Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

binding with just a user name(no domain name) in a multi-domain setup

Last post 07-27-2010, 3:45 PM by cosminonea. 3 replies.
  •  06-09-2010, 1:25 PM 8363

    binding with just a user name(no domain name) in a multi-domain setup

    Hi,

    I've got a web application that is using AD for authentication. Because of a security policy, some particular customer wants all the users to retype the password whenever they hit the application.
    Behind the login page I use DirectoryEntry to verify the credentials using NativeObject. The user name textbox on the login page is automatically filled in with the current windows user the client browser is running as, including the domain name: CORPORATE\johnm.

    At some point the customer merged with another company which has multiple domains across the world like:
    NORTHAMERICA\userx
    ASIAPACIFIC\usery
    EUROPE\userz

    Their IT merged the Active Directory of both the companies but I don't have details about how exactly.
    The new requirement is that "the login page should not ask for the domain name because it is confusing for the users". The login page should just ask for the user name (johnm, jackd, etc.) and the password.

    The current path I use looks like: LDAP://corpdc/DC=corporate, DC=com
    where corpdc is the domain controller for the CORPORATE domain. If I bind using the full SAM account name everything works for all domains; if I use just user names it works only for CORPORATE accounts. It is like the DC assumes CORPORATE as the default domain. (Again, I am missing some information here with regards to their setup.)

    How can I authenticate users against AD given just part of the SAM name (johnm) and the password?

    BTW, I am reading the book, I was hoping to find a multi domain example. I am still trying to get my head around AD .net programming.

    Cheers,
    Cosmin



  •  06-10-2010, 10:39 AM 8366 in reply to 8363

    Re: binding with just a user name(no domain name) in a multi-domain setup

    The bottom line is that AD needs a qualified user name for authentication. If you have multiple domains in a forest (or multiple forests), then you may not be able to assume that a plain username is unique as AD only attempts to ensure that sAMAccountName is unique domain wide, not forest wide. In your case, what if you had users in two different domains with username "johnm"?

    What you can do is look up the user in the global catalog by sAMAccountName (the plain name they enter) and if you only get one match, then get the userPrincipalName and use that in your bind.

    As per ch 12 of the book, we don't recommend using DirectoryEntry for authentication purposes because it does not scale effectively. If you wish to do that though, you can use rootDSE as your path instead of using a specific domain partition.

    There isn't much in the book that discusses multi-domain forests unfortunately but hopefully this fleshes out the details for you.

  •  06-10-2010, 11:42 AM 8370 in reply to 8366

    Re: binding with just a user name(no domain name) in a multi-domain setup

    Cheers for that Joe, I'll have a look at the global catalog solution.

    I know the DE is not recommended but it is working fine for us for now as we don't have too much load on the application.


  •  07-27-2010, 3:45 PM 8498 in reply to 8366

    Re: binding with just a user name(no domain name) in a multi-domain setup

    Hi Joe,

    I am using the code in the book to connect to the GC first like so:

        var gc = new DirectoryEntry("GC:");
        DirectoryEntry root = null;

        // Take the first child the GC provider returns and use it as the search root.
        using (gc)
        {
            foreach (DirectoryEntry directoryEntry in gc.Children)
            {
                root = directoryEntry;
                break;
            }
        }

    This code works, however I can't find users by sAMAccountName if they are from a different domain (different from the default one).

    If I am specific:
             var gc = new DirectoryEntry("GC://some.domain.com");
    The root variable is null and the subsequent user lookup returns nothing.

        string upn = null;
        var filter = String.Format("(samaccountname={0})", user);

        // Search subtree from the root obtained above; dispose the searcher and the
        // result collection so the underlying COM objects are released.
        using (var directorySearcher = new DirectorySearcher(root, filter, null, SearchScope.Subtree))
        using (SearchResultCollection searchResultCollection = directorySearcher.FindAll())
        {
            foreach (SearchResult searchResult in searchResultCollection)
            {
                upn = searchResult.Properties["userprincipalname"][0].ToString();
            }
        }
    upn is null here.

    Does this have to do with the process (IIS process) account that is doing the querying? Is there any bind done when I try to get the Children collection of the GC? The IIS worker process runs as Network Service.
    Or could it be that they don't replicate all information to all GCs?

    Edit:
    I was playing with ldp.exe to see what is going on. If I perform a search on the GC with no base DN I can find users by samaccountname from any domain in the forest.
    How can I do the same type of search from code?

    Edit:
    Solved. I am using the LdapConnection directly to access the global catalog and search forest wide.
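
The approach Joe describes in his reply (look the bare name up in the global catalog, require exactly one match, take its userPrincipalName and bind as that UPN) and the forest-wide GC search the thread ends on, as an added example that is not code from the original posts or from the book. It uses System.DirectoryServices.Protocols and searches a GC on port 3268 with an empty base DN, which is the same search ldp.exe performs. The GC host name gc.example.com, the escaping helper and the method names are assumptions for illustration. Three points a practitioner would want that the thread does not spell out: the login box is attacker-controlled, so the name is escaped per RFC 4515 before it goes into the filter (otherwise "*)(objectClass=*" rewrites the query); zero or more than one hit fails closed, because sAMAccountName is only unique per domain; and the password is proven with a Negotiate bind rather than a simple bind, so it is not sent in clear text. The lookup bind runs as the process identity, which for Network Service on a domain-joined host is the machine account.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example, not from the thread or the book.
// Assumptions: gc.example.com is any global catalog server in the forest and the
// hosting process can reach it on TCP 3268 (the standard GC LDAP port).
public static class ForestAuth
{
    const string GcHost = "gc.example.com";   // assumed GC host name
    const int GcPort = 3268;                  // global catalog LDAP port

    // Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Step 1: forest-wide lookup of a bare logon name. Empty base DN on a GC port
    // searches every domain partition; require exactly one hit, since the same
    // sAMAccountName can legitimately exist in two domains of the forest.
    public static string ResolveUpn(string samAccountName)
    {
        if (string.IsNullOrEmpty(samAccountName) || samAccountName.Contains("\\") || samAccountName.Contains("@"))
            throw new ArgumentException("Expected a bare logon name without domain or UPN suffix.");

        using (var gc = new LdapConnection(new LdapDirectoryIdentifier(GcHost, GcPort)))
        {
            gc.SessionOptions.ProtocolVersion = 3;
            gc.AuthType = AuthType.Negotiate;   // binds as the process identity
            gc.Bind();

            string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
            var request = new SearchRequest("", filter, SearchScope.Subtree, "userPrincipalName");
            var response = (SearchResponse)gc.SendRequest(request);

            // 0 = unknown user, >1 = ambiguous across domains: fail closed either way.
            if (response.Entries.Count != 1)
                return null;

            var entry = response.Entries[0];
            if (!entry.Attributes.Contains("userPrincipalName") || entry.Attributes["userPrincipalName"].Count == 0)
                return null;   // no UPN set on the account; refuse rather than guess a suffix

            object raw = entry.Attributes["userPrincipalName"][0];
            return raw as string ?? Encoding.UTF8.GetString((byte[])raw);
        }
    }

    // Step 2: prove the password by binding as the resolved UPN. Negotiate
    // (Kerberos/NTLM) keeps the password off the wire, unlike a simple bind on 389.
    public static bool Authenticate(string samAccountName, string password, out string upn)
    {
        upn = ResolveUpn(samAccountName);
        if (upn == null)
            return false;

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(GcHost, GcPort)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;
            conn.Credential = new NetworkCredential(upn, password);
            try
            {
                conn.Bind();   // throws LdapException on bad credentials
                return true;
            }
            catch (LdapException)
            {
                return false;
            }
        }
    }

    // Usage: ForestAuth.exe johnm <password>
    public static void Main(string[] args)
    {
        string upn;
        bool ok = Authenticate(args[0], args[1], out upn);
        Console.WriteLine(ok ? "Authenticated as " + upn : "Login failed");
    }
}
```

The lookup and the bind are two separate connections on purpose: the first runs under the service account and only reads the partial attribute set the GC replicates (sAMAccountName and userPrincipalName are both in it by default), the second carries the user's credentials and does nothing but bind. If the GC you point at is in a different domain from the user, the Negotiate bind still works because the UPN is resolvable forest-wide; a plain "DOMAIN\user" would not have been.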

