Solved

How to validate student only to specific domain

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

I need some help here. I have a forest with multiple subdomains:

1. abc.com - forest name and also top level domain with two DC (ad0.abc.com and ad1.abc.com (replicated))

2. xyz.abc.com - subdomain for abc.com with two DC (adxyz0.xyz.abc.com and adxyz1.xyz.abc.com (replicated))

3. pqr.net - other company forest with trust relation

ALL DCs in forest abc.com are GCs.

There will be users with the same "sAMAccountName" in DIFFERENT domains representing DIFFERENT people.

Let's put some dummy accounts here:

1. john@abc.com - password j123
2. mark@abc.com - password m123
3. john@xyz.abc.com - password jx456
4. linda@xyz.abc.com - password l789

Here is my code:
Imports System.DirectoryServices.AccountManagement

Public Class AccountManagement
  Private m_sDefaultDomain As String
  Private m_sDefaultOU As String
  ' Service account used for the directory bind (hard-coded here for the example).
  Private m_sServiceAccount As String = "serviceuser"
  Private m_sServicePassword As String = "servicepassword"

  Public Function ValidateCredential(sUserAccount As String, sUserPassword As String) As Boolean
    Dim oPrincipalContext = GetPrincipalContext()

    Return oPrincipalContext.ValidateCredentials(sUserAccount, sUserPassword)
  End Function

  ' Returns the sAMAccountName part of "user@domain".
  Public Function ReturnUserID(sUserAccount As String) As String
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    Return asUserAccount(0)
  End Function

  ' Checks the domain part of "user@domain" and remembers it for GetPrincipalContext.
  Public Function IsValidAccount(sUserAccount As String) As Boolean
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    ' Input without exactly one "@" would otherwise throw on asUserAccount(1).
    If asUserAccount.Length <> 2 Then
      Return False
    End If

    If asUserAccount(0) = "administrator" Then
      Return False
    Else
      If asUserAccount(1).EndsWith("abc.com") Or asUserAccount(1).EndsWith("pqr.net") Then
        m_sDefaultDomain = asUserAccount(1)
        m_sDefaultOU = "DC=" & asUserAccount(1).Replace(".", ",DC=")

        Return True
      Else
        Return False
      End If
    End If
  End Function

  Private Function GetPrincipalContext() As PrincipalContext
    ' SimpleBind sends the service password unencrypted unless combined with ContextOptions.SecureSocketLayer.
    Dim oPrincipalContext As New PrincipalContext(ContextType.Domain, m_sDefaultDomain, m_sDefaultOU, ContextOptions.SimpleBind, m_sServiceAccount, m_sServicePassword)

    Return oPrincipalContext
  End Function
End Class


This class is initiated and called by other applications like this:

Imports System.Windows.Forms

' btnTestLogin, txtUserID and txtUserPassword are controls defined in the form designer.
Public Class frmTest

  Private Sub btnTestLogin_Click(sender As System.Object, e As System.EventArgs) Handles btnTestLogin.Click
    Dim oIC As New AccountManagement

    If oIC.IsValidAccount(txtUserID.Text) Then
      If oIC.ValidateCredential(oIC.ReturnUserID(txtUserID.Text), txtUserPassword.Text) Then
        MessageBox.Show("OK")
      Else
        MessageBox.Show("Not OK")
      End If
    End If
  End Sub
End Class


I have a problem with my code doing authentication of users on different domains.

When:
1.
txtUserID.text = john@abc.com
txtUserPassword.text = j123
Messagebox = OK
-This is good

2.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

3.
txtUserID.text = john@xyz.abc.com
txtUserPassword.text = jx456
Messagebox = OK
-This is good

4.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

5.
txtUserID.text = linda@xyz.abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is good

6.
txtUserID.text = linda@abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is NOT GOOD because linda does not exist in domain abc.com

7.
txtUserID.text = mark@xyz.abc.com
txtUserPassword.text = m123
Messagebox = OK
-This is NOT GOOD because mark does not exist in domain xyz.abc.com

I can overcome problems 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

Likewise, I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

So, my question: is there any way I can make sure cases 6 and 7 are solved without having to use the DC name, using the domain name instead?

0
Comment
Question by:khairil
7 Comments

Author Comment

by:khairil
ID: 36540312

I can overcome problems 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

Likewise, I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

My mistake, the run also failed when set to the DC :((, any ideas?
0

Expert Comment

by:The_Kirschi
ID: 36541162
Actually, I am pretty sure that something must be wrong with your program. If a user account does not exist in a domain, it can definitely not be validated with the message "OK". So something in the logic of your code does not fit. Sure, this is not much help, but maybe a little hint.
0

Author Comment

by:khairil
ID: 36541357
Yup,

I think the logic is there already; just in this case, if no user exists in one domain, the code tries to use the GC to find any other user with the same sAMAccountName in another domain and match the password. So what I am looking for right now is how to force the code to find the user in the dedicated domain only, without traversing to other domains.

The program works fine if there is only one domain, but fails if there are more domains and a user with the same name exists in another domain with the same password, even though I supply the domain name when creating the PrincipalContext object.

I'm looking forward to doing validation on the PrincipalName such as "john@abc.com" instead of just "john" in this case. However, having the full principal name like "john@abc.com" or "ABC/john" failed during authentication.
0
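One way to get the behaviour asked for in the question and in the comment above, as an added example that is not the asker's code: before checking the password, look the account up in a PrincipalContext scoped to the exact domain named in the UPN, and refuse the login unless the object actually lives in that domain. The allow-list of domains, the DomainOf helper and the use of Negotiate instead of SimpleBind are assumptions of this example; whether the UPN bind is accepted in the asker's forest is not something the page confirms.

```vbnet
' Added example (not the asker's code): scope validation to the exact domain in the UPN.
Imports System
Imports System.DirectoryServices.AccountManagement

Public Class DomainScopedValidator
  Private ReadOnly m_sServiceAccount As String
  Private ReadOnly m_sServicePassword As String
  ' Assumed allow-list: exact domain names, so "evil-abc.com" does not pass an EndsWith("abc.com") test.
  Private Shared ReadOnly AllowedDomains As String() = {"abc.com", "xyz.abc.com", "pqr.net"}

  Public Sub New(serviceAccount As String, servicePassword As String)
    m_sServiceAccount = serviceAccount
    m_sServicePassword = servicePassword
  End Sub

  ' Returns the "DC=...,DC=..." suffix of a distinguished name (assumes no RDN contains "DC=").
  Private Shared Function DomainOf(dn As String) As String
    Dim i = dn.IndexOf("DC=", StringComparison.OrdinalIgnoreCase)
    Return If(i < 0, "", dn.Substring(i))
  End Function

  ' True only if "linda@xyz.abc.com" exists in xyz.abc.com itself AND the password is correct.
  Public Function Validate(upn As String, password As String) As Boolean
    Dim parts = upn.ToLowerInvariant().Split("@"c)
    If parts.Length <> 2 OrElse parts(0) = "administrator" Then Return False
    Dim sam = parts(0), domain = parts(1)
    If Array.IndexOf(AllowedDomains, domain) < 0 Then Return False
    Dim container = "DC=" & domain.Replace(".", ",DC=")

    ' Negotiate (Kerberos/NTLM) with sealing so the service password is not sent in clear text.
    Using ctx As New PrincipalContext(ContextType.Domain, domain, container,
                                      ContextOptions.Negotiate Or ContextOptions.Sealing Or ContextOptions.Signing,
                                      m_sServiceAccount, m_sServicePassword)
      ' LDAP search against this domain's own partition, not the global catalog:
      ' "linda" is not found in abc.com and "mark" is not found in xyz.abc.com (cases 6 and 7).
      Using user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam)
        If user Is Nothing Then Return False
        ' Belt and braces: the object's DN must sit in exactly this domain (a child domain DN
        ' also ends with the parent's DC components, so compare the whole DC suffix).
        If Not String.Equals(DomainOf(user.DistinguishedName), container, StringComparison.OrdinalIgnoreCase) Then
          Return False
        End If
        ' Only now check the password, using the directory's own UPN for the object.
        Return ctx.ValidateCredentials(user.UserPrincipalName, password, ContextOptions.Negotiate)
      End Using
    End Using
  End Function
End Class
```

With the dummy accounts from the question, Validate("linda@abc.com", "l789") and Validate("mark@xyz.abc.com", "m123") return False because FindByIdentity finds nothing in the named domain, while Validate("john@abc.com", "j123") reaches the credential check.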
Expert Comment

by:The_Kirschi
ID: 36543567
Well, I actually cannot help you myself, but I found an article with a code snippet for authentication that could help you (you need to scroll down a bit for the relevant code):

http://www.dotnetspider.com/resources/2137-Active-Directory-Au-entication-wi-Form-Based-Au.aspx
0

Author Comment

by:khairil
ID: 36546746
Thanks Kirschi,

But that site is using DirectoryEntry, which is now obsolete, whereas I am using DirectoryServices in .NET Framework 4.0.
0

Accepted Solution

by: khairil earned 0 total points
ID: 36899031
I have submitted the same question to a Microsoft engineer. So I am going to close this question; thanks to all experts for your valuable time and information.
0

Author Closing Comment

by:khairil
ID: 36929304
Closing by getting expert's advice from Microsoft.
0