Solved

How to validate a student against a specific domain only

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

I need some help here. I have a forest with multiple subdomains:

1. abc.com - forest root and also the top-level domain, with two DCs (ad0.abc.com and ad1.abc.com (replicated))

2. xyz.abc.com - subdomain of abc.com, with two DCs (adxyz0.xyz.abc.com and adxyz1.xyz.abc.com (replicated))

3. pqr.net - another company's forest, with a trust relationship

All DCs in forest abc.com are GCs.

There will be users with the same "sAMAccountName" in DIFFERENT domains representing DIFFERENT people.

Let me put some dummy accounts here:

1. john@abc.com - password j123
2. mark@abc.com - password m123
3. john@xyz.abc.com - password jx456
4. linda@xyz.abc.com - password l789

Here is my code:

Imports System.DirectoryServices.AccountManagement

Public Class AccountManagement
  Private m_sDefaultDomain As String
  Private m_sDefaultOU As String
  ' Service account used to bind to the directory (placeholder values).
  Private m_sServiceAccount As String = "serviceuser"
  Private m_sServicePassword As String = "servicepassword"

  ' Validates the bare sAMAccountName against the context set up by IsValidAccount.
  ' IsValidAccount must have been called first, otherwise m_sDefaultDomain is Nothing.
  Public Function ValidateCredential(sUserAccount As String, sUserPassword As String) As Boolean
    Using oPrincipalContext As PrincipalContext = GetPrincipalContext()
      Return oPrincipalContext.ValidateCredentials(sUserAccount, sUserPassword)
    End Using
  End Function

  ' Returns the part before "@" (the sAMAccountName), or the whole string if there is no "@".
  Public Function ReturnUserID(sUserAccount As String) As String
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)
    Return asUserAccount(0)
  End Function

  ' Accepts user@domain where domain is abc.com, a subdomain of abc.com, or pqr.net,
  ' and records that domain for GetPrincipalContext.
  Public Function IsValidAccount(sUserAccount As String) As Boolean
    If String.IsNullOrEmpty(sUserAccount) Then Return False
    Dim asUserAccount() As String = sUserAccount.ToLower().Split("@"c)
    ' Without exactly one "@" there is no domain part to check (the original indexed
    ' asUserAccount(1) unconditionally and threw on input such as "john").
    If asUserAccount.Length <> 2 Then Return False

    If asUserAccount(0) = "administrator" Then Return False

    Dim sDomain As String = asUserAccount(1)
    ' Exact match or dotted suffix; a bare EndsWith("abc.com") would also accept "evilabc.com".
    If sDomain = "abc.com" OrElse sDomain.EndsWith(".abc.com") OrElse sDomain = "pqr.net" Then
      m_sDefaultDomain = sDomain
      m_sDefaultOU = "DC=" & sDomain.Replace(".", ",DC=")
      Return True
    End If
    Return False
  End Function

  Private Function GetPrincipalContext() As PrincipalContext
    ' A domain name (not a DC host name) lets the DC locator pick an available DC.
    Return New PrincipalContext(ContextType.Domain, m_sDefaultDomain, m_sDefaultOU, ContextOptions.SimpleBind, m_sServiceAccount, m_sServicePassword)
  End Function
End Class


This class is initiated and called by another application like this:

Imports System
Imports System.Windows.Forms

' btnTestLogin, txtUserID and txtUserPassword are defined in the designer file.
Partial Public Class frmTest

  Private Sub btnTestLogin_Click(sender As System.Object, e As System.EventArgs) Handles btnTestLogin.Click
    Dim oIC As New AccountManagement

    ' Domain check first, then only the bare user ID is validated against that domain.
    If oIC.IsValidAccount(txtUserID.Text) Then
      If oIC.ValidateCredential(oIC.ReturnUserID(txtUserID.Text), txtUserPassword.Text) Then
        MessageBox.Show("OK")
      Else
        MessageBox.Show("Not OK")
      End If
    End If
  End Sub
End Class


I have a problem with my code when authenticating users in different domains.

When:
1.
txtUserID.text = john@abc.com
txtUserPassword.text = j123
Messagebox = OK
-This is good

2.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

3.
txtUserID.text = john@xyz.abc.com
txtUserPassword.text = jx456
Messagebox = OK
-This is good

4.
txtUserID.text = john@abc.com
txtUserPassword.text = jx456
Messagebox = Not OK
-This is good

5.
txtUserID.text = linda@xyz.abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is good

6.
txtUserID.text = linda@abc.com
txtUserPassword.text = l789
Messagebox = OK
-This is NOT GOOD because linda does not exist in domain abc.com

7.
txtUserID.text = mark@xyz.abc.com
txtUserPassword.text = m123
Messagebox = OK
-This is NOT GOOD because mark does not exist in domain xyz.abc.com

I can overcome the problems in numbers 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

Likewise, I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

So, my question: is there any way I can make sure cases 6 and 7 are solved without having to use a DC name, using the domain name instead?

Question by:khairil
7 Comments
 
LVL 13

Author Comment

by:khairil
ID: 36540312

I can overcome the problems in numbers 6 & 7 with the steps below.

I am able to make case 6 produce the right result if I set the m_sDefaultDomain value to the DC server, ad0.abc.com OR ad1.abc.com, NOT just the domain abc.com.

Likewise, I am able to make case 7 produce the right result if I set the m_sDefaultDomain value to the DC server, adxyz0.xyz.abc.com OR adxyz1.xyz.abc.com, NOT just the domain xyz.abc.com.

However, having the DC name is not my favourite, as sometimes the DC servers will be down for patching and maintenance.

My mistake, the run also failed when set to the DC :(( Any ideas?
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36541162
Actually, I am pretty sure that something must be wrong with your program. If a user account does not exist in a domain it can definitely not be validated with the message "OK". So something in the logic of your code does not fit. Sure, this is not much help, but maybe a little hint.
 
LVL 13

Author Comment

by:khairil
ID: 36541357
Yup,

I think the logic is there already; just in this case, if no user exists in one domain, the code tries to use the GC to find any other user with the same SAMAccount in another domain and match the password. So what I am looking for right now is how to force the code to find the user in the dedicated domain only, without traversing to other domains.

The program works fine if there is only one domain, but fails if there are more domains and a user exists in another domain with the same password, even though the domain name was supplied when creating the PrincipalContext object.

I'm looking to do validation on the principal name, such as "john@abc.com" instead of just "john", in this case. However, using the full principal name like "john@abc.com" or "ABC/john" failed during authentication.
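The scoping the asker describes here, and in cases 6 and 7 of the original question, can be enforced without naming a DC. The following is an added example, not the asker's code or anything posted in this thread: it parses the UPN, matches the domain against an exact allow-list, confirms with UserPrincipal.FindByIdentity that the sAMAccountName exists in that one domain before any bind is attempted, and then validates the fully qualified UPN instead of the bare user ID, so the name cannot be re-resolved through the GC against another domain. It assumes the UPN suffix equals the DNS domain name, as in the question's accounts; the class name ScopedAccountValidator, the AllowedDomains list and the constructor's service-account parameters are placeholders.

```vbnet
' Added example (not the asker's code): validate a user strictly inside the
' domain named in the UPN, so linda@abc.com and mark@xyz.abc.com are rejected
' even though the same name/password pair exists elsewhere in the forest.
' Assumes UPN suffix = DNS domain name; AllowedDomains and the service-account
' parameters are hypothetical placeholders.
Imports System
Imports System.DirectoryServices.AccountManagement

Public Class ScopedAccountValidator
    ' Exact list of sign-in domains. Compared for equality (case-insensitive),
    ' never with EndsWith, so a suffix such as "evilabc.com" cannot pass.
    Private Shared ReadOnly AllowedDomains As String() =
        {"abc.com", "xyz.abc.com", "pqr.net"}

    Private ReadOnly m_sServiceAccount As String
    Private ReadOnly m_sServicePassword As String

    ' Service credentials are injected by the caller (e.g. from a protected
    ' store) instead of being hard-coded in the class.
    Public Sub New(serviceAccount As String, servicePassword As String)
        m_sServiceAccount = serviceAccount
        m_sServicePassword = servicePassword
    End Sub

    ' Splits "john@abc.com" into ("john", "abc.com"). Returns False for input
    ' without exactly one "@" or with a domain outside the allow-list.
    Public Shared Function TryParseUpn(upn As String, ByRef sam As String, ByRef domain As String) As Boolean
        sam = Nothing : domain = Nothing
        If String.IsNullOrWhiteSpace(upn) Then Return False
        Dim parts() As String = upn.Trim().ToLowerInvariant().Split("@"c)
        If parts.Length <> 2 OrElse parts(0).Length = 0 OrElse parts(1).Length = 0 Then Return False
        If Array.IndexOf(AllowedDomains, parts(1)) < 0 Then Return False
        sam = parts(0) : domain = parts(1)
        Return True
    End Function

    Public Function ValidateCredential(upn As String, password As String) As Boolean
        Dim sam As String = Nothing, domain As String = Nothing
        If Not TryParseUpn(upn, sam, domain) Then Return False
        Dim cleanUpn As String = upn.Trim()

        ' ContextType.Domain with a DNS domain name uses the DC locator, so no
        ' DC host name is hard-coded and fail-over between DCs is automatic.
        ' The context is bound to this one domain's naming context (not the GC),
        ' so the search below cannot see objects of other domains.
        Using ctx As New PrincipalContext(ContextType.Domain, domain, Nothing,
                                          ContextOptions.Negotiate Or ContextOptions.Sealing,
                                          m_sServiceAccount, m_sServicePassword)
            ' Step 1: the account must exist in *this* domain. For linda@abc.com
            ' this returns Nothing, so we never reach the bind that would
            ' otherwise be resolved against xyz.abc.com.
            Using user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam)
                If user Is Nothing Then Return False

                ' Step 2: refuse the built-in Administrator by its well-known
                ' RID 500, which survives a rename; a name check does not.
                If user.Sid IsNot Nothing AndAlso user.Sid.Value.EndsWith("-500") Then Return False

                ' Step 3: the directory's UPN for the object must be the one the
                ' user typed (a Nothing UPN also fails this comparison).
                If Not String.Equals(user.UserPrincipalName, cleanUpn, StringComparison.OrdinalIgnoreCase) Then Return False
            End Using

            ' Step 4: authenticate with the fully qualified UPN, not the bare
            ' sAMAccountName, so the name cannot be re-resolved in another domain.
            Return ctx.ValidateCredentials(cleanUpn, password, ContextOptions.Negotiate Or ContextOptions.Sealing)
        End Using
    End Function
End Class
```

Called from btnTestLogin_Click as `New ScopedAccountValidator(svcUser, svcPwd).ValidateCredential(txtUserID.Text, txtUserPassword.Text)` in place of the IsValidAccount/ValidateCredential pair, the linda@abc.com and mark@xyz.abc.com cases fail at the FindByIdentity step, while john@abc.com with j123 and john@xyz.abc.com with jx456 still pass. Two caveats: Negotiate (Kerberos/NTLM) is used rather than SimpleBind, so the password is not sent in clear over LDAP; and an account whose directory UPN carries an alternate suffix is rejected at step 3, which is deliberate here but would need relaxing in a forest that uses alternate UPN suffixes.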
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 36543567
Well, I actually cannot help you myself, but I found an article with a code snippet for authentication that could help you (you need to scroll down a little for the relevant code):

http://www.dotnetspider.com/resources/2137-Active-Directory-Au-entication-wi-Form-Based-Au.aspx
 
LVL 13

Author Comment

by:khairil
ID: 36546746
Thanks Kirschi,

But that site is using DirectoryEntry, which is now obsolete, whereas I am using DirectoryServices in .NET Framework 4.0.
 
LVL 13

Accepted Solution

by: khairil earned 0 total points
ID: 36899031
I have submitted the same question to a Microsoft engineer, so I am going to close this question. Thanks to all the experts for your valuable time and information.
 
LVL 13

Author Closing Comment

by:khairil
ID: 36929304
Closing after getting an expert's advice from Microsoft.
