I am trying to build a registration section for a website (internal to my dept). Now to get new users registered, I built a form where user enters his employee id i.e. AD account name and then clicks a button to fetch his details. Which are later saved in database where registration requests are queued. Once those requests are approved by admin then only those users can use the application. Now the problem is that user is not logged in, so is it possible for non logged in user to fetch details from AD server. if it is then how.? Because when I tried the below listed code I am getting bad username or password error using FindOne function.
public string getProperties(string StaffCode, string property)
{
try
{
string result = "";
using (var de = new DirectoryEntry(_path))
using (var ds = new DirectorySearcher(de))
{
ds.Filter = string.Format("(sAMAccountName={0})", StaffCode);
ds.PropertiesToLoad.AddRange(new[] {
"sn", // last name
"givenName", // first name
"mail", // email
"telephoneNumber", // phone number
// etc - add other properties you need
});
var res = ds.FindOne();
if (res == null)
{
result = "noUserFound";
}
else
{
foreach (string propName in res.Properties.PropertyNames)
{
ResultPropertyValueCollection valueCollection = res.Properties[propName];
foreach (Object propertyValue in valueCollection)
{
if (propName == property)
{
result = propertyValue.ToString();
}
}
}
}
}
return result;
}
catch (Exception ex)
{
return "someErrorOccurred";
}
Please help me in overcoming this issue.
Thanks in advance
My guess is that the identity of the application pool you run this code under doesn't have enough priviledges to query the AD without authentication.
Specifically, start with replacing this constructor
using ( var de = new DirectoryEntry( _path ) )
with the one that takes admin's username/password in an explicit way
using ( var de = new DirectoryEntry( _path, username, password ) )
and make sure the username has enough priviledges to query the catalog.
If this works, you could possibly try to go back to the original version but you'd have to make sure the identity of the asp.net application pool has enough priviledges to query the AD but also, that the asp.net server is a part of the domain (if it is not, authentication without providing username/password in an explicit way will most likely not work).
Related
I wrote C# code to get email from Active Directory. It is working fine on my local system, but after hosting I am not getting email address. Followings are the things I already tried -
Changed application pool identity to NetworkService
Enabled Windows and Digest Authentications (both at the same time and one by one too)
Code:
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "comppany.com" , "DC=compnay,DC=com", ContextOptions.Negotiate))
// tried above and below//(ContextType.Domain, System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName))
{
// validate the credentials
bool isValid = pc.ValidateCredentials(Uid, Pwd);
if (isValid)
{
try
{
using (UserPrincipal up = UserPrincipal.FindByIdentity(pc, Uid))
{
return up != null && !String.IsNullOrEmpty(up.EmailAddress) ? up.EmailAddress : string.Empty;
}
//return "Validate successfully.";
}
catch (Exception ex)
{
return ex.Message;
}
}
}
Also tried following -
using (var connection = new DirectoryEntry())
{
using (var search = new DirectorySearcher(connection)
{
Filter = "(samaccountname=" + Uid + ")",
PropertiesToLoad = { "mail" },
})
{
return (string)search.FindOne().Properties["mail"][0];
}
}
None of them are working after hosting the app in IIS7.0
Please help.
Thanks
It will be because your user (i.e. you) will have rights to read from Active Directory, but the IIS user and Network Service won't.
Put a try catch round the using statement thing and you should see this in the exception.
There are alternative PrincipalContext constructors that allow you to specify the details of the user to connect as, or you could change the IIS app pool to run as a user with rights - I'd go with the PrincipalContext way though.
As a quick test try this version of the PrincipalContext constructor - put your username and password in the username and password paramemetrs and see if it works when hosted in IIS - if this works then you need to come up with some way of passing the user details in via config. (Generally a service account with only the rights to read, whose password does not change often is used for this)
Using .NET c# I need to programmatically manage / add subscribers to my lists in aWeber using the API. The process that I am tasked with will be a Windows Service that runs x # of times a day and updates the subscribers at aWeber and the lists that they are in.
So .. all of my research using the aWeber API with .NET has shown me that a signon page at aWeber must be completed in order to receive the oauth_verifier back in the callback URL.
So in summary here are my questions:
Any recommendations on how to accomplish this task using an unattended service?
Has anyone does this?
Any help is greatly appreciated.
Thanks
Emma
1) How to use Aweber .NET SDK to connect with Aweber account [Regular Account - (i.e.) Not the developer's one].
Download .NET SDK for Aweber from https://aweber.codeplex.com/
Ans :- 1) Create a developer account - Visit https://labs.aweber.com/
2) As you have successfully created the account you would see ConsumerKey, ConsumerSecret, & an AppId in your Application.
3) Then for the fist time add the following code.
string ConsumerKey = ConfigurationManager.AppSettings["AWeberConsumerKey"];
string ConsumerSecret= ConfigurationManager.AppSettings["AWeberConsumerSecret"];
Aweber.API api = new Aweber.API(ConsumerKey, ConsumerSecret);
api.CallbackUrl = "http://" + Request.Url.Host + ":" + Request.Url.Port + "/Authorize/Index";
api.get_request_token();
Response.Cookies["oauth_token"].Value = api.OAuthToken;
Response.Cookies["oauth_token_secret"].Value = api.OAuthTokenSecret;
api.authorize();
**Now create An Authorize controller in case of MVC or Authorize.aspx**
string ConsumerKey = ConfigurationManager.AppSettings["AWeberConsumerKey"];
string ConsumerSecret= ConfigurationManager.AppSettings["AWeberConsumerSecret"];
API api = new API(ConsumerKey, ConsumerSecret);
api.OAuthVerifier = Request["oauth_verifier"];
Response.Cookies["access_token"].Value = api.get_access_token();
Account account = api.getAccount();
**Now you can apply your code to create, delete... subscribers to/from the list**
When you run this code first the authorize page will appear where you need to add your Aweber regular account credentials.
Once it's verified then you'll get access to the aweber's(Customer) account.
**But you would not like the authorize page appear always whenever you run your application so you can omit it by doing the following steps.**
1. Use the PHP script provided in http://stackoverflow.com/questions/15378034/how-to-create-an-app-in-aweber
2. Run the above PHP script & you'll get the pair of accesskey & accesssecret.Copy them to your C# code (these are the permanent keys).
3. Initialize the API with this code:
string ConsumerKey = ConfigurationManager.AppSettings["AWeberConsumerKey"];
string ConsumerSecret = ConfigurationManager.AppSettings["AWeberConsumerSecret"];
string accessKey = ConfigurationManager.AppSettings["accessKey"];
string accessSecret = ConfigurationManager.AppSettings["accessSecret"];
Aweber.API api = new Aweber.API(ConsumerKey, ConsumerSecret);
api.OAuthToken = accessKey;
api.OAuthTokenSecret = accessSecret;
Account account = api.getAccount();
**Now we'll code to create subscriber to a particular list**
int listid = int.Parse(ConfigurationManager.AppSettings["ListId"]);
foreach (List list in account.lists().entries)
{
if (list.id == listid) Your List's ID **(Mylist - xxxxxxx)**
{
foreach (Subscriber subscriber in list.subscribers().entries)
{
if (subscriber.email.Equals(objRegModel.EmailID))
{
flag = false;
break;
**Checks whether the similar subscriber exists on the list**
}
else
{
flag = true;
}
}
if (flag == true)
{
BaseCollection<Subscriber> target = list.subscribers();
SortedList<string, object> parameters = new SortedList<string, object>();
parameters.Add("email", objRegModel.EmailID);
parameters.Add("name", objRegModel.FirstName + " " + objRegModel.LastName);
Subscriber subscriber = target.create(parameters);
**This will add the subscriber to the specified list only if does not exist on that list.**
}
}
}
**To Delete a particluar subscriber from the list**
Apply the same logic till Account account = api.getAccount();
To get the EmailID,IP Address etc of the subscribers on the
list.Refer to this link https://labs.aweber.com/docs/permissions
int listid = int.Parse(ConfigurationManager.AppSettings["ListId"]);
foreach (List list in account.lists().entries)
{
if (list.id == listid)
{
foreach (Subscriber subscriber in list.subscribers().entries)
{
We Perform the check whether the email of the subscriber exists on the list or not & accordingly delete it from the list.
if (subscriber.email == eid && subscriber.status != "unconfirmed")
{
try
{
if (subscriber.delete())
{
//Response.Write("Subscriber Successfully Deleted");
}
}
catch (Exception ex)
{
}
}
}
}
}
}
I have a method to retrieve a list of AD groups that a user belongs to. Here is the code:
public static List<GroupPrincipal> GetGroups(string userName)
{
List<GroupPrincipal> result = new List<GroupPrincipal>();
// establish domain context
PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain);
UserPrincipal user = null;
// find your user
user = UserPrincipal.FindByIdentity(yourDomain, userName);
// if found - grab its groups
if (user != null)
{
PrincipalSearchResult<Principal> groups = user.GetGroups();
// iterate over all groups
foreach (Principal p in groups)
{
// make sure to add only group principals
if (p is GroupPrincipal)
{
result.Add((GroupPrincipal)p);
}
}
}
return result;
}
In both IE and Chrome, this can work fine, but in Firefox, it always gives me DirectoryServicesCOMException on the user = UserPrincipal.FindByIdentity(yourDomain, userName); I don't even have any idea what kind of exception that is. Can someone explain me what the error is and how to fix it? Thank you so much!
Change the call to look like this:
using (HostingEnvironment.Impersonate()){
user = UserPrincipal.FindByIdentity(yourDomain, userName);
}
You will need to make sure that your application pool has AD permissions. This will perform the underlying AD call using the credentials of the hosting environment (the web App Pool Identity) instead of the credentials of user, who may not have permissions to query the AD server.
I have a Windows Service (running as the Local System user) that needs to validate a user based on username and password, in addition to checking if the user belongs to the group WSMA. My current code is like this:
var pc = new PrincipalContext(ContextType.Machine);
using (pc)
{
try
{
if (pc.ValidateCredentials(username, password))
{
using (var groupEntry = new DirectoryEntry("WinNT://./WSMA,group"))
{
foreach (object member in (IEnumerable)groupEntry.Invoke("Members"))
{
using (var memberEntry = new DirectoryEntry(member))
{
if (memberEntry.Path.ToLower().EndsWith(username.ToLower()))
{
return new LoginResult{ success = true };
}
}
}
}
}
return new LoginResult{ success = false };
}
catch (PrincipalOperationException poe)
{
if (poe.ErrorCode == -2147023688)
{
return new LoginResult { Success = false, ErrorMessage = "Password expired" };
}
throw poe;
}
}
This all works as it should, as long as I'm connected to the network, but if I plug out my network cable, then the ValidateCredentials call give me the following error message:
FileNotFoundException unhandeled by user code. The network path was not found.
I guess this has something to do with AD, but I only need to check the local users, and not domain users so a network access should not be required.
Any way to do this using the PrincipalContext, or some other way that will work in a disconnected scenario?
Here's a way to logon the User (and thus check that it's a valid user/pass): MSDN Link
I guess this should work disconnected, too, if you use a local account
I currently use LogonUser() to authenticate my user's username and password on my local domain at the office and it works great for what i need it to do.
Since I developed the app I now need to make it work over my VPN. It seems LogonUser() will not work with REMOTELY validating credentials. Or will it? Is it possible to use LogonUser() to validate a user's credentials on a REMOTE domain account?
I have read in some places that using LOGON32_LOGON_NEW_CREDENTIALS for the 4th param (login type) and LOGON32_PROVIDER_WINNT50 for the 5th param (provider) would do the trick. But every time I try that I ALWAYS get success... I can supply a bogas user and pass and it will work every time :(.
Ideas?
Edit - Added Notes
Tried to use this function but I kept getting the exception telling me the user/pass was bad.
public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirectoryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"];
}
catch
{
return false;
}
return true;
}
--
Edit - Added More Notes
OK so I tried yet another example just to get it to work and started down this path, and there are a few things to note...
MyServerHostName is exactly that, my server's hostname. EX: 'Server01'.
My domain name in this example is 'MyDomain.local'
So that makes my FQN for the server 'Server01.MyDomain.local'
I tried to make this work and got the following error...
The supplied context type does not match the server contacted. The server type is Domain.
This errored out at : var context = new PrincipalContext(ContextType.ApplicationDirectory, "MyServerHostName:389", "DC=MyDomain,DC=local"))
private bool CheckADCredentials()
{
bool bResults;
using (var context = new PrincipalContext(ContextType.ApplicationDirectory,
"MyServerHostName:389",
"DC=MyDomain,DC=local"))
{
var username = "firstname.lastname";
var email = "firstname.lastname#MyServerHostName";
var password = "123456";
var user = new UserPrincipal(context)
{
Name = username,
EmailAddress = email
};
user.SetPassword(password);
user.Save();
if (context.ValidateCredentials(username, password, ContextOptions.SimpleBind))
{
bResults = true;
}
else
{
bResults = false;
}
user.Dispose();
}
return bResults;
}
I ended up going with a different solution. Instead of trying to validate a user's account on a domain that my PC was not connected to I ended up caching my domain credentials in the database and just built a salted MD5 type encrypt function so it would make it hard .. er.. for someone to crack it. ;)
Now I just validate against cached credentials in the database when working remotely... It just required the user to first login on the domain but then the user can use it remotely day and night. ;)
Thanks!