User Authentication in AD

Question

2.50/5 (2 votes)

See more:

Good day all.

I'm working on user management and it requires that I will register user that are in the AD from one of the units. This is to ensure that only those that are in the AD and are in the application DB will be using the application (double authentication).

My problem is that in the course of registering users into the application DB, I don't know how to check for user's name in the AD without the user's password. The fields for registeration are: Username, Password, Rank, Unit. I want to remove this password field but if I remove it the application will be registering those that are not in the AD.

My code is as shown below:

 Protected Sub btnButton1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnButton1.Click
 Try
  
 If getOrder() = False Then Return
  
 
Dim entry As New DirectoryEntry("LDAP://IP Address")
 entry.Username = txtUsername.Text + "@gov.net"
 entry.Password = txtPassword.Text
  
 Dim searcher As New DirectorySearcher("(&(objectCategory=Person)(objectClass=User))")
  
 searcher.SearchRoot = entry
 searcher.PropertiesToLoad.Add("cn")
  
 Dim result As SearchResult
  
 searcher.Filter = "(mail=net\" & txtUsername.Text & "@gov.net)"
  
 result = searcher.FindOne
  
 Dim sql As String = "INSERT INTO Table (Role,Username,Unit,Rank) VALUES ( '" & _
 ddlRole.Text & "','" & txtUsername.Text.Replace("'", "''") & "','" & _ ddlUnit.Text & "','" & ddlRank.Text & "')"
  
 Dim gentool As New functions
 If gentool.ExecuteDatabase(sql) = True Then
 lblMsg.Text = "Registered successfully"
 goClear()
 Else
 lblMsg.Text = "User already exists"
 End If
  
 Catch ex As Exception
 lblMsg.Text = "Registration failure: Either username or password" 'ex.Message
 End Try
 End Sub

Posted 17-Apr-13 4:08am

DOZDOZ

Updated 17-Apr-13 4:09am

Richard C Bishop

v2

Add a Solution

Comments

Espen Harlinn 17-Apr-13 10:29am

First time doing anything related to security? You're well on your way to implementing several of the OWASP Top 10

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Answer 1 · 2013-04-17T08:42:00

Solution 1

Yeah, this is a horror story on many levels. For instance, that little Text.Replace() thing you're doing is laughable. It's not going to prevent injection attacks from user input and it can, and will, lead to your code crashing depending on what the user typed. Google for ".net parameterized queries" for a ton of examples and discussion on what you should be doing.

If you want to authenticate someone against AD, you need their password. It's that simple.

If you want to see if someone is IN ActiveDirectory, then you just have to do an LDAP search for their account name, no user password required. This code WILL need to be running under an account that has read permissions to AD though. Even so, this, of course, won't tell if the account is expired or locked without additional work on your part, but hey, it's your job, not mine.

Posted 17-Apr-13 8:42am

Dave Kreskowiak

Updated 17-Apr-13 8:44am

v2

Comments

Espen Harlinn 17-Apr-13 14:48pm

5'ed!

DOZDOZ 19-Apr-13 10:12am

Hello Dave Kreskowiak,

Thanks for having time for this my issue.

But the point is that the client still want me to register user without requesting for his/her password. Please, I therefore request for more contribution to enable me actualize this feature.

Dave Kreskowiak 19-Apr-13 10:37am

OK, it sounds as though you're requirements and business rules are completely at odds with each other, or your business rules are garbage.

But, since you apparently don't need to authenitcate against AD nor apparently have to validate the users credentials against AD, what's stopping you from using the code you already have to insert the user into the database??

DOZDOZ 22-Apr-13 10:20am

I'm authenticating against AD and equally validating the user credentials agaisnt the AD. My problem is that I want to register a user without requesting for his/her password on the form.

Dave Kreskowiak 22-Apr-13 10:22am

SO what's stopping you? You already have the registration code.

DOZDOZ 22-Apr-13 11:14am

if I remove the password field (textbox) on the registration interface, the code will no longer authenticate and validate users against AD. Meaning that the user must provide his/her password, which the client don't want.

Dave Kreskowiak 22-Apr-13 14:26pm

You're contradicting yourself. On one hand, you say you want to register the user in the DB without authenticating the user in AD. On the other, you're saying you have to go to AD before you add them to the DB.

Which is it?? You cannot code against requirements if you don't understand them yourself.

DOZDOZ 23-Apr-13 0:09am

I want to go to AD before adding the new user to the DB. Thanks for your patience to understand me.

Looking forward for your assistance. Please, look at that my code or think of possible way(s) to actualize that without requesting for the new user's password.

Dave Kreskowiak 23-Apr-13 0:30am

I'm not emailing anyone. It's either done here or not at all.

"Go to AD" to do what??

DOZDOZ 23-Apr-13 3:35am

Note: Not all the people in the AD will be granted access to the application. So, I want to go to AD to check if the person is in AD before registering the person in the application DB.

Thanks.

Dave Kreskowiak 23-Apr-13 7:31am

Then search for their account name. You don't need their password for that.

DOZDOZ 23-Apr-13 9:03am

Without their password, the application will be registering even those that are not in the AD. And that is my problem.

Dave Kreskowiak 23-Apr-13 9:42am

WHAT?? If their account doesn't exist in AD you don't register them! Why is that so hard?? If the search doesn't return anything (you ARE checking the result of that AD search aren't you??) you don't register them.

DOZDOZ 23-Apr-13 17:16pm

If their account doesn't exist in AD I don't register them. My concern is that without the password in the search, it will be registering everything.

I'm finding it difficult dear.

Dave Kreskowiak 23-Apr-13 18:47pm

WRONG! You search for the account anme. That's it. Nothing else. If the account is there, you reigster them. If it's not there, you don't. Why is that so hard to understand?

DOZDOZ 25-Apr-13 4:24am

Not so hard to understand but so hard for me to implement.

Dave Kreskowiak 25-Apr-13 8:18am

WHAT?? All the code is already there. You're just missing an IF statement checking the result from the search.

DOZDOZ 26-Apr-13 3:37am

Dave, please tell me where because I've tried but to no avail. Looking forward to recieving your help. It is holding me for two weeks now.

Dave Kreskowiak 26-Apr-13 8:00am

Really?? You've been waiting for how many days for someone to write this line of code for you?? Had you read the documentation on DirecotrySearcher.FindOne, you would have had your code written in 5 minutes. Immediatly after your result = searcher.FindOne line:

If result IsNot Nothing Then
    ...  Code for inserting user into database
Else
    ...  Code for telling the user they don't exist in AD, or whatever you want.
End If

DOZDOZ 29-Apr-13 4:52am

Watch my code below and show me the error because I've used the If ... Else ... Endif statement and it is not given me what I want. Thanks for your patience and continued help. I mean without the password, I'll be getting "user not found". What do I do?

Protected Sub btnRegister_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnRegister.Click
Try

If getOrder() = False Then Return

Dim entry As New DirectoryEntry("LDAP://10.2.0.231")
entry.Username = txtUsername.Text + "@gov.net"
entry.Password = txtPassword.Text

Dim searcher As New DirectorySearcher("(&(objectCategory=Person)(objectClass=User))")

searcher.SearchRoot = entry
searcher.PropertiesToLoad.Add("cn")
' searcher.PropertiesToLoad.Add("Mail")

Dim result As SearchResult

searcher.Filter = "(mail=FIRS\" & txtEmail.Text & "@gov.net)"

result = searcher.FindOne()

If result Is Nothing Then
lblMsg.Text = "Username not found!"
Else
Dim sql As String = "INSERT INTO Table (Role,Username,Unit,Rank) VALUES ( '" & _
ddlRole.Text & "','" & txtUsername.Text.Replace("'", "''") & "','" & _ ddlUnit.Text & "','" & ddlRank.Text & "')"

Dim gentool As New functions
If gentool.ExecuteDatabase(sql) = True Then
lblMsg.Text = "Registered successfully"
goClear()
Else
lblMsg.Text = "User already exists"
End If
End If

Catch ex As Exception
' lblMsg.Text = "Either e-mail or password or both is/are not in the AD" 'ex.Message
End Try

End Sub

Dave Kreskowiak 29-Apr-13 8:05am

It's not giving me what I want.

is a really crap description of the problem. I have no idea what you expect the code to do, nor what the code is actually doing.

What do I do?
That's easy. Debug the code! Which one of us is getting paid to do that? I'm not going to spoon feed you. Step through the code line by line and inspect the variables, because it's obvious that you think they are holding certain values and their not.

DOZDOZ 29-Apr-13 9:23am

You are there! Thanks a million time for your encouragements and guidelines.