1

I have a domain and port number (636) as well as a username and password.

I am trying to figure out a way to connect to this AD via Secure LDAP and get a user's 'givenname', 'sn', 'mail', and probably a few custom attributes.

However, I have no idea how to do this in C#.

I think that Microsoft may have a method for this available already but I am going to defer to you all.

The final user experience will be: See login screen, enter username and password, those credentials are sent over LDAP and the user's info is returned to my web app, then I log them in if it all went well... though I don't know what a failed attempt would look like either so I can deny them. Any ideas?

Please include code samples so I can understand the implementation, thanks!

Brad
MetaGuru
    It's obvious that you did not even attempt to look for this on your own (I would know, I built a class library for this not even a month ago). Please ask for answers to specific questions, not entire solutions. – Brad Oct 22 '10 at 18:15
    The first link on google itself should give you all the information you need http://www.c-sharpcorner.com/uploadfile/ankithakur/login_using_active_directory04052006061801am/login_using_active_directory.aspx – Jagmag Oct 22 '10 at 18:16
  • @Shogun, did you find out anything new at the link @InSane posted? – Brad Oct 22 '10 at 18:26
  • @InSane this looks like it uses SQL I don't understand how that relates to LDAP, I'm really confused here... – MetaGuru Oct 22 '10 at 18:33
  • @Shogun - Do go through the `GetADSILogin()` method. In this method, the example is only using a DB table to get the parameters to log in to AD. You could very well hardcode those or use some other technique to store the values. The logic of how it is using `System.DirectoryServices` and `DirectoryEntry` etc. is what you need to check out. – Jagmag Oct 22 '10 at 18:37
  • Ok, thanks guys.. sorry for having a bad attitude. – MetaGuru Oct 22 '10 at 18:48
  • Hmm, how is my question any different from this one http://stackoverflow.com/questions/546438/authenticating-user-using-ldap-from-php besides a different language? That one didn't get downvoted... – MetaGuru Oct 22 '10 at 19:41
  • @Brad, sooo how much for your class library? – MetaGuru Oct 23 '10 at 04:08
  • @Shogun, drop me an email. brad.lee.williams@gmail.com – Brad Oct 28 '10 at 12:54
  • @Brad "You've got mail!" /robotvoice – MetaGuru Oct 28 '10 at 20:27

3 Answers

3

Did you even try google?

EDIT

Sorry for the hubbub and the snarky response. I think the problem you were having is you didn't quite ask the question right -- either here or on google. Anyhow, you don't need a lick of C# code here. You just need to configure your web app to use AD as a membership provider. You'll need a connection string [getting this right was the hardest part]:

<connectionStrings>
    <add name="MyAd"
         connectionString="LDAP://adserver/OU=Users"
         />
</connectionStrings>

And a membership provider:

<membership defaultProvider="AdProvider">
    <providers>
        <add
            name="AdProvider"
            type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="MyAd"
            applicationName="ItRemoteHelpdesk"
            enablePasswordReset="false"
            />
    </providers>
</membership>

Then users can log in with their normal username@domain and password.

Wyatt Barnett
  • @Shogun, seriously!! you just asked us to build a **solution** for you, not answer a *question*. If all you want is a question answered, then yes, it's possible. – Brad Oct 22 '10 at 18:14
  • @Brad, I did not, I simply asked for code samples and information on what C# Library to use... and the point of asking on SO is to help add to the site and get advice from the users, for example some pitfalls that people might have run into, real time advice... wow, just.. wow.. – MetaGuru Oct 22 '10 at 18:26
  • @Shogun, your question is just simply too broad. I wrote an entire Dll to custom-wrap .NET's AD authentication. Would that be suitable to post? Probably not. – Brad Oct 22 '10 at 18:29
  • Thanks Wyatt, do you know if it's possible to have this alongside normal login? Most accounts in the web app will log in directly to the web app using normal username/password lookup in our DB, but some special accounts will be flagged to log in via their AD. – MetaGuru Oct 22 '10 at 18:47
  • Never tried it, but you've got the same considerations here as you would with any other multi-membership provider application. – Wyatt Barnett Oct 22 '10 at 19:05
  • hmm ok, also the domain information will be stored in the database so that my solution could be used for multiple accounts to different domains, etc, thanks for the input – MetaGuru Oct 22 '10 at 19:07
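Following up on the multi-provider question in the comments, here is an added example (not Wyatt's code, and not part of the original answer) of how a login page picks between the application's own database membership provider and the AD provider per account. It assumes the database provider stays as `defaultProvider` in web.config and the `AdProvider` entry from the answer is added beside it; `IsAdAccount` is a hypothetical stand-in for the "flagged to log in via AD" column MetaGuru describes. Note that `ActiveDirectoryMembershipProvider` also has a `connectionProtection` attribute, which defaults to `Secure` (SSL, or signing and sealing), so leave it at the default when the requirement is Secure LDAP.

```csharp
// Added example: per-account choice between the default (database)
// membership provider and the AD provider named "AdProvider".
using System;
using System.Web.Security;

public static class LoginHelper
{
    // Hypothetical: your own lookup of the per-account flag stored in the
    // application database. Replace with the real query.
    public static Func<string, bool> IsAdAccount = username => false;

    // Returns true and issues the forms-auth cookie on success, false when
    // the credentials are rejected. Connectivity failures (e.g. the DC is
    // unreachable) surface from the AD provider as exceptions, not as false,
    // so let them reach your error handling and logging rather than
    // treating them as a plain failed login.
    public static bool TryLogin(string username, string password)
    {
        MembershipProvider provider = IsAdAccount(username)
            ? Membership.Providers["AdProvider"]   // the AD entry from web.config
            : Membership.Provider;                 // the defaultProvider (your DB)

        if (provider == null)
            throw new InvalidOperationException("Membership provider is not configured.");

        // ValidateUser is false for both an unknown user and a wrong password,
        // without saying which; that is the right behaviour for a login page.
        if (!provider.ValidateUser(username, password))
            return false;

        FormsAuthentication.SetAuthCookie(username, false);
        return true;
    }
}
```

The rest of the pipeline (lockout, session handling, roles) stays shared; only the `ValidateUser` call is routed to a different provider, which is what "the same considerations as any other multi-membership provider application" comes down to in practice.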
1

The System.DirectoryServices.AccountManagement is the .NET dll to use for the newer, non-LDAP AD authentication.

Try this website for a good starting point with code examples:

http://www.codeproject.com/KB/system/usingAccountManagement.aspx

Brad
  • it has to be Secure LDAP.. so I'm guessing 'non-LDAP' is not using Secure LDAP, right? – MetaGuru Oct 22 '10 at 18:36
  • @Shogun, you can use the `ContextOptions` enum when creating your `Context` (the link to the DC) to specify that you want SSL http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions.aspx – Brad Oct 22 '10 at 18:41
  • all's well that ends well. :) – Brad Oct 22 '10 at 18:49
  • @Brad, one more question about this link provided, is this actually using the Secure LDAP protocol? Our partner has only allowed for this protocol from a specific IP address on our side. – MetaGuru Oct 22 '10 at 19:18
  • @Shogun, I cannot help you there. It wasn't required in my implementation. – Brad Oct 22 '10 at 20:55
0

You should definitely check out the .NET 3.5 System.DirectoryServices.AccountManagement namespace as suggested by Brad.

To get a good head start on how to use it, read this MSDN Magazine article: Managing Directory Security Principals in the .NET Framework 3.5

The article does talk several times about how to securely (using SSL) connect to your AD domain, and how to e.g. create users or retrieve user information. I think reading that article closely and trying out the code samples should give you a good idea on how to do what you're looking for.

Update: quite obviously, all those methods in S.DS.AM require you to be authenticated against AD. The new classes also provide for pretty simple verification of user credentials (as shown in that article I linked to):

using System.DirectoryServices.AccountManagement;

// establish context (the default domain of the account running the code)
PrincipalContext domain = new PrincipalContext(ContextType.Domain);

// determine whether a user can validate to the directory
bool validated = domain.ValidateCredentials("user1", "Password1");
marc_s
  • I'm confused. I am trying to have AD users log in with their username and password to a client AD through my web app. This looks like I can just look up any user without a password... How then do I authenticate someone? And how am I gaining access, some admin password? More reading I must do... this seems so... overly complicated! – MetaGuru Oct 23 '10 at 02:15
  • @Shogun: of course, you can only ever look someone up if you're already authenticated. Read that article I'm linking to!! It also shows you how to easily validate credentials against AD, and how to login a given user. Only when **logged in** can he do all the other stuff, of course!! – marc_s Oct 23 '10 at 06:53
  • Oh... the client gave me a test user but no admin account or anything like that, I guess I need to go back and ask for one? Or can I authenticate a normal user? Please clarify, I am very confused here.. – MetaGuru Oct 25 '10 at 12:57
  • @Shogun: that depends on the Active Directory configuration, but by default, any domain user can at least read from the AD (at least parts of it) – marc_s Oct 25 '10 at 13:12
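Putting Brad's `ContextOptions` pointer and marc_s's `ValidateCredentials` snippet together, here is an added example (not code from either answer or from the linked articles) that does what the question asks end to end: open a `PrincipalContext` over SSL on port 636, validate the user's own username and password, and then read `givenName`, `sn`, `mail` and one custom attribute for that user. The server name, the `extensionAttribute1` attribute and the `AdUserInfo` type are placeholders and assumptions of the example; the partner's real DC name and schema go there. Binding with the user's own credentials also answers the "do I need an admin account" exchange above: the lookup runs as the user who just logged in, and by default a domain user can read its own entry.

```csharp
// Added example: Secure LDAP (SSL on 636) login plus attribute lookup with
// System.DirectoryServices.AccountManagement. Reference the
// System.DirectoryServices and System.DirectoryServices.AccountManagement assemblies.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Plain result type for the web app (placeholder, not part of any library).
public sealed class AdUserInfo
{
    public string GivenName;
    public string Surname;
    public string Mail;
    public string Custom;
}

public static class SecureLdapLogin
{
    // Placeholder: the partner's domain controller, with the LDAPS port.
    private const string Server = "dc.partner.example:636";

    // Placeholder for one of the "few custom attributes"; the real name
    // comes from the partner's AD schema.
    private const string CustomAttribute = "extensionAttribute1";

    // SSL protects the wire; Negotiate (Kerberos/NTLM) performs the bind.
    private const ContextOptions Options =
        ContextOptions.SecureSocketLayer | ContextOptions.Negotiate;

    // Returns null when the credentials are rejected, which is what a failed
    // attempt looks like: deny the login. Connectivity problems (DC down,
    // certificate not trusted) are thrown as PrincipalServerDownException /
    // PrincipalOperationException, so a bad password and an unreachable
    // server are distinguishable and can be logged differently.
    public static AdUserInfo Authenticate(string username, string password)
    {
        // Bind as the user being logged in: no service account needed just
        // to validate the password and read that user's own attributes.
        using (var ctx = new PrincipalContext(ContextType.Domain, Server, null, Options, username, password))
        {
            if (!ctx.ValidateCredentials(username, password, Options))
                return null;

            // Accepts sAMAccountName, UPN (user@domain) or DN as the identity.
            using (var user = UserPrincipal.FindByIdentity(ctx, username))
            {
                if (user == null)
                    return null;

                // givenName / sn / mail are exposed as properties; anything
                // else is read from the underlying DirectoryEntry.
                var entry = (DirectoryEntry)user.GetUnderlyingObject();
                PropertyValueCollection custom = entry.Properties[CustomAttribute];

                return new AdUserInfo
                {
                    GivenName = user.GivenName,
                    Surname = user.Surname,
                    Mail = user.EmailAddress,
                    Custom = custom.Count > 0 ? custom[0] as string : null
                };
            }
        }
    }
}
```

Two points for the "partner only allows Secure LDAP from our IP" situation: the web server must trust the CA that issued the DC's certificate or the SSL handshake fails (fix that on the server rather than weakening validation), and the whole exchange, including the password, stays inside the TLS session on 636, which is the property Secure LDAP is there to give you.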