Accessing ActiveDirectory through LDAP with .NET

I am trying to determine the best way I can authenticate against an ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to authenticate across the Internet.

Right now I have code that authenticates (e.g. I pass username/password to it) via NTLM but the problem is I am accessing this via a domain user account that has access to the domain controller (e.g. it's the account that IIS is running under).

Obviously this doesn't work over the Internet and the only temporary solution is for my client to set up a VPN and have a trust relationship, which is really not something they want to do.

I read somewhere (brief blurb) that I could access this information via LDAP.

Essentially I am building sort of a single-sign-on application where the user enters their name/password in my app and it is authenticated against an ActiveDirectory instance.

Any ideas on how I can do this in a secure manner over the Internet without the need for a VPN?

Thanks,


On Tue, 21 Dec 2004 17:16:52 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:

¤ I am trying to determine the best way I can authenticate against an
¤ ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to
¤ authenticate across the Internet.
¤
¤ Right now I have code that authenticates (e.g. I pass username/password to
¤ it) via NTLM but the problem is I am accessing this via a domain user
¤ account that has access to the domain controller (e.g. it's the account that
¤ IIS is running under).
¤
¤ Obviously this doesn't work over the Internet and the only temporary
¤ solution is for my client to set up a VPN and have a trust relationship,
¤ which is really not something they want to do.
¤
¤ I read somewhere (brief blurb) that I could access this information via
¤ LDAP.
¤
¤ Essentially I am building sort of a single-sign-on application where the
¤ user enters their name/password in my app and it is authenticated against an
¤ ActiveDirectory instance.
¤
¤ Any ideas on how I can do this in a secure manner over the Internet without
¤ the need for a VPN?

It isn't clear to me what type of application this is but you may want to take a look at the following:

HOW TO: Authenticate against the Active Directory by Using Forms Authentication and Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

Paul
~~~
pclem***@ameritech.net
Microsoft MVP (Visual Basic)


"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message news:abvis0t9i6ote1nt5g0ak2rdngkil06dn5@4ax.com...

Thanks for the link. My application is an ASP.NET app (C#). Will this work across the Internet (I didn't see any mention of security/firewall configurations, etc.)? In other words, my app is running at a data-center and the AD is at some other company. What would need to happen to access the AD (via LDAP) from my app at the datacenter? Our current approach (not using LDAP) is to access it through the AD API which needs domain access (something the company will not allow across the Internet--for obvious reasons).

Here's a quick example to help illustrate my problem:

1. User browses to my login page running at the datacenter.
2. User enters name and password in my app.
3. My app then has to (somehow) authenticate the name/pw with the company's AD server running at some other datacenter on some part of the planet.

Thanks,
Tim

> On Tue, 21 Dec 2004 17:16:52 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:
>
> ¤ I am trying to determine the best way I can authenticate against an
> ¤ ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to
> ¤ authenticate across the Internet.
> ¤
> ¤ Right now I have code that authenticates (e.g. I pass username/password to
> ¤ it) via NTLM but the problem is I am accessing this via a domain user
> ¤ account that has access to the domain controller (e.g. it's the account that
> ¤ IIS is running under).
> ¤
> ¤ Obviously this doesn't work over the Internet and the only temporary
> ¤ solution is for my client to set up a VPN and have a trust relationship,
> ¤ which is really not something they want to do.
> ¤
> ¤ I read somewhere (brief blurb) that I could access this information via
> ¤ LDAP.
> ¤
> ¤ Essentially I am building sort of a single-sign-on application where the
> ¤ user enters their name/password in my app and it is authenticated against an
> ¤ ActiveDirectory instance.
> ¤
> ¤ Any ideas on how I can do this in a secure manner over the Internet without
> ¤ the need for a VPN?
>
> It isn't clear to me what type of application this is but you may want to
> take a look at the following:
>
> HOW TO: Authenticate against the Active Directory by Using Forms
> Authentication and Visual Basic .NET
> http://support.microsoft.com/default.aspx?scid=kb;en-us;326340
>
> Paul
> ~~~
> pclem***@ameritech.net
> Microsoft MVP (Visual Basic)


On Mon, 27 Dec 2004 12:36:30 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:

¤ Thanks for the link. My application is an ASP.NET app (C#). Will this work
¤ across the Internet (I didn't see any mention of security/firewall
¤ configurations, etc.)? In other words, my app is running at a data-center
¤ and the AD is at some other company. What would need to happen to access
¤ the AD (via LDAP) from my app at the datacenter? Our current approach (not
¤ using LDAP) is to access it through the AD API which needs domain access
¤ (something the company will not allow across the Internet--for obvious
¤ reasons). Here's a quick example to help illustrate my problem:
¤
¤ 1. User browses to my login page running at the datacenter.
¤ 2. User enters name and password in my app.
¤ 3. My app then has to (somehow) authenticate the name/pw with the company's
¤ AD server running at some other datacenter on some part of the planet.

Is your web server (that is hosting your application) a member of the domain that you need to authenticate against?

Paul
~~~
pclem***@ameritech.net
Microsoft MVP (Visual Basic)


"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message news:r4r0t09m3obnfsr6l3mh4psd4q82lspj0j@4ax.com...

> Is your web server (that is hosting your application) a member of the
> domain that you need to authenticate against?

No, that is the problem. The application runs at a separate site but the client wants their users to be able to log in with their local (domain) name/password (i.e. not a separately managed name/password for my app). I am trying to figure out a secure way of authenticating against the domain across the Internet.

In regards to LDAP, how does it address these types of issues? How would someone be able to authenticate against an LDAP server?

Is this even possible?

There are solutions where you set up a VPN and then have the company domain trust the domain the site runs under but that is pretty much out of the question as my client is not going to trust a foreign domain (from the datacenter) where IIS is running under.

Thanks,
Tim


On Mon, 27 Dec 2004 15:42:29 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:

¤ "Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
¤ news:r4r0t09m3obnfsr6l3mh4psd4q82lspj0j@4ax.com...
¤ > Is your web server (that is hosting your application) a member of the
¤ > domain that you need to authenticate against?
¤
¤ No, that is the problem. The application runs at a separate site but the
¤ client wants their users to be able to log in with their local (domain)
¤ name/password (i.e. not a separately managed name/password for my app). I
¤ am trying to figure out a secure way of authenticating against the domain
¤ across the Internet.
¤
¤ In regards to LDAP, how does it address these types of issues? How would
¤ someone be able to authenticate against an LDAP server?
¤
¤ Is this even possible?
¤
¤ There are solutions where you set up a VPN and then have the company domain
¤ trust the domain the site runs under but that is pretty much out of the
¤ question as my client is not going to trust a foreign domain (from the
¤ datacenter) where IIS is running under.

Well I have to scratch my head a bit about this scenario. It's rather difficult to authenticate against a domain that you don't have access to. ;-)

I wish I had a better answer for you but the bottom line is that you don't have direct access to an authentication mechanism for the client site. If all that you need to do is validate credentials via LDAP you could use a Web Service, but it would need to be running on the client site.

Paul
~~~
pclem***@ameritech.net
Microsoft MVP (Visual Basic)


"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message news:ruv2t0hjl5rjqf3kfsorr1mtie7dhg285a@4ax.com...

> Well I have to scratch my head a bit about this scenario. It's rather
> difficult to authenticate against a domain that you don't have access to. ;-)

I guess a better way to put it is this: is there a way I can authenticate against an ActiveDirectory using LDAP via LDAP's credentials vs. using Microsoft's credentials?

For example, if I am running some LDAP server under Linux and I want to authenticate against it, I would need to include some sort of credentials (ones that have nothing to do with ActiveDirectory).

Since ActiveDirectory supports LDAP, can this be done under a Windows environment? In other words, what would have to happen to allow me to authenticate against ActiveDirectory? Would I have to open up all these ports and then expose my domain publicly to the Internet (vs. just having an LDAP interface exposed)?

Thanks,


On Wed, 29 Dec 2004 12:33:10 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:

¤ "Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
¤ news:ruv2t0hjl5rjqf3kfsorr1mtie7dhg285a@4ax.com...
¤ > Well I have to scratch my head a bit about this scenario. It's rather
¤ > difficult to authenticate against a domain that you don't have access to. ;-)
¤
¤ I guess a better way to put it is this: is there a way I can authenticate
¤ against an ActiveDirectory using LDAP via LDAP's credentials vs. using
¤ Microsoft's credentials?
¤
¤ For example, if I am running some LDAP server under Linux and I want to
¤ authenticate against it, I would need to include some sort of credentials
¤ (ones that have nothing to do with ActiveDirectory).
¤
¤ Since ActiveDirectory supports LDAP, can this be done under a Windows
¤ environment? In other words, what would have to happen to allow me to
¤ authenticate against ActiveDirectory? Would I have to open up all these
¤ ports and then expose my domain publicly to the Internet (vs. just having an
¤ LDAP interface exposed)?

You can authenticate with the Windows domain but I don't know how you would automatically authenticate with the Linux server unless you have some kind of integrated authentication or trust between the domains.

Paul
~~~
pclem***@ameritech.net
Microsoft MVP (Visual Basic)


"Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message news:154jt0hcrpu69ka96cjnrhkgs5lutgqrf9@4ax.com...

> You can authenticate with the Windows domain but I don't know how you
> would automatically authenticate with the Linux server unless you have
> some kind of integrated authentication or trust between the domains.

Could I do this:

Make a .NET call (of some sort) across the Internet using an LDAP name and password (for an account that is valid on the NT domain)?

Basically all I want to do is pass a username and password through LDAP and have an ActiveDirectory validate it.

Another angle... Let's say I have some LDAP server that has a bunch of usernames and passwords. I should be able to enter a username/password and have the LDAP server authenticate it, correct? If this server happens to be an ActiveDirectory server, wouldn't the list of users it uses to look up (to authenticate) be the same as the ones in the AD?

I simply am trying to pass credentials across the Internet to be authenticated.

Thanks,


On Wed, 5 Jan 2005 16:39:05 -0600, "Tim Mavers" <webv***@hotmail.com> wrote:

¤ "Paul Clement" <UseAdddressAtEndofMess***@swspectrum.com> wrote in message
¤ news:154jt0hcrpu69ka96cjnrhkgs5lutgqrf9@4ax.com...
¤ > You can authenticate with the Windows domain but I don't know how you
¤ > would automatically authenticate with the Linux server unless you have
¤ > some kind of integrated authentication or trust between the domains.
¤
¤ Could I do this:
¤
¤ Make a .NET call (of some sort) across the Internet using an LDAP name and
¤ password (for an account that is valid on the NT domain)?
¤
¤ Basically all I want to do is pass a username and password through LDAP and
¤ have an ActiveDirectory validate it.
¤
¤ Another angle... Let's say I have some LDAP server that has a bunch of
¤ usernames and passwords. I should be able to enter a username/password and
¤ have the LDAP server authenticate it, correct? If this server happens to be
¤ an ActiveDirectory server, wouldn't the list of users it uses to look up (to
¤ authenticate) be the same as the ones in the AD?
¤
¤ I simply am trying to pass credentials across the Internet to be
¤ authenticated.

OK, eliminating any other potential issues or system configurations from the equation, you may want to see if the System.Net.WebRequest class will work for you. You should be able to use this class to pass your credentials:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemNetWebRequestClassTopic.asp

Paul
~~~
pclem***@ameritech.net
Microsoft MVP (Visual Basic)


Tim,

How about this scenario:

1. At the client's network, add a web server (running IIS) and add the appropriate DNS entries to expose [http://example.timsclient.corp]. I'll assume you know the rest of adding another IP to the box and creating a new web site, assigning the IP to that site...
2. Create a web service that takes the user credentials as params and authenticates against the AD.
3. Consume this web service in your app at the datacenter.

This should also allow future apps written in whatever to access the centralized authentication web service. In my last job, my employer dictated that we would use PKI... we used a similar design to incorporate authentication in multiple apps written in Java and ASP.Net...

Ryan

"Tim Mavers" wrote:
> I am trying to determine the best way I can authenticate against an
> ActiveDirectory using LDAP with .NET. I need to use LDAP because I need to
> authenticate across the Internet.
>
> Right now I have code that authenticates (e.g. I pass username/password to
> it) via NTLM but the problem is I am accessing this via a domain user
> account that has access to the domain controller (e.g. it's the account that
> IIS is running under).
>
> Obviously this doesn't work over the Internet and the only temporary
> solution is for my client to set up a VPN and have a trust relationship,
> which is really not something they want to do.
>
> I read somewhere (brief blurb) that I could access this information via
> LDAP.
>
> Essentially I am building sort of a single-sign-on application where the
> user enters their name/password in my app and it is authenticated against an
> ActiveDirectory instance.
>
> Any ideas on how I can do this in a secure manner over the Internet without
> the need for a VPN?
>
> Thanks,
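As an added example (not code from any poster in this thread), here is the credential-validation step that the client-site web service Paul and Ryan describe would perform: an LDAP simple bind over LDAPS with the submitted username and password, which is the "authenticate via LDAP's credentials" Tim asks about, done where only the web service, not the domain controller's LDAP port, is reachable from the Internet. It uses System.DirectoryServices.Protocols (shipped with .NET 2.0, so newer than this thread) and assumes the placeholder host dc.timsclient.corp.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: validates a username/password pair against Active Directory
// with an LDAP simple bind over LDAPS (port 636). Meant to run on the client's
// network behind the authentication web service, never at the datacenter.
public static class AdCredentialValidator
{
    // Placeholder host name (assumption); replace with the client's domain controller.
    private const string DomainController = "dc.timsclient.corp";
    private const int LdapsPort = 636;

    // Returns true only if the directory accepts a bind with exactly these credentials.
    // userPrincipalName may be "user@timsclient.corp" or "TIMSCLIENT\user"; AD accepts both.
    public static bool Validate(string userPrincipalName, string password)
    {
        // An LDAP simple bind with an empty password is an *anonymous* bind, which
        // AD completes successfully, so an empty password must be refused up front
        // or any valid username would appear to authenticate.
        if (string.IsNullOrEmpty(userPrincipalName) || string.IsNullOrEmpty(password))
            return false;

        var identifier = new LdapDirectoryIdentifier(DomainController, LdapsPort);
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.SecureSocketLayer = true; // LDAPS: the password never crosses the wire in clear text
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Basic;               // simple bind with the user's own credentials
            connection.Credential = new NetworkCredential(userPrincipalName, password);
            try
            {
                connection.Bind();   // succeeds only if the DC accepts this user + password
                return true;
            }
            catch (LdapException)
            {
                // Wrong password, unknown user, disabled or locked-out account, or DC
                // unreachable all map to "not authenticated"; log the detail server-side
                // rather than returning it to the caller.
                return false;
            }
        }
    }
}
```

The web service at the client site would expose only this true/false result over HTTPS to the datacenter app, so the datacenter never needs domain membership, a trust, or a VPN.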