I feel I must be missing something simple - could someone PLEASE help
out?
===========================================================================
OK here's what I'm trying to do: our network runs Active Directory.
From a Windows client program (written in VB.NET), we want to access
Active Directory, and ask it something like, "Is the currently logged
on Windows user a valid domain user, and to what groups does he
belong?" I know I could do this using the DirectorySearcher object,
but that seems to require searching based on the username (which you
can get from Windows with GetCurrent). My concern is that it's too
easy to spoof a username, so it seems a weak way to access A-D. For
example, if Fred is a privileged user on the network, I could create a
local user "Fred" on my machine, and spoof Active Directory that way.
I know there would be a check on the Domain too, but it just seems
inherently insecure if I'm just doing a "get current user credentials"
and then passing those to Active Directory.
Is there a way to authenticate with A-D "implicitly", without
explicitly passing the user credentials? I'd like the exchange of
user info to happen directly between Windows and Active Directory - a
bit like the way Trusted Connections work in SQL Server, if you're
familiar with those. I'd like to do this in a .NET friendly way, but
if I have to resort to unmanaged code and ADSI that would be fine too.
Thanks for any help.
-Darren.
Imports System.DirectoryServices
Imports System.Security.Principal

' Bind to rootDSE with the process's own Windows credentials (no username/password passed)
Dim rootDSEEntry As New DirectoryEntry("LDAP://rootDSE", Nothing, Nothing, _
    AuthenticationTypes.Secure)
From the RootDSE object, you can read the defaultNamingContext property to
get the distinguished name of the container to search for users in.
Dim searchRootDN As String = _
    DirectCast(rootDSEEntry.Properties("defaultNamingContext").Value, String)
Dim searchRootEntry As New DirectoryEntry("LDAP://" & searchRootDN, Nothing, _
    Nothing, AuthenticationTypes.Secure)
To find the user, you need to do a search by the samAccountName of the user.
This can be calculated by getting the current WindowsIdentity.Name property
and lopping off the domain part:
'this is cheesy, but it works ok for parsing the string
Dim samAccountName As String = WindowsIdentity.GetCurrent().Name.Split("\"c)(1)
Now you can search the AD for the user by their samAccountName by
creating a DirectorySearcher object and then find their user object:
Dim searcher As New DirectorySearcher()
searcher.SearchRoot = searchRootEntry
searcher.Filter = String.Format( _
    "(&(objectCategory=person)(objectClass=user)(samAccountName={0}))", samAccountName)
searcher.SearchScope = SearchScope.Subtree
Dim result As SearchResult = searcher.FindOne()
' FindOne returns Nothing when no object matches the filter
If result Is Nothing Then Throw New ApplicationException("User not found in AD")
Dim userEntry As DirectoryEntry = result.GetDirectoryEntry()
Now you can use the current user's entry to read either their tokenGroups
attribute or their memberOf attribute. TokenGroups will give you the
transitive membership of the user's security groups, but they are returned
as SIDs. MemberOf gives you the groups (not just security) that the user is
directly a member of (not the nested membership), so you must recurse
through the tree to get the full membership.
Depending on what you need (security-only or all groups), you can use either
of the two approaches. If you need some more info on SID binding, let me
know.
Joe K.
"Darren" <darre...@hotmail.com> wrote in message
news:3514a44c.03030...@posting.google.com...
DirectorySearcher.FindRolesForCurrentUser()
whereby I don't pass in a username or password, but A-D just gives me
the info for the currently logged on user.
If you have a few mins, feel free to e-mail me - my address is in the
header (it's already spam infested so I didn't obfuscate it).
Thanks again.
-Darren.
"Joe Kaplan" <ilearnedthi...@noway.com> wrote in message news:<O4fIXoz4...@TK2MSFTNGP11.phx.gbl>...
There is probably some Win32 NetAPI you could call to do what you want
though. I'm not really sure how to proceed with that. I am pretty sure
that you can use Pinvoke to simply open up the current user's token, read
their group sids and then resolve them with the LookupAccountName function.
All of that can be done without using System.DirectoryServices.
You could also get the current user's SID from their token and bind directly
to that in the AD, so you wouldn't have to do a search. There are a bunch
of options.
There is a pretty cool .NET wrapper for the security functions posted by an
MS employee at http://www.gotdotnet.com that you could use to do all of this
work.
Joe K.
"Darren" <darre...@hotmail.com> wrote in message
news:3514a44c.03030...@posting.google.com...
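A worked version of the two routes Joe describes above (the search-and-tokenGroups route from his first reply and the token-SID route from his second), added here as an example; it is not code from the thread or from Joe. It assumes .NET 2.0 or later (for SecurityIdentifier and WindowsIdentity.Groups), a domain-joined machine, and a process running as the logged-on domain user. The point it makes for Darren's spoofing concern: neither function trusts the name string. The first reads the group SIDs the domain controller already placed in the logon token; the second binds to the user's own directory object by that token's SID using AuthenticationTypes.Secure, so the bind is made with the process's Kerberos/NTLM credentials (the same "trusted connection" idea as in SQL Server) and a local account that merely shares a domain user's name has a machine SID that does not exist in the directory.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Security.Principal

' Added example, not code from the thread. Assumes .NET 2.0 or later and a
' process running as a domain user on a domain-joined machine.
Public Module CurrentUserGroups

    ' Route 1: group membership from the access token alone. The domain
    ' controller computed this list (nested groups included) when it issued the
    ' logon token, so no name string is trusted and no directory call is made.
    Public Function GroupsFromToken() As List(Of String)
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        If Not identity.IsAuthenticated Then
            Throw New InvalidOperationException("Process token is not authenticated.")
        End If
        Dim names As New List(Of String)()
        For Each ref As IdentityReference In identity.Groups
            Dim sid As SecurityIdentifier = DirectCast(ref, SecurityIdentifier)
            Try
                ' Translate wraps the Win32 LookupAccountSid call (SID -> DOMAIN\name)
                names.Add(sid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                names.Add(sid.Value)   ' deleted or foreign group: keep the raw SID
            End Try
        Next
        Return names
    End Function

    ' Route 2: bind to the user's own AD object by the SID in the token using the
    ' LDAP://<SID=...> form, with AuthenticationTypes.Secure so the bind uses the
    ' process's own credentials; the program never handles a password. A local
    ' account named like a domain user has a machine SID with no object in the
    ' directory, so this bind fails rather than returning someone else's groups.
    Public Function GroupsFromTokenGroups() As List(Of SecurityIdentifier)
        Dim userSid As SecurityIdentifier = WindowsIdentity.GetCurrent().User
        Dim path As String = "LDAP://<SID=" & userSid.Value & ">"
        Using userEntry As New DirectoryEntry(path, Nothing, Nothing, AuthenticationTypes.Secure)
            ' tokenGroups is a constructed attribute; it must be requested explicitly
            userEntry.RefreshCache(New String() {"tokenGroups"})
            Dim sids As New List(Of SecurityIdentifier)()
            For Each raw As Object In userEntry.Properties("tokenGroups")
                ' each value is the binary SID of one transitive security group
                sids.Add(New SecurityIdentifier(DirectCast(raw, Byte()), 0))
            Next
            Return sids
        End Using
    End Function

    ' The check the thread is really after: is the current user in a given
    ' domain group? Compares SIDs, not names, so a renamed local group or a
    ' local account called "Fred" cannot make the check pass.
    Public Function IsMemberOf(ByVal groupSid As SecurityIdentifier) As Boolean
        For Each sid As SecurityIdentifier In GroupsFromTokenGroups()
            If sid.Equals(groupSid) Then Return True
        Next
        Return False
    End Function

    Sub Main()
        Console.WriteLine("Groups from token:")
        For Each name As String In GroupsFromToken()
            Console.WriteLine("  " & name)
        Next
        Console.WriteLine("Transitive security groups from tokenGroups:")
        For Each sid As SecurityIdentifier In GroupsFromTokenGroups()
            Console.WriteLine("  " & sid.Value)
        Next
    End Sub
End Module
```

Compile with a reference to System.DirectoryServices.dll. GroupsFromToken is the cheapest check and needs no directory access at all; GroupsFromTokenGroups is the one to use when you want the directory's current view (for example, after a group change that the user's existing logon token does not yet reflect), and it requires that the caller can read the tokenGroups attribute on their own object, which authenticated domain users can by default.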