Solved

How to validate student only to specific domain

Posted on 2011-09-14
7
495 Views
Last Modified: 2012-05-12
Hi experts,

I need some help here. I have a forest with multiple subdomains:

1. abc.com - forest name and also top level domain with two DC (ad0.abc.com and ad1.abc.com (replicated))

2. xyz.abc.com - subdomain for abc.com with two DC (adxyz0.xyz.abc.com and adxyz1.xyz.abc.com (replicated))

3. pqr.net - other company forest with trust relation

ALL DC in forest abc.com are GCs.

There will be users with the same "sAMAccountName" in DIFFERENT domains representing DIFFERENT people.

Let's put some dummy accounts here:

1. john@abc.com - password j123
2. mark@abc.com - password m123
3. john@xyz.abc.com - password jx456
4. linda@xyz.abc.com - password l789

Here is my code:
Imports System.DirectoryServices.AccountManagement

Public Class AccountManagement
  Private m_sDefaultDomain As String
  Private m_sDefaultOU As String
  Private m_sServiceAccount As String = "serviceuser"
  Private m_sServicePassword As String = "servicepassword"

  ' Validates the password against the context built from the values that
  ' IsValidAccount stored. sUserAccount is the bare sAMAccountName returned
  ' by ReturnUserID, not the full "user@domain" string.
  Public Function ValidateCredential(sUserAccount As String, sUserPassword As String) As Boolean
    Dim oPrincipalContext As PrincipalContext = GetPrincipalContext()

    Return oPrincipalContext.ValidateCredentials(sUserAccount, sUserPassword)
  End Function

  ' Strips the domain part: "john@abc.com" -> "john".
  Public Function ReturnUserID(sUserAccount As String) As String
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    Return asUserAccount(0)
  End Function

  ' Accepts "user@domain" for the allowed domains and records the domain name
  ' and its DN (e.g. "DC=xyz,DC=abc,DC=com") for GetPrincipalContext.
  Public Function IsValidAccount(sUserAccount As String) As Boolean
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    ' Input without exactly one "@" would otherwise throw
    ' IndexOutOfRangeException when asUserAccount(1) is read below.
    If asUserAccount.Length <> 2 Then
      Return False
    End If

    If asUserAccount(0) = "administrator" Then
      Return False
    Else
      If asUserAccount(1).EndsWith("abc.com") Or asUserAccount(1).EndsWith("pqr.net") Then
        m_sDefaultDomain = asUserAccount(1)
        m_sDefaultOU = "DC=" & asUserAccount(1).Replace(".", ",DC=")

        Return True
      Else
        Return False
      End If
    End If
  End Function

  ' Note: ContextOptions.SimpleBind sends the service account password in
  ' clear text unless the connection also uses ContextOptions.SecureSocketLayer.
  Private Function GetPrincipalContext() As PrincipalContext
    Dim oPrincipalContext As New PrincipalContext(ContextType.Domain, m_sDefaultDomain, m_sDefaultOU, ContextOptions.SimpleBind, m_sServiceAccount, m_sServicePassword)

    Return oPrincipalContext
  End Function
End Class


This class is instantiated and called by other applications like this:

Public Class frmTest

  Private Sub btnTestLogin_Click(sender As System.Object, e As System.EventArgs) Handles btnTestLogin.Click
    Dim oIC As New AccountManagement

    If oIC.IsValidAccount(txtUserID.Text) Then
      If oIC.ValidateCredential(oIC.ReturnUserID(txtUserID.Text), txtUserPassword.Text) Then
        MessageBox.Show("OK")
      Else
        MessageBox.Show("Not OK")
      End If
    End If
  End Sub
End Class


I have a problem with my code to do authentication of user on different domain.

When:
1.
txtUserID.text = john@abc.com
txtUserPassword.text = j123
Messagebox = OK
-This is good

2.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

3.
txtUserID.text = john@xyz.abc.com
txtUserPassword.text = jx456
Messagebox = OK
-This is good

4.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

5.
txtUserID.text = linda@xyz.abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is good

6.
txtUserID.text = linda@abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is NOT GOOD because linda does not exist in domain abc.com

7.
txtUserID.text = mark@xyz.abc.com
txtUserPassword.text = m123
Messagebox = OK
-This is NOT GOOD because mark does not exist in domain xyz.abc.com

I can overcome the problem in numbers 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

Same case: I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

So, my question: is there any way I can make sure cases 6 and 7 are solved without having to use the DC name, using the domain name instead?

Question by:khairil
7 Comments
 
LVL 13

Author Comment

by:khairil
ID: 36540312

My mistake, the run also failed when set to DC :((, any ideas?
LVL 16

Expert Comment

by:The_Kirschi
ID: 36541162
Actually, I am pretty sure that something must be wrong with your program. If a user account does not exist in a domain, it can definitely not be validated with the message "OK". So something in the logic of your code does not fit. Sure, this is not much help, but maybe a little hint.
LVL 13

Author Comment

by:khairil
ID: 36541357
Yup,

I think the logic is there already; just in this case, if no user exists in one domain, the code tries to use the GC to find any other user with the same sAMAccountName in another domain and match the password. So what I am looking for right now is how to force the code to find the user in the dedicated domain only, without traversing to other domains.

The program works fine if it is only one domain, but fails if there are more domains and a user with the same name exists in another domain with the same password, even though I supply the domain name when creating the PrincipalContext object.

I'm looking forward to doing validation on the PrincipalName such as "john@abc.com" instead of just "john" in this case. However, having the full principal name like "john@abc.com" or "ABC/john" failed during authentication.
0
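An added example (not the asker's code and not from any answer on this page) showing one way to keep validation inside the domain named after the "@": bind to that domain by DNS name, confirm the sAMAccountName exists there with UserPrincipal.FindByIdentity, and only then check the password using that account's own UPN rather than the bare name. It assumes the same service account and the .NET 4.0 System.DirectoryServices.AccountManagement API the question uses; the class and member names are mine.

```vbnet
Imports System.DirectoryServices.AccountManagement

' Added example: credential validation scoped to one domain. Assumes the
' service account can read the target domain (same assumption as the question).
Public Class DomainScopedValidator
  Private ReadOnly m_sServiceAccount As String
  Private ReadOnly m_sServicePassword As String

  Public Sub New(sServiceAccount As String, sServicePassword As String)
    m_sServiceAccount = sServiceAccount
    m_sServicePassword = sServicePassword
  End Sub

  ' True only if an account with this sAMAccountName exists in the domain
  ' after the "@" AND the password is correct for that specific account.
  Public Function ValidateInDomain(sUserAccount As String, sUserPassword As String) As Boolean
    Dim asParts() As String = sUserAccount.ToLowerInvariant().Split("@"c)
    If asParts.Length <> 2 OrElse asParts(0) = "administrator" Then Return False

    Dim sSam As String = asParts(0)
    Dim sDomain As String = asParts(1)
    If Not (sDomain.EndsWith("abc.com") OrElse sDomain.EndsWith("pqr.net")) Then Return False

    ' Bind to the domain by DNS name (no hard-coded DC) with the service account.
    ' Negotiate (Kerberos/NTLM) avoids the clear-text password of a simple bind.
    Dim eOpts As ContextOptions = ContextOptions.Negotiate Or ContextOptions.Signing Or ContextOptions.Sealing
    Using oCtx As New PrincipalContext(ContextType.Domain, sDomain, Nothing, eOpts,
                                       m_sServiceAccount, m_sServicePassword)

      ' Step 1: a lookup in a Domain context searches that domain's directory
      ' only, so "linda@abc.com" stops here when linda exists only in
      ' xyz.abc.com (cases 6 and 7 from the question).
      Using oUser As UserPrincipal = UserPrincipal.FindByIdentity(oCtx, IdentityType.SamAccountName, sSam)
        If oUser Is Nothing Then Return False

        ' Step 2: check the password with the account's own UPN
        ' (e.g. john@xyz.abc.com) so the DC is not left to resolve a bare
        ' name through a trust; fall back to the sAMAccountName if no UPN is set.
        Dim sLogon As String = If(String.IsNullOrEmpty(oUser.UserPrincipalName), sSam, oUser.UserPrincipalName)
        Return oCtx.ValidateCredentials(sLogon, sUserPassword, eOpts)
      End Using
    End Using
  End Function
End Class
```

Step 1 is what is meant to reject cases 6 and 7: linda and mark are simply not found in the wrong domain, so no password is ever checked there.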
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36543567
Well, I can actually not help you myself, but I found an article with some code snippet for authentication that could help you (need to scroll a little bit down for the relevant code):

http://www.dotnetspider.com/resources/2137-Active-Directory-Au-entication-wi-Form-Based-Au.aspx
LVL 13

Author Comment

by:khairil
ID: 36546746
Thanks Kirschi,

But the site is using DirectoryEntry, which is now obsolete, whereas I am using DirectoryServices in .NET Framework 4.0.
LVL 13

Accepted Solution

by:
khairil earned 0 total points
ID: 36899031
I have submitted the same question to a Microsoft engineer. So I am going to close this question; thanks to all experts for your valuable time and information.
LVL 13

Author Closing Comment

by:khairil
ID: 36929304
Closing by getting expert's advice from Microsoft.