Hi,

I have a problem with LDAP authentication in my ASP.NET application. Since it is an intranet application, my job is to get users authenticated using Active Directory (LDAP). For this I've been using the class below.

VB
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Permissions
Imports System.Security.Principal

Public Class LDAP
    ' SECURITY_IMPERSONATION_LEVEL values for DuplicateToken
    Public Const SECURITY_IMPERSONATION_LEVEL_SecurityAnonymous As Integer = 0
    Public Const SECURITY_IMPERSONATION_LEVEL_SecurityIdentification As Integer = 1
    Public Const SECURITY_IMPERSONATION_LEVEL_SecurityImpersonation As Integer = 2
    Public Const SECURITY_IMPERSONATION_LEVEL_SecurityDelegation As Integer = 3

    ' Logon providers for LogonUser
    Public Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Public Const LOGON32_PROVIDER_WINNT35 As Integer = 1
    Public Const LOGON32_PROVIDER_WINNT40 As Integer = 2
    Public Const LOGON32_PROVIDER_WINNT50 As Integer = 3

    ' Logon types for LogonUser
    Public Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Public Const LOGON32_LOGON_NETWORK As Integer = 3
    Public Const LOGON32_LOGON_BATCH As Integer = 4
    Public Const LOGON32_LOGON_SERVICE As Integer = 5
    Public Const LOGON32_LOGON_UNLOCK As Integer = 7
    Public Const LOGON32_LOGON_NETWORK_CLEARTEXT As Integer = 8
    Public Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9

    ' Win32 error returned by GetLastError when the credentials are rejected
    Public Const ERROR_LOGON_FAILURE As Integer = 1326

    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function RevertToSelf() As Boolean
    End Function

    <DllImport("kernel32.dll", CharSet:=CharSet.Auto)> _
    Public Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function DuplicateToken(ByVal hToken As IntPtr, ByVal impersonationLevel As Integer, ByRef hNewToken As IntPtr) As Integer
    End Function

    ' Returns True when LogonUser accepts the credentials. The token is only
    ' used for the check and is closed before returning.
    Public Shared Function Login(ByVal Username As String, ByVal Password As String) As Boolean
        Dim secPerm As New SecurityPermission(SecurityPermissionFlag.UnmanagedCode)
        secPerm.Assert()

        Dim user As WindowsIdentity = Nothing

        Dim refToken As IntPtr = IntPtr.Zero
        Dim loggedIn As Boolean

        ' lpszDomain expects a domain name (NetBIOS or DNS); the string below is
        ' the poster's placeholder.
        loggedIn = LDAP.LogonUser(Username, "LDAP://LDAP connection string", Password, LDAP.LOGON32_LOGON_NETWORK_CLEARTEXT, LDAP.LOGON32_PROVIDER_DEFAULT, refToken)

        'If loggedIn = True Then
        '    user = New WindowsIdentity(refToken, "NTLM", WindowsAccountType.Normal, True)
        'End If
        'CodeAccessPermission.RevertAssert()

        'Return user

        ' Release the logon token so the handle does not leak per request.
        If refToken <> IntPtr.Zero Then
            LDAP.CloseHandle(refToken)
        End If

        Return loggedIn
    End Function
End Class


It works well if I run this locally, but it doesn't connect when hosted in IIS 7.5. I've searched Google as best I can, but the alternatives given there did not work for me. Kindly take a look at this and send me your suggestions.

My Ref: http://msdn.microsoft.com/en-us/library/gg703322(v=vs.98).aspx

http://stackoverflow.com/questions/4505231/impersonate-user-in-codebehind

Thanks & Regards,
BlueSathish
Comments
Zoltán Zörgő 31-Dec-13 14:57pm    
Do you want to authenticate against a legacy LDAP server or against Active Directory?
bluesathish 1-Jan-14 5:20am    
The LDAP server is located in one location; we have the connection to it for authenticating users with their domain accounts.
Zoltán Zörgő 1-Jan-14 5:42am    
As I see it, you work outside the target environment. That makes it more complicated. You need to get to know that infrastructure. You sound a little bit confused about these terms: Active Directory is an LDAP implementation, but not all LDAP servers are Active Directory domain controllers. You can't use these Microsoft tools to authenticate against any LDAP server, just against AD or the local SAM. Even more, not all LDAP servers can be used for authentication.
And again: making an ASP.NET application work properly integrated with a domain environment is not simply a matter of creating a login method. And there is another topic you have to address: the logon method. Do they need form-based logon, or NTLM/Kerberos? You should check ActiveDirectoryMembershipProvider instead of making it from scratch. But this might also be interesting: http://www.codeproject.com/Articles/265870/Bypass-Forms-Authentication-to-Use-Active-Director

1 solution

Don't use DllImports. .Net has built-in methods for doing this.

See http://msdn.microsoft.com/en-us/library/system.directoryservices(v=vs.110).aspx

Also, for an example see http://www.dotnetgallery.com/kb/resource6-Login-authentication-using-LDAP-Active-Directory-for-ASPNET-applications.aspx

If you don't need to do any logic, or if the logic for authenticating the users is simple, you could just use built-in Forms Authentication and not have to write any code. For a sample see http://msdn.microsoft.com/en-us/library/ff650308.aspx
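The managed route the answer points at, as an added example that is not part of the original answer or the poster's project: it validates domain credentials through System.DirectoryServices.AccountManagement instead of P/Invoking LogonUser, so no unmanaged-code permission assert and no raw token handle are involved. The domain name, container DN and class name are assumptions for illustration.

```vb
Imports System
Imports System.DirectoryServices.AccountManagement

' Added example (not from the original post): validate a domain account with
' PrincipalContext.ValidateCredentials. Domain and container are assumptions.
Public Class AdAuthenticator
    Private ReadOnly _domain As String
    Private ReadOnly _container As String

    ' Negotiate (Kerberos, falling back to NTLM) with signing and sealing, so
    ' the password never crosses the wire as a clear-text simple bind.
    Private Const BindOptions As ContextOptions = ContextOptions.Negotiate Or ContextOptions.Signing Or ContextOptions.Sealing

    ' domain: DNS name such as "corp.example.com" (assumed).
    ' container: optional DN such as "DC=corp,DC=example,DC=com" to scope the context.
    Public Sub New(ByVal domain As String, Optional ByVal container As String = Nothing)
        _domain = domain
        _container = container
    End Sub

    ' Returns True only when the domain controller accepts the credentials.
    Public Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
        ' Fail closed on empty input: an LDAP bind with an empty password is an
        ' unauthenticated (anonymous) bind on many servers and must never be
        ' treated as a successful login.
        If String.IsNullOrWhiteSpace(username) OrElse String.IsNullOrEmpty(password) Then
            Return False
        End If

        Try
            ' The context is opened under the application pool identity; the
            ' user's credentials are used only for the validation bind itself.
            Using ctx As New PrincipalContext(ContextType.Domain, _domain, _container, BindOptions)
                Return ctx.ValidateCredentials(username, password, BindOptions)
            End Using
        Catch ex As PrincipalServerDownException
            ' No domain controller reachable: deny and let the caller log the outage.
            Return False
        End Try
    End Function
End Class
```

Usage from a login page is a single call, for example `New AdAuthenticator("corp.example.com").ValidateUser(txtUser.Text, txtPassword.Text)` (names assumed). Because the bind is performed with the submitted credentials rather than the worker process identity, the IIS application pool does not need domain privileges of its own for this check to run; it only needs network reachability to a domain controller. Failed validations are worth logging with the username, never the password, so lockout and brute-force attempts show up in your own logs as well as the domain controller's.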
Comments
Zoltán Zörgő 31-Dec-13 15:03pm    
OP does not need even these since there is an Active Directory Membership provider to use - if AD is the case.
ZurdoDev 31-Dec-13 15:15pm    
That is another option. I personally don't care for it but yes, you could use it.
bluesathish 1-Jan-14 5:30am    
Thanks for your suggestion, I'll check it out and get back to you.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
