Solved
LDAP Not all users returning Memberof information Asp.Net

Posted on 2008-10-23
3,358 Views
Last Modified: 2013-12-24
I am using asp.net 2.0 with C#. I am authenticating users against LDAP and that is working fine. Once they are authenticated, I want to pull more information from LDAP; however, I have noticed that not all users will return information such as memberOf. I am, however, able to get the displayName. I have the LDAP connection string in the web.config file, and I created a special user account that I use to query LDAP. Below is the code that I am using. For some reason not all users will return memberOf information.
Please see the attached code snippet.

With the code, the display name is set regardless of the user; the memberOf will only set on certain users. I have looked through my LDAP directory and I do not see a connection between the users that do not show.

Any help would be appreciated.  
Thank you.

using System;
using System.DirectoryServices;

// No path or credentials are given, so this binds to the default naming
// context as the identity of the ASP.NET worker process.
DirectoryEntry entry = new DirectoryEntry();
DirectorySearcher Dsearch = new DirectorySearcher(entry);

// LDAP filters are enclosed in parentheses; _userName is untrusted input and
// should be escaped before it is concatenated into the filter.
String filterText = "(sAMAccountName=" + _userName + ")";
Dsearch.Filter = filterText;

SearchResult sResultSet = Dsearch.FindOne();

if (sResultSet != null && sResultSet.Properties["displayName"].Count > 0)
{
    _displayName = sResultSet.Properties["displayName"][0].ToString();

    // memberOf is multi-valued and may be absent for a user; indexing [0]
    // on an empty collection throws, so guard it.
    if (sResultSet.Properties["memberof"].Count > 0)
    {
        string memberOF = (String)sResultSet.Properties["memberof"][0];
    }
}

Question by:shanemay
10 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22794376

Hey,

If the user is only a member of Domain Users (their Primary Group) then memberOf will not return anything. Primary group membership is evaluated outside of memberOf / member.

Chris
 

Author Comment

by:shanemay
ID: 22795669
Thank you for the response. Based on your comments, I added the following code to see if I could pull any other LDAP data from member. Please see the attached code. For some reason the only information being pulled on certain users is the "displayName" property. The code works because I always get a displayName. For some users I get most of the information, for some users I get nothing. Again, thank you, any help would be greatly appreciated.


// Each attribute is read through a helper that returns "" when the user has
// no value for it. Indexing [0] directly on an attribute the user lacks
// (initials, homemdb and the Exchange attributes are often empty) throws
// ArgumentOutOfRangeException and aborts the rest of this block, which is
// how a user ends up with only displayName populated.
string[] attributes = {
    "givenName", "initials", "sn", "homemdb", "countrycode", "cn",
    "msexchuseraccountcontrol", "mailnickname", "msexchhomeservername",
    "msexchhidefromaddresslists", "msexchalobjectversion", "usncreated",
    "objectguid", "msexchrequireauthtosendto", "whenchanged", "memberof",
    "accountexpires", "displayname", "primarygroupid", "badpwdcount",
    "objectclass", "instancetype", "msmqdigests", "objectcategory",
    "samaccounttype", "whencreated", "lastlogon", "useraccountcontrol",
    "msmqsigncertificates", "samaccountname", "userparameters", "mail",
    "msexchmailboxsecuritydescriptor", "adspath", "lockouttime", "homemta",
    "description", "msexchmailboxguid", "pwdlastset", "logoncount",
    "codepage", "name", "usnchanged", "legacyexchangedn", "proxyaddresses",
    "userprincipalname", "admincount", "badpasswordtime", "objectsid",
    "msexchpoliciesincluded", "mdbusedefaults", "distinguishedname",
    "showinaddressbook", "givenname", "textencodedoraddress",
    "lastlogontimestamp"
};

string[] names = new string[attributes.Length];
for (int i = 0; i < attributes.Length; i++)
{
    names[i] = attributes[i] + " = " + FirstValueOrEmpty(sResultSet, attributes[i]);
}

// Helper, declared at class scope: first value of a property, or "" if the
// result carries none. Multi-valued attributes such as memberof only show
// their first value here.
static string FirstValueOrEmpty(SearchResult result, string property)
{
    ResultPropertyValueCollection values = result.Properties[property];
    return values.Count > 0 ? values[0].ToString() : "";
}

 
LVL 71

Expert Comment

by:Chris Dent
ID: 22795783
I'd have to guess it was how you were attempting to return / display the values that's at fault. Reading them in like that should work, although some will be pretty useless.  If I use the method above and simply write the response to a Label it works.

For memberOf, it's an array, so you'd have to loop through each value rather than just the first index.

Chris
 

Author Comment

by:shanemay
ID: 22796453
Thank you again for the reply. Below is the code that I use to display the information. I agree, it should work, and it does for some users. For others I get nothing. I feel that it is a permission issue, but I am not sure where to begin. I used the generic label names for testing just to see what it would return. Do you think it could have to do with the account that manages the asp.net worker thread? I am really at a loss.

lblDisplayName.Text = _displayName;

_fullUserName = DOMAIN_PREFIX + _userName;

lblGroupName.Text = _groupName;
lblLDAPMember.Text = _LDAPMembership;

// Stamp the page with the current date.
DateTime myDate = DateTime.Now;
lblDate.Text = myDate.ToLongDateString();

// Only the first 20 collected attribute strings are shown.
Label1.Text = names[0];
Label2.Text = names[1];
Label3.Text = names[2];
Label4.Text = names[3];
Label5.Text = names[4];
Label6.Text = names[5];
Label7.Text = names[6];
Label8.Text = names[7];
Label9.Text = names[8];
Label10.Text = names[9];
Label11.Text = names[10];
Label12.Text = names[11];
Label13.Text = names[12];
Label14.Text = names[13];
Label15.Text = names[14];
Label16.Text = names[15];
Label17.Text = names[16];
Label18.Text = names[17];
Label19.Text = names[18];
Label20.Text = names[19];

 
LVL 4

Accepted Solution

by:
anipeddi earned 1200 total points
ID: 22798542
In my past project I had faced this issue and I did solve it.
Are you using Windows authentication? If so, turn on impersonation in your application.
Steps to do this:
1) Have user credentials that have admin access on Active Directory.
2) Go to your web.config file, turn on impersonation, and specify the username and password (you could encrypt the user credentials).
   For example:
      <authentication mode="Windows"/>
      <identity impersonate="true" userName="xxxx" password="xxxx"/>

 

Author Comment

by:shanemay
ID: 22798617
Thank you for the reply. When you suggest that the user have admin access on Active Directory, do you mean the user should have admin access to the server? I am running Windows Server 2003. Also, I am using Windows authentication. I created a login page that authenticates against my LDAP. I will make the changes on Monday and reply back. Again, thank you for the suggestion.
 
LVL 4

Expert Comment

by:anipeddi
ID: 22798954
I think initially you should understand the concept of impersonation. Please read these articles:
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/impersonation10092007065217AM/impersonation.aspx
http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx

The user who uses the application does not need to have admin rights on the server,
but the problem is that without having admin rights he cannot see the memberof() information. So,
use your login screen to authenticate the user, and turn on impersonation.
When you turn on impersonation, no matter who is logged in to the application, it just uses the user credentials you have specified in the impersonation node to hit Active Directory.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22802378

> but the problem is with out having admin rights he can not see the memberof() information So

Yes he can.

All attributes have Authenticated Users Read unless that has been explicitly removed at the directory level.

Web Applications do not need to run as Administrator to read the directory.

Chris
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 800 total points
ID: 22804616
memberOf doesn't return primary group membership.
To get that information, you need to compare the group's PrimaryGroupToken with the user's PrimaryGroupId.
Collect a recordset with the groups and when accessing the user, apply a filter on the group-recordset to find the matching primary group.
rsGroup.Filter="(PrimaryGroupToken="+sResultSet.Properties("primaryGroupId")+")"
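Putting Chris's and Henrik's points together in C#, as an added example that is not code from the thread: every memberOf value is read (not only index 0), the primary group is found by matching each group's primaryGroupToken against the user's primaryGroupID on the client side, and the account name is escaped before it enters the filter. It assumes `root` is a DirectoryEntry already bound to the domain, for instance with the dedicated read-only query account the question mentions; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not code from the thread. `root` is assumed to be a
// DirectoryEntry bound to the domain naming context with a read-only account.
static class AdGroupLookup
{
    // RFC 4515 escaping so a user-supplied account name cannot change the filter.
    static string EscapeFilterValue(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    // Every group DN for the user: all memberOf values (not only index 0) plus
    // the primary group, which memberOf never lists.
    public static List<string> GetGroups(DirectoryEntry root, string sAMAccountName)
    {
        var groups = new List<string>();
        using (var search = new DirectorySearcher(root))
        {
            search.PageSize = 1000; // page past the server's 1000-entry result cap
            search.Filter = "(&(objectCategory=person)(sAMAccountName="
                            + EscapeFilterValue(sAMAccountName) + "))";
            search.PropertiesToLoad.AddRange(new[] { "memberOf", "primaryGroupID" });
            SearchResult user = search.FindOne();
            if (user == null) return groups;
            foreach (object dn in user.Properties["memberOf"]) // empty, not null, when absent
                groups.Add((string)dn);
            if (user.Properties["primaryGroupID"].Count == 0) return groups;
            int primaryGroupId = (int)user.Properties["primaryGroupID"][0];

            // primaryGroupToken is a constructed attribute: it can be requested but
            // not used in a filter, so match it client-side as Henrik describes.
            search.Filter = "(objectCategory=group)";
            search.PropertiesToLoad.Clear();
            search.PropertiesToLoad.AddRange(new[] { "primaryGroupToken", "distinguishedName" });
            using (SearchResultCollection all = search.FindAll())
                foreach (SearchResult g in all)
                    if (g.Properties["primaryGroupToken"].Count > 0
                        && (int)g.Properties["primaryGroupToken"][0] == primaryGroupId)
                    {
                        groups.Add((string)g.Properties["distinguishedName"][0]);
                        break;
                    }
        }
        return groups;
    }
}
```

A user whose only group is the primary group gets exactly one DN back, which is the case the question's `memberof[0]` never saw.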
 

Author Closing Comment

by:shanemay
ID: 31509348
Thank you for your help. This worked out perfectly. Again, thank you.
