?
Solved

LDAP query - advanced permission/authentication issue

Posted on 2006-07-10
2
Medium Priority
?
2,066 Views
Last Modified: 2007-12-19
I have an LDAP query that works fine by default.  We are invoking via a webservice.  We then went into IIS and made the directory use Integrated Windows Authentication.

Still no problem.

We then wanted to be able to read the windows identity of the user logged in.  So we added a new webconfig inside the parent folder (which only contains the webservice) that is as follows:

<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
                  <identity impersonate="true"/>
    </system.web>
</configuration>

Now - we can successfully read the username of the person logged in, but the LDAP query fails.
The error we get is:
================================================
System.Runtime.InteropServices.COMException: An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
   at System.DirectoryServices.DirectoryEntries.GetEnumerator()
... more stack of our specific code
================================================

If we go to the LDAP query code and add in

de.Username = "adminuser";
de.Password = "P@ssword";

then it works.

But if we use any user that is not an admin it does not work.

Therefore we think that the problem is with the account that is being used to access the webservice.

The goal here is to restrict the webservice to only allow certain windows accounts to run it within our network.  We test the identity in the webservice constructor.  I know there are other ways, but for now we need to go with this option as the other methods of WSE etc have caused other issues.

So it works without that web.config or with the web.config with an admin account hardcoded in (which we don't want either).  It does not work if an admin account is passed in through the windows identity.

Is there a way that we can get this to work without hard-coding in a username and password to the directory entry and still being able to read in the windows identity of the user in the constructor of the webservice?  Note - it is not possible to turn this directory into its own .NET Application.

We also do not want to send in the password to the webservice to then feed into the DirectoryEntry.

It just seems strange that the same account if using Windows Authentication doesnot work, but hardcoded in does work.

Maybe is there a way to tell the DirectoryEntry to use anonymous LDAP query?  How was it working before we added the web.config file?  Was it using an anonymous LDAP query before we added the web.config file?  If so is there a way to revert the LDAP query back to being anonymous?

PS all the LDAP query is doing is reading a list of users within a specific group.

Thanks
0
Comment
Question by:mrichmon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 35

Accepted Solution

by:
mrichmon earned 0 total points
ID: 17084412
Working off of this article:
http://support.microsoft.com/?kbid=306158

I was able to determine that we can remove the web.config file and then programatically change the security context to the currently authenticated user, then revert back to the nt authority\network service account for the LDAP portion.

Basically the code is as follows:

// Change the security context to the currently logged in user from the nt authority\network service context
            System.Security.Principal.WindowsImpersonationContext impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

// Code that needs the current user goes here such as
string username = WindowsIdentity.GetCurrent().Name;

// Revert back to normal context (i.e.  nt authority\network service account)
impersonationContext.Undo();

// Code for LDAP.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We all know that functional code is the leg that any good program stands on when it comes right down to it, however, if your program lacks a good user interface your product may not have the appeal needed to keep your customers happy. This issue can…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question