Overview
Applies To
- Microsoft® ASP.NET 1.x
- Microsoft® Visual Studio® .NET 2003
- Microsoft® Active Directory® Services
Summary
If you are developing web applications utilizing Microsoft® ASP.NET and have the need to secure your site from unauthorized access, you have surely investigated the various authentication and authorization techniques that ASP.NET 1.x enables. This article discusses how to use Microsoft Active Directory Services by using the developed wrapper API.
Contents
Active Directory provides the ability to authenticate and authorize users from a centralized location, so users don't need to remember the password for every application, if they use Active Directory for authentication. Microsoft uses Active Directory in almost all of their application servers like Microsoft Content Management Server, Microsoft Share Point Portal Server, Microsoft CRM, and Microsoft Exchange Server etc., for centralized authentication and authorization purposes. As Active Directory is integrated with the Windows Operating System, very intrinsic support is available at a very low level.
The Active Directory Services Interface (ADSI) has always been a very effective way of dealing with users in a Windows network. The System.DirectoryServices namespace gives users access to some rudimentary user administration via ASP.NET. ADSI classes in the DirectoryServices namespace enables programmers to access ADSI objects using the System.DirectoryServices namespace.
Active Directory is simply a hierarchical, object-oriented database that represents all of your network resources. At the top, there's typically the Organization (O), beneath that Organizational Units (OU) as containers, and finally, objects that consist of your actual resources. This hierarchical format creates a very familiar and easy-to-administer tree for systems administrators. For example, if you assign an OU access to a given resource, that access will also be persisted to the objects that are contained within it.
Active Directory Services is a bit complex, so to make it more user friendly, I created a wrapper API in VB.NET and C# .NET, which performs all the operations a developer needs in order to navigate the Active Directory.
By using the wrapper API, the developer can do the following operations:
- Add User to Group
- Create Active Directory Group
- Create Active Directory User
- Delete Active Directory Group Account
- Delete Active Directory User Account
- Enable Active Directory User Account
- Does Group Exist
- Is User Valid
- Load All Users
- Load All Groups
- Load Group
- Load User
- Login
- Remove User From Group
- Does User Exist
- Set Password
- Update User
- Update Group
As shown in the Figure 1, the wrapper API consists of the following classes:
ADManager class
ADManager is a singleton class responsible for managing the users and groups in the Active Directory.
How to use
To add a user to a particular Active Directory group, the following code will be used:
Dim _ADUser As ADUser
_ADUser = ADManager.Instance.LoadUser("adnan")
Dim _ADGroup As ADGroup
_ADGroup = ADManager.Instance.LoadGroup("DeveloperGroup")
ADManager.Instance.AddUserToGroup(_ADUser.DistinguishedName,
_ADGroup.DistinguishedName)
To check whether a user exists in Active Directory, the following simple code will be used:
If ADManager.Instance.UserExists("adnan") Then
MsgBox("User Exist in the Active Directory")
End If
ADGroup class
The ADGroup class consists of properties and methods responsible for dealing with Active Directory groups.
I map the following properties with an Active Directory Group in order to make the properties simple.
- "
Name" mapped with "cn"
- "
DisplayName" mapped with "DisplayName"
- "
DistinguishedName" mapped with "DistinguishedName"
- "
Description" mapped with "Description"
How to use
The ADGroup class is used to create/update groups in the Active Directory. Shown below is a code snippet for creating a group in Active Directory:
Dim _AdGroup As New ADGroup
_AdGroup.Name = "DeveloperGroup"
_AdGroup.Description ="All developers in the company"
_AdGroup = ADManager.Instance.CreateADGroup(_AdGroup)
ADUser class
The ADUser class consists of properties and methods responsible for dealing with Active Directory users. The ADUser properties and the corresponding property in the Active Directory are given below:
- "
FirstName" mapped with "givenName"
- "
MiddleInitial" mapped with "initials"
- "
LastName" mapped with "sn"
- "
UserPrincipalName" mapped with "UserPrincipalName"
- "
PostalAddress" mapped with "PostalAddress"
- "
MailingAddress" mapped with "MailingAddress"
- "
ResidentialAddress" mapped with "HomePostalAddress"
- "
Title" mapped with "Title"
- "
HomePhone" mapped with "HomePhone"
- "
OfficePhone" mapped with "TelephoneNumber"
- "
Mobile" mapped with "Mobile"
- "
HomePhone" mapped with "HomePhone"
- "
Fax" mapped with "FacsimileTelephoneNumber"
- "
Email" mapped with "Email"
- "
Url" mapped with "Url"
- "
UserName" mapped with "sAMAccountName"
- "
DistinguishedName" mapped with "DistinguishedName"
- "
IsAccountActive" to check the user status in the Active Directory
How to use
- The
ADUser class is used to create a user. The code snippet to create the user is given below:
Dim _AdUser As New ActiveDirectory.ADUser
_AdUser.FirstName = "Syed"
_AdUser.MiddleInitial = "Adnan"
_AdUser.LastName = "Ahmed" _AdUser.Email = "adnanahmed235@yahoo.com"
_AdUser.UserName = "adnan"
_AdUser.Password = "123456"
_AdUser.IsAccountActive = True
_AdUser.MailingAddress = "Riyadh, Saudi Arabia"
_AdUser.Title = "Software Engineer"
_AdUser = ADManager.Instance.CreateADUser(_AdUser)
- If you want to update the user in the Active Directory, use the following code snippet:
Dim _AdUser As ADUser
_AdUser = ADManager.Instance.LoadUser("adnan")
_AdUser.MailingAddress = "Jeddah, Saudi Arabia"
_AdUser.Title = "Senior Software Engineer"
_AdUser.Update()
- You can use the
ADUser class to reset the user password.
Dim _AdUser As ADUser
_AdUser = ADManager.Instance.LoadUser("adnan")
_AdUser.SetPassword("654321")
Utility class
The Utility class is responsible for the general options.
Before using the wrapper API, you have to follow the instructions below for Windows and web based applications.
Web based applications
Add the following line inside the <system.web> tag in the web.config file:
<identity impersonate="true" />
Add the following lines inside the <appSettings> tags:
<add key="Domain" value="MyDomain.com" />
<add key="ADPAth" value="LDAP://MyDomain " />
<add key="ADUser" value="administrator" />
<add key="ADPassword" value="123" />
<add key="ADUsersPath" value="OU=DeveloperDepartment," />
Note: Here in the 'ADUsersPath' key, the value ("OU=DeveloperDepartment,") shows the OU= Organizational Unit in the Active Directory as an example. You can write any of your organizational units or create a new one for testing.
Go to IIS, select the website, in the Properties window, select the Directory Service tab, in Authentication and Access Control Options, click the Edit button. It will open the Authentication Methods window, select Anonymous Access and enter the Domain Administrator Account user name and password, and select Integrated Windows Authentication, as shown in the following figures:
Figure #2
Figure #3
Windows based applications
Add the following lines inside the <configuration> tags:
<appSettings>
<add key="Domain" value="MyDomain.com" />
<add key="ADPAth" value="LDAP://MyDomain " />
<add key="ADUser" value="administrator" />
<add key="ADPassword" value="123" />
<add key="ADUsersPath" value="OU=DeveloperDepartment," />
</appSettings>
Note: A sample App.config file is included in the download file.
I have tested the project on the following platforms:
- Windows Server 2003
- Windows XP SP1 or SP2
I have demonstrated how easy it is to navigate Active Directory objects by using the wrapper API which uses System.DirectoryServices. In the next release of my wrapper API, I will demonstrate how to manage Active Directory Roles and Permissions by using the wrapper API. I have given the API in both VB.NET and C#.NET, and you can use it in both Windows and web based applications.
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Rant 
Admin