Solved

How to validate student only to specific domain

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

I need some help here. I have a forest with multiple subdomains:

1. abc.com - forest name and also top-level domain, with two DCs (ad0.abc.com and ad1.abc.com (replicated))

2. xyz.abc.com - subdomain of abc.com with two DCs (adxyz0.xyz.abc.com and adxyz1.xyz.abc.com (replicated))

3. pqr.net - another company's forest with a trust relationship

ALL DCs in forest abc.com are GCs.

There will be users with the same "sAMAccountName" in DIFFERENT domains representing DIFFERENT people.

Let me put some dummy accounts here:

1. john@abc.com - password j123
2. mark@abc.com - password m123
3. john@xyz.abc.com - password jx456
4. linda@xyz.abc.com - password l789

Here is my code:
Imports System
Imports System.DirectoryServices.AccountManagement

Public Class AccountManagement
  Private m_sDefaultDomain As String
  Private m_sDefaultOU As String
  ' Service account used for the directory bind. Do not keep real credentials
  ' in source; load them from protected configuration instead.
  Private m_sServiceAccount As String = "serviceuser"
  Private m_sServicePassword As String = "servicepassword"

  Public Function ValidateCredential(sUserAccount As String, sUserPassword As String) As Boolean
    ' IsValidAccount must have run first so that the domain and base DN are set.
    If String.IsNullOrEmpty(m_sDefaultDomain) Then Return False

    Using oPrincipalContext = GetPrincipalContext()
      Return oPrincipalContext.ValidateCredentials(sUserAccount, sUserPassword)
    End Using
  End Function

  Public Function ReturnUserID(sUserAccount As String) As String
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    Return asUserAccount(0)
  End Function

  Public Function IsValidAccount(sUserAccount As String) As Boolean
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)

    ' Require exactly "user@domain"; anything else is rejected.
    If asUserAccount.Length <> 2 OrElse asUserAccount(0) = "" OrElse asUserAccount(1) = "" Then
      Return False
    End If

    If asUserAccount(0) = "administrator" Then
      Return False
    End If

    Dim sDomain As String = asUserAccount(1)
    ' Accept the domain itself or one of its sub-domains. A bare
    ' EndsWith("abc.com") would also accept a domain such as "evilabc.com".
    If sDomain = "abc.com" OrElse sDomain.EndsWith(".abc.com") OrElse _
       sDomain = "pqr.net" OrElse sDomain.EndsWith(".pqr.net") Then
      m_sDefaultDomain = sDomain
      m_sDefaultOU = "DC=" & sDomain.Replace(".", ",DC=")

      Return True
    Else
      Return False
    End If
  End Function

  Private Function GetPrincipalContext() As PrincipalContext
    ' SimpleBind sends the service password in clear text unless
    ' ContextOptions.SecureSocketLayer is also set (requires LDAPS on the DCs).
    Dim oPrincipalContext As New PrincipalContext(ContextType.Domain, m_sDefaultDomain, m_sDefaultOU, ContextOptions.SimpleBind, m_sServiceAccount, m_sServicePassword)

    Return oPrincipalContext
  End Function
End Class

This class is initiated and called by another application like this:

Imports System
Imports System.Windows.Forms

Public Class frmTest

  Private Sub btnTestLogin_Click(sender As System.Object, e As System.EventArgs) Handles btnTestLogin.Click
    Dim oIC As New AccountManagement

    ' IsValidAccount must run first: it selects the domain that
    ' ValidateCredential will bind to.
    If oIC.IsValidAccount(txtUserID.Text) Then
      If oIC.ValidateCredential(oIC.ReturnUserID(txtUserID.Text), txtUserPassword.Text) Then
        MessageBox.Show("OK")
      Else
        MessageBox.Show("Not OK")
      End If
    End If
  End Sub
End Class

I have a problem with my code when authenticating users in different domains.

When:
1.
txtUserID.text = john@abc.com
txtUserPassword.text = j123
Messagebox = OK
-This is good

2.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

3.
txtUserID.text = john@xyz.abc.com
txtUserPassword.text = jx456
Messagebox = OK
-This is good

4.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

5.
txtUserID.text = linda@xyz.abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is good

6.
txtUserID.text = linda@abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is NOT GOOD because linda does not exist in domain abc.com

7.
txtUserID.text = mark@xyz.abc.com
txtUserPassword.text = m123
Messagebox = OK
-This is NOT GOOD because mark does not exist in domain xyz.abc.com

I can overcome the problem in numbers 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

In the same way, I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

So, my question: is there any way I can make sure cases 6 and 7 are solved without having to use the DC name, but using the domain name instead?

Question by:khairil
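The class below is an added example, not khairil's code and not the Microsoft advice the thread never reproduces. It shows one way to keep validation inside the domain named in the UPN suffix while still locating DCs by domain name rather than host name: it binds a PrincipalContext to that domain only (the DC locator picks a live DC, so no DC host is hard-coded), proves that the sAMAccountName exists in that domain's naming context, checks that the object found really lives under that domain's DN, and only then authenticates that exact object by its userPrincipalName. The allowed-domain list, the service account (with Negotiate it is expected as DOMAIN\user or a UPN), LDAP reachability to a DC in each domain and the assumption that every account has a userPrincipalName set are all hypothetical; the class needs a real forest to run.

```vb
' Added example (not the original poster's code): validate a user only against
' the domain named in the UPN suffix, by first proving the account exists in
' that domain and then authenticating the exact object that was found.
' Assumptions (hypothetical): the allowed domains, the service account and
' reachability of a DC in each domain.
Imports System
Imports System.DirectoryServices.AccountManagement

Public Class DomainScopedValidator
    ' Domains that may be used as a UPN suffix (exact match or a sub-domain).
    Private Shared ReadOnly AllowedDomains As String() = {"abc.com", "pqr.net"}

    ' Service account used to search the directory. Keep real values out of
    ' source control (e.g. read them from a protected configuration section).
    Private ReadOnly _serviceUser As String
    Private ReadOnly _servicePassword As String

    Public Sub New(serviceUser As String, servicePassword As String)
        _serviceUser = serviceUser
        _servicePassword = servicePassword
    End Sub

    ' True only when the domain is exactly an allowed domain or one of its
    ' sub-domains. A plain EndsWith("abc.com") would also accept "evilabc.com".
    Public Shared Function IsAllowedDomain(domain As String) As Boolean
        For Each allowed As String In AllowedDomains
            If String.Equals(domain, allowed, StringComparison.OrdinalIgnoreCase) OrElse
               domain.EndsWith("." & allowed, StringComparison.OrdinalIgnoreCase) Then
                Return True
            End If
        Next
        Return False
    End Function

    ' Converts "xyz.abc.com" into "DC=xyz,DC=abc,DC=com".
    Public Shared Function DomainToDn(domain As String) As String
        Return "DC=" & domain.Replace(".", ",DC=")
    End Function

    ' Returns the domain part of a DN, i.e. everything from the first ",DC="
    ' onwards, so "CN=linda,OU=Staff,DC=xyz,DC=abc,DC=com" gives
    ' "DC=xyz,DC=abc,DC=com". Nothing is returned if there is no DC component.
    Public Shared Function DomainDnOf(distinguishedName As String) As String
        Dim idx As Integer = distinguishedName.IndexOf(",DC=", StringComparison.OrdinalIgnoreCase)
        If idx < 0 Then Return Nothing
        Return distinguishedName.Substring(idx + 1)
    End Function

    Public Function Validate(userPrincipalName As String, password As String) As Boolean
        Dim parts = userPrincipalName.Split("@"c)
        If parts.Length <> 2 OrElse parts(0).Length = 0 OrElse parts(1).Length = 0 Then Return False

        Dim sam As String = parts(0)
        Dim domain As String = parts(1).ToLowerInvariant()
        If sam.Equals("administrator", StringComparison.OrdinalIgnoreCase) Then Return False
        If Not IsAllowedDomain(domain) Then Return False

        ' Bind to the named domain only. The DC locator chooses a live DC of
        ' that domain, so no DC host name is hard-coded, and the search is
        ' scoped to that domain's naming context rather than the GC.
        Using ctx As New PrincipalContext(ContextType.Domain, domain, DomainToDn(domain),
                                          ContextOptions.Negotiate Or ContextOptions.Sealing,
                                          _serviceUser, _servicePassword)
            ' Step 1: the account must exist in *this* domain. Searching for
            ' "linda" in abc.com returns Nothing even though linda@xyz.abc.com exists.
            Dim user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam)
            If user Is Nothing Then Return False

            ' Step 2: defence in depth. The object found must live exactly in the
            ' expected domain, not in a child domain reached through a referral.
            If Not String.Equals(DomainDnOf(user.DistinguishedName), DomainToDn(domain),
                                 StringComparison.OrdinalIgnoreCase) Then
                Return False
            End If

            ' Step 3: authenticate the exact object found, by its UPN, so the DC
            ' cannot resolve a bare name to a same-named account elsewhere in the
            ' forest or across a trust. Accounts without a UPN are rejected here.
            If String.IsNullOrEmpty(user.UserPrincipalName) Then Return False
            Return ctx.ValidateCredentials(user.UserPrincipalName, password, ContextOptions.Negotiate)
        End Using
    End Function
End Class
```

Against the cases in the question this gives: case 6 (linda@abc.com) fails at step 1 because no linda exists in abc.com, case 7 (mark@xyz.abc.com) fails the same way, and case 2 (john@abc.com with the xyz.abc.com password) fails at step 3 because the credential is checked against john@abc.com's UPN only. The reason the original ValidateCredentials call accepts cases 6 and 7 is that a bare sAMAccountName leaves the DC free to resolve the name through the rest of the forest or its trusts; anchoring the bind on the UPN of the object looked up in the target domain removes that freedom.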
7 Comments
 
Author Comment

by:khairil
ID: 36540312

My mistake, the run also failed when set to DC :((, any ideas?
 
Expert Comment

by:The_Kirschi
ID: 36541162
Actually, I am pretty sure that something must be wrong with your program. If a user account does not exist in a domain, it can definitely not be validated with the message "OK". So something in the logic of your code does not fit. Sure, this is not much help, but maybe a little hint.
 
Author Comment

by:khairil
ID: 36541357
Yup,

I think the logic is there already; just in this case, if no user exists in one domain, the code tries to use the GC to find any other user with the same sAMAccountName in another domain and match the password. So what I am looking for right now is how to force the code to find the user in the dedicated domain only, without traversing to other domains.

The program works fine if there is only one domain, but fails if there are more domains and a user exists in another domain with the same password, even though I supply the domain name when creating the PrincipalContext object.

I'm looking to do validation on the principal name, such as "john@abc.com", instead of just "john" in this case. However, using the full principal name like "john@abc.com" or "ABC/john" failed during authentication.
Expert Comment

by:The_Kirschi
ID: 36543567
Well, I actually can't help you myself, but I found an article with a code snippet for authentication that could help you (you need to scroll down a little for the relevant code):

http://www.dotnetspider.com/resources/2137-Active-Directory-Au-entication-wi-Form-Based-Au.aspx
Author Comment

by:khairil
ID: 36546746
Thanks Kirschi,

But the site is using DirectoryEntry, which is now obsolete, whereas I am using DirectoryServices in .NET Framework 4.0.
Accepted Solution

by:
khairil earned 0 total points
ID: 36899031
I have submitted the same question to Microsoft engineer. So I am going to close this question, thanks to all expert for your valuable time and information.
Author Closing Comment

by:khairil
ID: 36929304
Closing by getting expert's advice from Microsoft.