Friday, June 29, 2007

Active Directory ASP.Net

So over the last week I have been working with Active Directory (AD) and ASP.Net. Before this week my only experience with AD had been with Windows Forms applications.

I found using AD with either technology to be about the same, although with ASP.Net there were some additional steps needed to make it all work. The problem is that these additional steps are not really obvious and took some trial and error on my part. I am now going to discuss what these additional steps are and why I had to take them.

First I am going to talk about the code itself. For both cases I used the DirectoryEntry object. The difference is that, since our IIS server is sitting in the DMZ, I actually had to define the path to the AD server, something like 'LDAP://ServerName/DC=corp,DC=DomainName,DC=com', and I also had to pass the proper credentials to the AD server. So the whole thing looked like this...

using System.DirectoryServices;

// Explicit server path plus credentials; ServerName, DomainName, UserName and password stand for the real values.
DirectoryEntry entry = new DirectoryEntry("LDAP://ServerName/DC=corp,DC=DomainName,DC=com", @"DomainName\UserName", "password");

If this were a Windows Forms application, you really wouldn't need to pass the credentials or even a path, since it would use the defaults of the user's machine. The funny thing is that if this web application were hosted on a server that is not in the DMZ you wouldn't need this extra information either. I know this because in our Development environment the AD calls worked just fine, but once the application was moved to the QC region, which happens to be in the DMZ, it failed with the following cryptic error...

System.Runtime.InteropServices.COMException

Luckily there were some posts on the web about this error with AD.

Next, in the web.config I had to make the normal changes shown below...

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>
<identity impersonate="true"/>


The final changes I had to make were in IIS. On the Directory Security tab of the IIS properties form, click the Edit button for Authentication and access control. Then un-check the Anonymous access check box and check Integrated Windows Authentication. The cool thing here is that if the user is using IE, the web application will automatically detect the user, and no login will be needed. This is not the safest way to protect an application, however for my application it is all that is needed.

So those are the steps I had to take to AD-enable a web application. Hope this helps.
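Putting the three steps together, here is an added example (my code, not the post's) of how the explicit-path bind looks in a page once Windows authentication and impersonation are in place. It assumes the LDAP path and the service credentials live in appSettings under the hypothetical keys AdPath, AdUser and AdPassword rather than being hard-coded, and it turns the COMException from the post into a logged failure instead of an unhandled error.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the post's code. Keys AdPath, AdUser, AdPassword are
// hypothetical appSettings entries; the web.config from the post
// (Windows auth, deny users="?", impersonate="true") is assumed to be present.
public static class AdLookup
{
    // Bind to the DC named in AdPath with explicit credentials and return the
    // displayName of the currently authenticated (impersonated) browser user.
    public static string LookupCurrentUser()
    {
        string path = ConfigurationManager.AppSettings["AdPath"];     // e.g. LDAP://ServerName/DC=corp,DC=DomainName,DC=com
        string user = ConfigurationManager.AppSettings["AdUser"];     // e.g. DomainName\ServiceAccount
        string pass = ConfigurationManager.AppSettings["AdPassword"];

        // With Integrated Windows Authentication and impersonation this is the
        // DOMAIN\user that IE sent, not the worker-process identity.
        string logon = WindowsIdentity.GetCurrent().Name;
        string sam = logon.Substring(logon.IndexOf('\\') + 1);

        try
        {
            // Explicit server plus credentials: needed from the DMZ, where a
            // serverless bind under the default identity fails.
            using (DirectoryEntry root = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                // Escape the account name (RFC 4515) so it cannot alter the filter.
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(sam) + "))";
                searcher.PropertiesToLoad.Add("displayName");
                SearchResult result = searcher.FindOne();
                if (result == null) return null;
                return result.Properties["displayName"].Count > 0
                    ? (string)result.Properties["displayName"][0] : sam;
            }
        }
        catch (COMException ex)
        {
            // The "cryptic" error from the post; keep the HRESULT and message for the log.
            throw new InvalidOperationException("AD bind to " + path + " failed: " + ex.Message, ex);
        }
    }

    static string EscapeFilter(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```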

4 comments:

Anonymous said...

Quick question. You use "DirectoryEntry entry = new DirectoryEntry("LDAP://ServerName/DC=corp,DC=DomainName,DC=com", @"DomainName\UserName", "password");" Do you actually use the text "UserName" and "password" or are these just symbolic for the actual username and password?

thx.

Unknown said...

No, "UserName" and "password" are symbolic for the actual values, as is ServerName.

Sas the Code Guru said...

Did you add clients (application users) to any user group on the IIS server while configuring this?

Unknown said...

No, I did not add users.