I'm running an ASP.NET 4.0 app which uses the user name (i.e. HttpContext.Current.Request.LogonUserIdentity.Name.ToString()) to manage access to various components.
The user name being returned is in the form "abc\jsmith" where "abc" is the domain name and "jsmith" is the login name of the user.
Part of the security module for this app accesses the Active Directory groups that the user belongs to (e.g., "Accounting", "AccountsPayable", "AdminDepartment"). I'm able to get the user's name from Active Directory using DirectoryEntry.Properties (i.e., System.DirectoryServices.PropertyCollection) "sAMAccountName".Value.
So far, everything is fine, but I want to be able to expand the app across multiple domains, which means I need to be able to find the domain name in Active Directory as well as the user's login name. I can get a "Domain" value from PrincipalContext, but it's returning "abcdc" instead of "abc". Can I assume that this property will always return "dc" (as in "Domain Controller") at the end of each domain (in which case I can use a Substring of the property), or is there somewhere else I can get the user's current domain name?
One thing I am unclear on is your question about retrieving the domain name given a DirectoryEntry on a domain controller. I am assuming that you have a server that can see multiple trusted domains, and that a user can log into your application from any one of them, such that you don't know against which domain you need to test role membership.
For controlling access to features via AD group membership, could you use HttpContext.Current.User.IsInRole("appdomain\groupname"), where User.Identity.Name == "userdomain\user"? I'm not familiar with domain trust issues, but this assumes that you can add users from the trusted domain into the domain group that you control, so you don't need to worry about the group's domain location.
If you can't, or if you have the same group name in each different domain, then you could do something like this: HttpContext.Current.User.IsInRole(userDomainName + "\groupname")
Some points:
**UPDATE 6/8/2011 2:15 PM**
If I understand AD correctly, the user's domain is an integral part of the user object returned by AD. Expanding on your example of "Bob Newaccountant"...
So given the following 2 domains with a trust between them:

1. "abcdc.com"
   CN=Users
     CN="Bob NewAccountant"
2. "abc.com"
   CN=Users
     CN="Local User1"
   OU=Applications
     OU=MyApplication
       CN=ReportReaders (Members: abcdc\BNewAccountant, abc\luser1)
You should get the users' info given the following query:
    using System;
    using System.DirectoryServices.AccountManagement;

    // name parameter = domain
    // container parameter = distinguished name of the OU to search under
    // (the service account password below is a placeholder)
    using (var ctx = new PrincipalContext(
        ContextType.Domain,
        "abc.com",
        "OU=MyApplication,OU=Applications,DC=abc,DC=com",
        @"abc\serviceaccountname",
        "Password1"))
    {
        var officeGroup = GroupPrincipal.FindByIdentity(ctx,
            IdentityType.SamAccountName,
            "ReportReaders");
        if (officeGroup == null)
        {
            Console.WriteLine("Group ReportReaders not found in the container");
            return;
        }

        // recursive: true also walks nested group membership
        foreach (Principal prin in officeGroup.GetMembers(true))
        {
            Console.WriteLine("DistinguishedName: " + prin.DistinguishedName
                + " UPN: " + prin.UserPrincipalName);
        }
        // Should result in
        // DistinguishedName: CN=luser1,CN=Users,DC=abc,DC=com UPN: [email protected]
        // DistinguishedName: CN=BNewAccountant,CN=Users,DC=abcdc,DC=com UPN: [email protected]
    }
So you should be able to get the user's domain via the distinguishedName or userPrincipalName properties of Active Directory. (Note: I don't have a dual-domain setup handy, so I am not able to test the above code at this time.) Is that getting closer?
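The answer above points at two attributes that carry the user's domain (distinguishedName and userPrincipalName) and at passing a domain-qualified group name to IsInRole. The following is an added example, not code from the original question or answer, showing how to derive the domain from each of those strings without relying on a "dc" name suffix. It needs no directory connection: the DN, UPN and "domain\user" values at the bottom are constructed sample inputs in the shape the answer's comments show, and all method names are the example's own. Two caveats a practitioner should keep in mind: RDN values can contain escaped commas, so a DN must not be split on every comma; and a forest can define alternative UPN suffixes, so the part after "@" is not guaranteed to equal the DNS name of the user's domain, whereas the DC= components of the DN always are.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example (not from the original post): derive the user's domain
// from the AD attributes the answer mentions, instead of from a name suffix.
public static class DomainNameHelper
{
    // Splits an RFC 4514 distinguished name into its RDNs, honouring
    // backslash escapes so a CN such as "Smith\, John" stays in one piece.
    public static List<string> SplitRdns(string distinguishedName)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < distinguishedName.Length; i++)
        {
            char c = distinguishedName[i];
            if (c == '\\' && i + 1 < distinguishedName.Length)
            {
                // keep the escape and the escaped character together
                current.Append(c).Append(distinguishedName[++i]);
            }
            else if (c == ',')
            {
                parts.Add(current.ToString().Trim());
                current.Clear();
            }
            else
            {
                current.Append(c);
            }
        }
        if (current.Length > 0) parts.Add(current.ToString().Trim());
        return parts;
    }

    // DNS domain of the object: the DC= components, in order, joined with dots.
    public static string DnsDomainFromDn(string distinguishedName)
    {
        var labels = new List<string>();
        foreach (string rdn in SplitRdns(distinguishedName))
        {
            if (rdn.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
                labels.Add(rdn.Substring(3));
        }
        if (labels.Count == 0)
            throw new ArgumentException("No DC= components in DN: " + distinguishedName);
        return string.Join(".", labels);
    }

    // Suffix of a userPrincipalName. Caveat: alternative UPN suffixes mean
    // this may differ from the DNS name of the domain that holds the account.
    public static string UpnSuffix(string userPrincipalName)
    {
        int at = userPrincipalName.LastIndexOf('@');
        if (at < 0) throw new ArgumentException("Not a UPN: " + userPrincipalName);
        return userPrincipalName.Substring(at + 1);
    }

    // NetBIOS domain from the "domain\user" form returned by
    // Request.LogonUserIdentity.Name in the question.
    public static string NetBiosDomainFromNtName(string ntAccountName)
    {
        int slash = ntAccountName.IndexOf('\\');
        if (slash < 0) throw new ArgumentException("Not a domain\\user name: " + ntAccountName);
        return ntAccountName.Substring(0, slash);
    }

    // Domain-qualified group name for IsInRole, built from the caller's own
    // NetBIOS domain, as the answer suggests for same-named groups per domain.
    public static string QualifiedGroupName(string ntAccountName, string groupName)
    {
        return NetBiosDomainFromNtName(ntAccountName) + "\\" + groupName;
    }

    public static void Main()
    {
        // Constructed sample values; in the app they come from a Principal
        // (DistinguishedName, UserPrincipalName) and from LogonUserIdentity.Name.
        string dn = "CN=Newaccountant\\, Bob,CN=Users,DC=abcdc,DC=com";
        string upn = "bnewaccountant@abcdc.com";
        string ntName = "abcdc\\bnewaccountant";

        Console.WriteLine("DNS domain from DN:   " + DnsDomainFromDn(dn));
        Console.WriteLine("UPN suffix:           " + UpnSuffix(upn));
        Console.WriteLine("NetBIOS domain:       " + NetBiosDomainFromNtName(ntName));
        Console.WriteLine("Group name for role:  " + QualifiedGroupName(ntName, "ReportReaders"));
    }
}
```

When the DN and UPN disagree on the domain, trust the DN: the DC= path is where the object actually lives, while the UPN suffix is whatever the administrator assigned to the account.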