Identifying group memberships for users authenticated with AD Trust

... in one forest, while Dom3 is in another. There are bidirectional trusts between Dom1 and Dom2, and there is a one-way trust from Dom2 to Dom3. We have users stored in Dom1 and Dom3, and those users are assigned to groups in Dom2. Based on these group memberships, when a user authenticates to the application we are developing, we wish to test group membership and assign privilege levels.

I have been able to successfully authenticate users connecting to the LDAP server on Dom2 with accounts from Dom1 and Dom3 using the following:

    {
        ...
        try
        {
            DirectoryEntry de = new DirectoryEntry("LDAP://...", username, password,
                AuthenticationTypes.Secure | AuthenticationTypes.Sealed);
            // DirectoryEntry binds lazily: touching NativeObject forces the bind,
            // so bad credentials throw here rather than on a later query.
            object bound = de.NativeObject;
        }
        catch (DirectoryServicesCOMException)
        {
            // logon failure: the user is not authenticated
        }
    }

Catching the appropriate exception allows me to determine whether the connection succeeded, authenticating the user. Once I have connected I am unable to query the directory for elements such as userPrincipalName, and furthermore, when I enumerate group memberships, accounts from Dom3 (one-way trust) are listed as SIDs, e.g.

(Dom3 account in Dom2 group)
member (System.String) : CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx,CN=ForeignSecurityPrincipals,DC=Dom2,DC=MyDom,DC=CA

(Dom1 account in Dom2 group)
member (System.String) : CN=Boily\, Yvan,OU=MyGroup,OU=MyDepartment,OU=MyOU,DC=Dom1,DC=MyDom,DC=CA

Can anyone provide any advice on how to proceed?

Hi

Unfortunately, I'm unable to replicate the problem at present. However, reading Keith Brown's book 'The .NET Developer's Guide to Windows Security', he suggests using a new class in the System.Security.Principal namespace (of .NET 2.0) called SecurityIdentifier. You create an instance of SecurityIdentifier by passing the string SID into the constructor. Call the Translate method to return an instance of the NTAccount object. The Value property of the NTAccount object returns the domain-qualified name of the group.

Hope this is useful

Chris Seary
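The SID-to-name translation described in the reply above, applied to the two member shapes shown in the question, as an added example (this is not code from either post, nor from Keith Brown's book). It assumes the application runs on a machine joined to Dom2, or to a domain that trusts Dom1 and Dom3, with System.DirectoryServices referenced; the member values, the placeholder SID and the account Dom3\someuser are constructed for the example. It also goes one step beyond the reply: because Translate can fail (IdentityNotMappedException) when the lookup is not possible from this side of the trust, the membership check compares SIDs instead of names, which works whether or not the name can be resolved.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text.RegularExpressions;

public static class GroupMemberResolver
{
    // A ForeignSecurityPrincipal DN carries the SID as its CN:
    // "CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=Dom2,..."
    static readonly Regex FspDn = new Regex(
        @"^CN=(S-1-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,",
        RegexOptions.IgnoreCase);

    // Extracts the SID string from an FSP DN, or returns null for an ordinary DN.
    public static string SidFromFspDn(string memberDn)
    {
        Match m = FspDn.Match(memberDn);
        return m.Success ? m.Groups[1].Value : null;
    }

    // SID -> "DOMAIN\name" via LSA lookup across the trust (Keith Brown's
    // suggestion). Returns null when the SID cannot be mapped, e.g. the lookup
    // is not permitted from this side of a one-way trust or the account is gone.
    public static string TranslateSid(string sidString)
    {
        try
        {
            var sid = new SecurityIdentifier(sidString);
            return ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException)
        {
            return null;
        }
    }

    // Resolves each "member" value: FSP entries become DOMAIN\name (or stay as a
    // raw SID when unmappable); same-forest DNs such as the Dom1 entry are kept.
    public static List<string> ResolveMembers(IEnumerable<string> memberDns)
    {
        var names = new List<string>();
        foreach (string dn in memberDns)
        {
            string sid = SidFromFspDn(dn);
            names.Add(sid == null ? dn : (TranslateSid(sid) ?? sid));
        }
        return names;
    }

    // Reads objectSid for a DN we can query directly (e.g. the Dom1 member).
    public static SecurityIdentifier ObjectSidOf(string dn)
    {
        using (var entry = new DirectoryEntry("LDAP://" + dn))
        {
            var raw = (byte[])entry.Properties["objectSid"].Value;
            return raw == null ? null : new SecurityIdentifier(raw, 0);
        }
    }

    // Membership test that does not depend on name translation: SIDs are stable
    // across renames and are readable even when Translate throws.
    public static bool IsMemberBySid(IEnumerable<string> memberDns,
                                     SecurityIdentifier userSid,
                                     Func<string, SecurityIdentifier> dnToSid)
    {
        foreach (string dn in memberDns)
        {
            string fspSid = SidFromFspDn(dn);
            SecurityIdentifier memberSid =
                fspSid != null ? new SecurityIdentifier(fspSid) : dnToSid(dn);
            if (memberSid != null && memberSid.Equals(userSid))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample in the two shapes the question shows (placeholder SID).
        var members = new[]
        {
            @"CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPrincipals,DC=Dom2,DC=MyDom,DC=CA",
            @"CN=Boily\, Yvan,OU=MyGroup,OU=MyDepartment,OU=MyOU,DC=Dom1,DC=MyDom,DC=CA",
        };

        foreach (string name in ResolveMembers(members))
            Console.WriteLine(name);

        // Hypothetical logon name; the user's SID is obtained by translating the
        // other way (name -> SID) and then compared against the group's members.
        var userSid = (SecurityIdentifier)new NTAccount("Dom3", "someuser")
            .Translate(typeof(SecurityIdentifier));
        Console.WriteLine("is member: " + IsMemberBySid(members, userSid, ObjectSidOf));
    }
}
```

For assigning privilege levels, keying the mapping on the group's SID rather than on a translated name avoids a dependency on the trust being able to answer name lookups at request time, and is immune to group renames.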