
TGIF!

I just spiced up an ASP.NET app so that it uses DirectorySearch.FindOne <https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.direct...> to either verify a login user account exists or to authenticate. It runs perfectly on my work PC, but when I installed the app in IIS on my test server it died with *The specified domain either does not exist or could not be contacted*. I discovered that because my app was running as NETWORK SERVICE, which isn't a domain user, it can't see the Active Directory.

A trap... only domain user accounts can *see* AD. Asking the customer (a hospital) to create a special account, assign it to the pool and set ACLs is impractical. My lovely new login feature has hit a roadblock and I'm not sure of a workaround or alternative. It's a specialist topic, but I thought I'd ask in here just in case some boffin has suggestions.

*Greg Keogh*

P.S. I just remembered that about 15 years ago I used a Win32 Interop to call LogonUser <https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logon...> for a similar purpose, but it was for local accounts and I'll need to research if it works for domain accounts.

I have found the answer. I record it here in case it helps someone in the future. While avoiding AD, if you simply want to check if an account exists either locally or in the default domain, call LookupAccountName <https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountnamew> like this:

```csharp
// P/Invoke declaration for the call below (advapi32.dll, Unicode variant).
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool LookupAccountName(string systemName, string accountName, byte[] sid,
    ref uint sidSize, StringBuilder domainName, ref uint domainSize, ref int accountType);

uint sidSize = 0;
uint domainSize = 0;
int accountType = 0;
// Zero-length buffers: the call fails, but the error code tells us whether the name resolved.
bool b1 = LookupAccountName(null, user, null, ref sidSize, null, ref domainSize, ref accountType);
int err2 = Marshal.GetLastWin32Error();
if (err2 == 0x007a)
{
    // the account exists (insufficient buffer)
}
else if (err2 == 0x0534)
{
    // account not found (no mapping)
}
else
{
    // some bad error code
}
```

If you want to authenticate an account's credentials then call LogonUser <https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logon...>; there are lots of examples.

*Greg*

On Fri, 24 May 2024 at 09:06, Greg Keogh <gfkeogh@gmail.com> wrote:
> TGIF!
>
> I just spiced up an ASP.NET app so that it uses DirectorySearch.FindOne <https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.direct...> to either verify a login user account exists or to authenticate. It runs perfectly on my work PC, but when I installed the app in IIS on my test server it died with *The specified domain either does not exist or could not be contacted*. I discovered that because my app was running as NETWORK SERVICE, which isn't a domain user, it can't see the Active Directory.
>
> A trap... only domain user accounts can *see* AD. Asking the customer (a hospital) to create a special account, assign it to the pool and set ACLs is impractical. My lovely new login feature has hit a roadblock and I'm not sure of a workaround or alternative. It's a specialist topic, but I thought I'd ask in here just in case some boffin has suggestions.
>
> *Greg Keogh*
>
> P.S. I just remembered that about 15 years ago I used a Win32 Interop to call LogonUser <https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logon...> for a similar purpose, but it was for local accounts and I'll need to research if it works for domain accounts.
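A complete version of the two calls Greg describes, written as an added example for this thread rather than code from the original posts. It assumes the documented advapi32 signatures for LookupAccountName and LogonUser, uses a network logon type so the web server needs no "log on locally" right, and discards the token immediately so nothing is impersonated:

```csharp
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;
// Added example, not from the thread: existence probe via LookupAccountName,
// then password validation via LogonUser with a network (non-interactive) logon.
static class WinAccountCheck
{
    const int ERROR_INSUFFICIENT_BUFFER = 0x7A;  // 122: sizes returned, so the name resolved
    const int ERROR_NONE_MAPPED = 0x534;         // 1332: no local or domain account by that name
    const int ERROR_LOGON_FAILURE = 0x52E;       // 1326: wrong user name or password
    const int LOGON32_LOGON_NETWORK = 3;         // needs no "log on locally" right on the server
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupAccountName(string lpSystemName, string lpAccountName,
        byte[] Sid, ref uint cbSid, StringBuilder ReferencedDomainName,
        ref uint cchReferencedDomainName, out int peUse);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    // True when the name maps to a SID locally or in the default domain. Any error other than
    // "no mapping" is thrown, so a misconfigured server is never reported as "account absent".
    public static bool AccountExists(string userName)
    {
        uint sidSize = 0, domainSize = 0;
        // Empty buffers: this first call only reports the sizes needed, and that is all we want.
        LookupAccountName(null, userName, null, ref sidSize, null, ref domainSize, out _);
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_INSUFFICIENT_BUFFER) return true;
        if (err == ERROR_NONE_MAPPED) return false;
        throw new Win32Exception(err);
    }

    // Checks the password without impersonating: the token is disposed straight away.
    public static bool ValidateCredentials(string userName, string domain, string password)
    {
        if (LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
        {
            token.Dispose();
            return true;
        }
        int err = Marshal.GetLastWin32Error();
        if (err != ERROR_LOGON_FAILURE) throw new Win32Exception(err); // config problem, not a bad password
        return false;
    }
}
```

Pass the NetBIOS domain name as `domain`, or null with the user name in UPN form, as the LogonUser documentation describes.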

I'm a bit confused by this, because this is exactly the type of scenario where Network Service *does* make sense (I thought). It's not true to say that Network Service 'isn't a domain user' - it is, but presents as the identity of the hosting *machine* (i.e. domain\machine$, not domain\network service). But I'd be amazed if that needed special permissions to talk to AD (after all, surely the same underlying credentials and operations are underlying Win32 LookupAccountName), and Stack Overflow concurs (in 2011 at least): .net - Query Active Directory under NT AUTHORITY/NETWORK SERVICE - Stack Overflow <https://stackoverflow.com/questions/5352862/query-active-directory-under-nt-...>

I think there's something else going on here.

On Fri, 24 May 2024 at 07:09, Greg Keogh via ozdotnet <ozdotnet@ozdotnet.com> wrote:
> TGIF!
>
> I just spiced up an ASP.NET app so that it uses DirectorySearch.FindOne <https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.direct...> to either verify a login user account exists or to authenticate. It runs perfectly on my work PC, but when I installed the app in IIS on my test server it died with *The specified domain either does not exist or could not be contacted*. I discovered that because my app was running as NETWORK SERVICE, which isn't a domain user, it can't see the Active Directory.
>
> A trap... only domain user accounts can *see* AD. Asking the customer (a hospital) to create a special account, assign it to the pool and set ACLs is impractical. My lovely new login feature has hit a roadblock and I'm not sure of a workaround or alternative. It's a specialist topic, but I thought I'd ask in here just in case some boffin has suggestions.
>
> *Greg Keogh*
>
> P.S. I just remembered that about 15 years ago I used a Win32 Interop to call LogonUser <https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logon...> for a similar purpose, but it was for local accounts and I'll need to research if it works for domain accounts.
>
> --
> ozdotnet mailing list
> To manage your subscription, access archives: https://codify.mailman3.com/

--
piers