on two different machines.
  2. To access the AD from a certain machine I might need to send a username and password to the AD server.

So will my original code work if:

  1. The AD and the ASP.NET MVC web application are on different machines?
  2. The AD server requires passing a user name and password along with the request?

John John

1 Answer

There are two possibilities.

Either you pass the username/password to the PrincipalContext, or the identity of the application pool has enough privileges to query the AD and you don't have to provide a username/password then.

If the application server is in the AD, the latter is very convenient as there is no username/password in code and/or configuration files. If on the other hand the application server is not in AD, passing username/password in an explicit way is the only possibility for this to work.

Wiktor Zychla
  • Thanks for your reply; so which configuration should I have in this way? I mean, should I force a certain configuration on our system administration department? – John John Dec 06 '13 at 17:25
  • 1
    Yep, that's what we do. We give the possibility to provide username/passwords or leave them empty and describe both versions in the docs. The IT guys pick up the appropriate method depending on many conditions. – Wiktor Zychla Dec 06 '13 at 18:22
  • So if the UAT AD server can be accessed without username & password then I have no problem, since it will be the same case as in my development environment, and I only have to change the AD server name. While if the AD server requires a username/password, then I can still use the same approach but I need to provide the username/password to the IPrinciple?? Is this right? – John John Dec 07 '13 at 00:54
  • We are trying to read AD data for a user and change password... If the AD and IIS server is on same Domain then is username and password of AD admin required to be passed? I think username and password should be passed only if the IIS and AD are on different servers. Is this correct? – variable Aug 20 '14 at 06:54
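The two configurations the answer describes (app pool identity versus explicit credentials), as an added example that is not code from the question or the answer. It assumes appSettings keys "ADServerName", "ADUserName" and "ADPassword" in Web.config, with an empty ADUserName meaning "bind as the application pool identity".

```csharp
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;

// Added example; not the asker's or answerer's code. Assumed appSettings keys:
// "ADServerName", "ADUserName", "ADPassword" (empty ADUserName = app pool identity).
public static class AdContextFactory
{
    public static PrincipalContext Create()
    {
        string server = ConfigurationManager.AppSettings["ADServerName"];
        string user = ConfigurationManager.AppSettings["ADUserName"];
        string password = ConfigurationManager.AppSettings["ADPassword"];

        // Negotiate selects Kerberos/NTLM; Sealing + Signing encrypt and integrity-protect
        // the LDAP channel so neither the bind nor the returned data travel in clear text.
        var options = ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

        if (string.IsNullOrEmpty(user))
        {
            // Case 1: the web server is domain-joined. The app pool identity (ideally a
            // dedicated, read-only domain service account) binds; no secret is stored anywhere.
            return new PrincipalContext(ContextType.Domain, server, null, options);
        }

        // Case 2: explicit credentials, needed when the web server is not in the domain.
        // Use a least-privilege, read-only service account and protect the secret, e.g. by
        // encrypting the appSettings section with aspnet_regiis -pe instead of plain text.
        return new PrincipalContext(ContextType.Domain, server, null, options, user, password);
    }

    // The same lookup works unchanged in both cases; only the context construction differs.
    public static string LookupDisplayName(string samAccountName)
    {
        using (PrincipalContext ctx = Create())
        using (UserPrincipal u = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            return u == null ? null : u.DisplayName;
        }
    }
}
```

Which branch is taken is decided purely by configuration, which is what lets the IT department choose the integrated or the explicit-credential setup per environment without a code change.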