I am trying to display full name of user from active directory. It works fine on my local. But when I publish this code to IIS on server it shows display name as null. What may be the issue? My account is using windows authentication.
using (var context = new PrincipalContext(ContextType.Domain))
{
var principal = UserPrincipal.FindByIdentity(context, User.Identity.Name);
var displayName = principal?.DisplayName;
}
I had to use HostingEnvironment.Impersonate() in order to access my AD properties on my IIS server. (It worked without it on local)
using (HostingEnvironment.Impersonate())
{
// your code
}
Also, you'd have to change your Application Pool's identity from "AppPoolIdentity" to "NetworkService".
Related
I have an MVC5 web app that I utilize the following to obtain current user info. I have enabled windows login for the web app on IIS.
private readonly string _userName = UserPrincipal.Current.DisplayName;
item.CreatedBy = _userName;
This works when running the app on my development machine, however when I publish to IIS, it throws exceptions:
The
(&(objectCategory=user)(objectClass=user)(|(userPrincipalName=)(distinguishedName=)(name=)))
search filter is invalid.
How do I get this to work on the IIS server to correctly obtain user info?
BTW - I've also tried this:
private readonly PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
var user = UserPrincipal.FindByIdentity(ctx, User.Identity.Name);
item.CreatedBy = user.DisplayName;
but to no avail.
This may be what you mean by "I have enabled windows login for the web app on IIS", but confirm that you have Windows Authentication enabled on IIS itself. Details on what's going wrong in your "to no avail" case may also be helpful.
Looks like anonymous authentication was still enabled on the Default Web Site in IIS. I disabled, and now it works with the following code:
private readonly PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
var user = UserPrincipal.FindByIdentity(ctx, User.Identity.Name);
item.CreatedBy = user.DisplayName;
Writing a C#, Core 2.1, self-hosted web api to stand up an Identy Sewrver 4 instance...
Trying to use LDAP for (temp) user and role store. Yet, when I run the STS I am working on, I keep getting a "bad password" error when I query LDAP. I am working on my Laptop (in a workgroup), am running a DC in Hyper-V (domain).
I am trying to use System.DirectoryServices.AccountManagement and have a simple search setup as:
// Pass in userName as someone#domain.xyz
// Example: userName = keith#sol3.net
// Domain Controller is found at dc01.sol3.net
public static bool CanSignIn(string userName, string domainName)
{
using (var pc = new PrincipalContext(ContextType.Domain, domainName))
{
UserPrincipal user = null;
try
{
var name = userName.Split('#');
user = UserPrincipal.FindByIdentity(pc, IdentityType.Name, name[0]);
}
catch (Exception ex)
{
Log.Warning(ex, $"Could not find {userName} in Active Directory, Domain: {domainName}!");
}
return user != null;
}
}
I am wondering if:
I need to attach my laptop to the domain?
Using Kestrel is interfering?
Should I run in IIS Express mode?
Should I research how to run under HTTP.SYS?
What path will help here?
TIA
I think you need to manually authenticate using a password in order to query the directory. Using the method you detail in your question there is no way for the calling app to identify itself. If you want the app to run independently of the domain (i.e. not have to run as a domain user on a domain-joined server) then the best way would be to use a raw LdapConnection and bind a username/password NetworkCredential to it.
This example uses a pre-configured service account to query for a user by their primary email address:
var connection = new LdapConnection(ldapServerName);
connection.AuthType = AuthType.Basic;
//Additional connection setup omitted for brevity
connection.Bind(new NetworkCredential(serviceUserName, servicePassword));
var request = new SearchRequest(
baseDistinguishedName,
"(&(objectClass=person)(mail=" + EscapeFilterValue(emailAddress) + "))",
System.DirectoryServices.Protocols.SearchScope.Subtree,
null
);
SearchResponse response = (SearchResponse)_connection.SendRequest(request);
I have MVC 4 web app deployed on 'Alpha' domain and web app is getting the Windows User details using the following code. We have trusted relationship between 3 different domains (Alpha, Beta and Gamma). When a user called Beta\bloggs login opens the web app following code returns the details of alpha\bloggs. Is there a way to get the right user from active directory.
Thanks in advance.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, username))
{
if (user != null)
{
HttpContext.Current.Session["FullUserName"] = fullName;
HttpContext.Current.Session["EmailAddress"] = user.EmailAddress;
}
}
}
As far as I understand, you should test against a global catalog.
Can you try to change you context like this :
PrincipalContext context = new PrincipalContext(ContextType.Domain, "DNSName.Of.GlobalCatalog.com:3268", "DC=yourcompany,DC=com");
Context.domain identifies the credential store to use. A connection to the correct domain would still be required to lookup information in another domain. Domain trust just specifies credential mapping, who in domain x maps to credential y in domain z.
I don't think that FindByIdentity can handle implicit domain trust lookups.
I have the following code to retrieve the current active directory users:
public List<DomainContext> GetADUsers(string term=null)
{
List<DomainContext> results = new List<DomainContext>();
string ADServerName = System.Web.Configuration.WebConfigurationManager.AppSettings["ADServerName"];
using (var context = new PrincipalContext(ContextType.Domain, ADServerName))
using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
{
var searchResults = searcher.FindAll();
foreach (Principal p in searchResults)
{
if (term == null || p.SamAccountName.ToString().ToUpper().StartsWith(term.ToUpper()))
{
DomainContext dc = new DomainContext();
dc.DisplayName = p.DisplayName;
dc.UserPrincipalName = p.UserPrincipalName;
dc.Name = p.Name;
dc.SamAccountName = p.SamAccountName;
results.Add(dc);
}
}
}
return results;
}
My current situation is as follows:
I am working on the development machine, where both the ASP.NET MVC web application and the Active Directory are on the same machine.
I am not passing usernames and password to get the AD users.
So I have the following concerns when I move my ASP.NET MVC web application which contains the above code to my UAT server:
On the UAT server the ASP.NET MVC web application and AD will be on two different machines.
To access the AD from certain machine I might need to send a username and password to the AD server.
So will my original code works if:
The AD and the ASP.NET MVC web application are on different machines?
And if the AD server required passing a user name and password along with?
There are two possibilities.
Either you pass the username/password to the PricipalContext or the identity of the application pool has enough priviledges to query the AD and you don't have to provide username/password then.
If the application server is in the AD, the latter is very convenient as there is no username/password in code and/or configuration files. If on the other hand the application server is not in AD, passing username/password in an explicit way is the only possibility for this to work.
I'm creating a PrincipalContext object for retrieving a user's groups from our AD database (we use these then for authentication to various parts of the site).
This used to be done using forms authentication, so the code looked something like this
PrincipalContext pc =
new PrincipalContext(ContextType.Domain, "domain.com", username, password);
UserPrincipal usp =
UserPrincipal.FindByIdentity(pc, IdentityType.Guid, user.Guid.ToString());
foreach (var group in usp.GetGroups())
{
// Add group to collection
}
However, we recently switched to windows authentication, and I no longer have access to the user's password.
How can I search the AD database using the current user's credentials? I've tried using impersonation, but it throws an An operations error occurred error on the FindByIdentity line. If I forget about authentication all together I'm limited in the number of groups that are returned.
Here is a method I use, You could change it to return a collection:
public static List<string> getGrps(string userName)
{
List<string> grps = new List<string>();
try
{
var currentUser = UserPrincipal.Current;
RevertToSelf();
PrincipalSearchResult<Principal> groups = currentUser.GetGroups();
IEnumerable<string> groupNames = groups.Select(x => x.SamAccountName);
foreach (var name in groupNames)
{
grps.Add(name.ToString());
}
return grps;
}
catch (Exception ex)
{
// Logging
}
}
I assume you want the results IEnumerable, which is what I did here.
Anon's answer works for what I asked, but I also wanted to be able to search for other user's groups. The best way I've found to do this is to run the asp.net program's app pool under a service account, and then use my original code.
To do this in IIS Manager 7.5, go to the Application Pools, right click on the one your app is running under -> Advanced Settings, and change the identity from "ApplicationPoolIdentity" to a custom domain account.