stackoom
  简体   繁体   中英

Connect to Active Directory for Login (in my product) using Service Account and User Account Credentials of AD

 原文  2019-03-18 18:54:32       c#/ .net/ active-directory/ ldap

Question

I am currently using Directory Searcher for Authenticating user against AD. 

  DirectoryEntry adsEntry = new DirectoryEntry(ConfigurationManager.AppSettings["ADConnectionString"], username, password, System.DirectoryServices.AuthenticationTypes.Secure);
  DirectorySearcher adsSearcher = new DirectorySearcher(adsEntry);

  adsSearcher.Filter = "(sAMAccountName=" + _userName + ")";

  SetPropertiesToLoad(ref adsSearcher);


  SearchResult adsSearchResult = adsSearcher.FindOne();
  Logger.Debug("After adsSearcher.FindOne() success");

  if (!ExtractPropertiesReceivedFromAD(adsSearchResult, ref emailAddress, ref _name, username, ref errorMessage))
                return false;

This is working fine for many of the AD setups, but recently i encountered that 1 of the AD doesnt allow connection to it.

My client says they have LDAP Authentication in place, so i can't directly query to AD without supplying Service Account credentials.

So in this case to connect with AD using LDAP i need 1 credentials, and post that to validate user identity i need his own username/password.

Now how can i accommodate such situation in DirectorySearcher?

1 answers

solution1
 0  2019-03-20 01:33:31

This is the function I use to bind to an LDAP directory using a system credential, search for a supplied user ID, and then validate the supplied user credential. To used the function with Active Directory, 'strUIDAttr' is sAMAccountName. 

protected string ldapAuthTest(string strLDAPServer, string strSuppliedUser, string strSuppliedPwd, string strSystemUID, string strSystemPwd, string strLDAPUserBase, string strUIDAttr)
{
    strSuppliedUser = strSuppliedUser.Trim();
    string strResults = "";
    string strLDAPUserHost = strLDAPServer + strLDAPUserBase;

    // Establish LDAP connection and bind with system ID
    System.DirectoryServices.DirectoryEntry dirEntry = new System.DirectoryServices.DirectoryEntry();
    dirEntry.Path = strLDAPUserHost;
    dirEntry.Username = strSystemUID;
    dirEntry.Password = strSystemPwd;

    //dirEntry.AuthenticationType = System.DirectoryServices.AuthenticationTypes.None;
    dirEntry.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
    try
    {
        dirEntry.RefreshCache();

        // Search directory for the user logging on
        string strLDAPFilter = "(&(" + strUIDAttr + "=" + strSuppliedUser + "))";
        System.DirectoryServices.DirectorySearcher ldapSearch = new System.DirectoryServices.DirectorySearcher(dirEntry);
        ldapSearch.ServerTimeLimit = new TimeSpan(0, 0, 30);


        ldapSearch.Filter = strLDAPFilter;
        ldapSearch.SearchScope = System.DirectoryServices.SearchScope.Subtree;

        System.DirectoryServices.SearchResultCollection searchResults = ldapSearch.FindAll();


        if (searchResults.Count == 1)
        {
        string strLogonUserBase = searchResults[0].GetDirectoryEntry().Path;
        // get rid of strLDAPServer from directory entry path
        string strLogonUserFQDN = strLogonUserBase.Replace(strLDAPServer, "");
        dirEntry.Close();

        // Attempt to bind as the user
        System.DirectoryServices.DirectoryEntry userAuthAttempt = new System.DirectoryServices.DirectoryEntry();
        userAuthAttempt.Path = strLDAPUserHost;
        userAuthAttempt.Username = strLogonUserFQDN;
        userAuthAttempt.Password = strSuppliedPwd;
        //userAuthAttempt.AuthenticationType = System.DirectoryServices.AuthenticationTypes.None;
        userAuthAttempt.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
        try
        {
            userAuthAttempt.RefreshCache();
            userAuthAttempt.Close();
            strResults = "<td><font color='green'>User " + UserName.Value + " has authenticated successfully.</font></td>";
        }
        catch (Exception e)
        {
            string strAuthError = e.Message;
            string strLockedOut = "A constraint violation occurred.\r\n";
            string strBadPwd = "Logon failure: unknown user name or bad password.\r\n";
            string strNSAccountLock = "The server is unwilling to process the request.\r\n";
            if (String.Compare(strAuthError, strBadPwd) == 0)
                strResults = "<td><font color='red'>Logon failure for user " + UserName.Value + " - password is invalid.</font></td></tr>"; ;
            }
            else if (String.Compare(strAuthError, strLockedOut) == 0)
            {
            strResults = "<td><font color='red'>Logon failure for user " + UserName.Value + " - account is locked out.</font></td>"; ;
            }
            else if (String.Compare(strAuthError, strNSAccountLock) == 0)
            {
            strResults = "<td><font color='red'>Logon failure for user " + UserName.Value + " - password has expired.</font></td>"; ;
            }
            else
            {
            strResults = "<td><font color='red'>Logon failure for user " + UserName.Value + " (" + strLogonUserFQDN + ") :" + strAuthError + "</font></td>"; ;
            }
        }
        }
        else if (searchResults.Count > 1)
        {
        strResults = "<td><font color='red'>Account " + UserName.Value + " was found in the directory " + searchResults.Count + " times. Please contact the Help Desk to have this issue corrected.</font></td>"; ;
        }
        else
        {
        strResults = "<td><font color='red'>Account " + UserName.Value + " was not found in the directory.</font></td>"; ;
        }
        return strResults;
    }
    catch(Exception e)
    {
        string strAuthError = e.Message;
        string strConnectFail = "The server is not operational.\r\n";
        if (String.Compare(strAuthError, strConnectFail) == 0)
        {
        strResults = "<td><font color='red'>Transient connection failure, please try again.</font></td>"; ;
        }
        else
        {
        strResults = "<td><font color='red'>Transient failure (" + strAuthError + "), please try again.</font></td>";
        }
        return strResults;
    }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Check if AD account has “Logon on as a service” right in Active Directory C# Connect to MS SQL Server using Active Directory Service Account Using login/pass to connect to Active Directory User Windows service with User account Login Connecting to SQL Server from .NET using an Active Directory Service Account C# Active Directory App - How do I store service account credentials? Disable User Account in Active Directory using C# Code Unable to get some user account information in UWP app - In-premise active directory (Not Azure AD) Setting Active Directory user account for first time Active Directory LDAP - Lock User Account
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM