 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Security / November 2006WindowsPrincipal is incorrect after AD account rename
Our environment is - we use Visual Studio 2005, Dotnet 2.0, VB to create a web application which we run on IIS 6. Our Web.config file has the following set: <authentication mode="Windows" /> <identity impersonate="true"/> We are using MyPrincipal = New WindowsPrincipal(Current.User.Identity) to obtain the name of the currently logged on user. This is working until we are forced to rename a user's account in Active Directory. For example, Mary Smith (domain\marys) gets married and becomes Mary Jones (domain\maryj). We rename the account in Active Directory Users and Computers and the rename appears to be fine. However from this point on when we look at WindowsPrincipal(Current.User.Identity) it returns domain\marys rather than her new name of domain\maryj. What are we missing? Hello, What is the result if you check "Current.User.Identity.Name", is it "domain\marys" or 'domain\maryj"? Will a IIS reset fix the problem? Also, you may have the user clear her local IE cache and cookie to see if this will help. Sincerely, Luke Zhang Microsoft Online Community Support ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights. I have included more of our code as I don't think I gave you enough information in my first post. Also an IISRest and clearing the IE cache do not resolve the problem. First we call setUser to get the identity of the logged on user. Then we call getUserInfo to find the AD account so that we can display information about the user (display name, supervisor, etc.) on the screen in our web app. When a user's name changes we get the wrong name in setUser so when we call getUserInfo we do not get a match. Is there a better way to do this or are we missed something when we do our AD rename. ===================================================== Public Sub setUser() Try 'to get the current user's identity Dim s As Integer '*** Holds the position of the slash in user Dim l As Integer '*** Holds the length of the user characters '*** Get the user's Window's information MyPrincipal = New WindowsPrincipal(Current.User.Identity) myUser = MyPrincipal.Identity.Name '*** Parse out the domain and user s = myUser.IndexOf("\") l = myUser.Length If l > 0 Then userDomain = myUser.Substring(0, s) userName = myUser.Substring(s + 1, l - (s + 1)) End If Catch exp As Exception myErrMsg = "Exception: " + exp.Message End Try 'to get the current user's identity End Sub 'setUser ===================================================== Public Sub getUserInfo() Dim x As Integer '*** Holds the position of the CN= in manager Dim y As Integer '*** Holds the position of the , in manager (first one) Dim mgrsupr As String 'hold string for manager/supervisor '*** Set the properties of the directory entry myDEntry.Path = dePath myDEntry.Username = deUsername myDEntry.Password = dePassword myDEntry.AuthenticationType = AuthenticationTypes.Secure '*** Set the properties of the searcher myFilter = "(&(anr=" & userName & ")(objectclass=user)(objectcategory=person))" mySearch = New DirectorySearcher(myDEntry) mySearch.Filter = myFilter mySearch.SearchScope = SearchScope.Subtree Try 'searching for the Active Directory Entry for the current windows identity src = mySearch.FindAll For Each sr In src '*** Get the search result's Active Directory Account name '*** we have to initially check to make sure that sAMAccountName is a valid '*** property that was loaded If sr.Properties.Contains("sAMAccountName") Then If sr.Properties("sAMAccountName")(0) <> Nothing Then myAN = CType(sr.Properties("sAMAccountName")(0), String) Else myAN = "Unknown" End If Else myAN = "Unknown" myErrMsg = "Exception: Active Directory Account Not Found" Exit Sub End If '*** First check to see if this search result is the one we want by '*** matching the Active Directory Account Name to the Domain User Name If myAN.ToLower = userName.ToLower Then '*** Get the user's Common Name If sr.Properties.Contains("CN") Then If sr.Properties("CN")(0) <> Nothing Then FullEmployeeName = CType(sr.Properties("CN")(0), String) Else FullEmployeeName = "Unknown" End If Else FullEmployeeName = "Unknown" End If '*** Get the user's Display Name If sr.Properties.Contains("displayName") Then If sr.Properties("DisplayName")(0) <> Nothing Then EmployeeShortName = CType(sr.Properties("DisplayName")(0), String) Else EmployeeShortName = "Unknown" End If Else EmployeeShortName = "Unknown" End If '*** Get the user's department If sr.Properties.Contains("department") Then If sr.Properties("department")(0) <> Nothing Then DepartmentName = CType(sr.Properties("department")(0), String) Else DepartmentName = "Unknown" End If Else DepartmentName = "Unknown" End If '*** Get the user's phone extension If sr.Properties.Contains("telephoneNumber") Then If sr.Properties("telephoneNumber")(0) <> Nothing Then EmployeeExtension = CType(sr.Properties("telephoneNumber")(0), String) Else EmployeeExtension = "???" End If Else EmployeeExtension = "???" End If '*** Get the users employee number If sr.Properties.Contains("otherTelephone") Then If sr.Properties("otherTelephone")(0) <> Nothing Then EmployeeIDNumber = CType(sr.Properties("otherTelephone")(0), String) Else EmployeeIDNumber = "????" End If Else EmployeeIDNumber = "???" End If '*** Get the user's internet email address If sr.Properties.Contains("mail") Then 'If sr.Properties("mail")(0) <> Nothing Then 'If InStr(1, CType(sr.Properties("mail")(0), String), "@", CompareMethod.Text) > 0 Then If CType(sr.Properties("mail")(0), String) Like "*@*" Then EmployeeEmailAddress = CType(sr.Properties("mail")(0), String) Else EmployeeEmailAddress = "Unknown" End If Else EmployeeEmailAddress = "Unknown" End If '*** Get the user's internet email address - alternate If sr.Properties.Contains("ipphone") Then 'If sr.Properties("ipphone")(0) <> Nothing Then 'If InStr(1, CType(sr.Properties("ipphone")(0), String), "@", CompareMethod.Text) > 0 Then If CType(sr.Properties("ipphone")(0), String) Like "*@*" Then EmployeeAlternateEmailAddress = CType(sr.Properties("ipphone")(0), String) Else EmployeeAlternateEmailAddress = "Unknown" End If Else EmployeeAlternateEmailAddress = "Unknown" End If '*** Get the user's title If sr.Properties.Contains("title") Then If sr.Properties("title")(0) <> Nothing Then EmployeeTitle = CType(sr.Properties("title")(0), String) Else EmployeeTitle = "Unknown" End If Else EmployeeTitle = "Unknown" End If '*** Get the user's manager If sr.Properties.Contains("manager") Then If sr.Properties("manager")(0) <> Nothing Then mgrsupr = CType(sr.Properties("manager")(0), String) '*** Parse out the manager/supervisor name x = mgrsupr.IndexOf("CN=") y = mgrsupr.IndexOf(",") If y > 0 Then EmployeeSupervisorManager = mgrsupr.Substring(x + 3, y - (x + 3)) getUserInfoforMgr(EmployeeSupervisorManager) Else EmployeeSupervisorManager = "Unknown" EmployeeMgrEmailAddress = "Unknown" EmployeeMgrAlternateEmailAddress = "Unknown" End If Else EmployeeSupervisorManager = "Unknown" EmployeeMgrEmailAddress = "Unknown" EmployeeMgrAlternateEmailAddress = "Unknown" End If Else EmployeeSupervisorManager = "Unknown" EmployeeMgrEmailAddress = "Unknown" EmployeeMgrAlternateEmailAddress = "Unknown" End If Exit Sub '*** Let's get out of here because we've got our info End If 'the Active Directory entry is the correct one Next 'Next Active Directory entry Catch exp As Exception myErrMsg = "Exception:" & exp.Message FullEmployeeName = "Not Found 3" EmployeeShortName = "Not Found 3" DepartmentName = "Not Found 3" EmployeeExtension = "000" EmployeeIDNumber = "0000" EmployeeEmailAddress = "system@associatedbag.com" EmployeeAlternateEmailAddress = "system@associatedbag.com" EmployeeSupervisorManager = "Not Found 3" EmployeeTitle = "Not Found 3" End Try 'searching for the Active Directory Entry for the current windows identity End Sub 'getUserInfo ===================================================== > Hello, > [quoted text clipped - 28 lines] > This posting is provided "AS IS" with no warranties, and confers no > rights. What happens if the browser user logs out and logs back in again? Does that fix it? Also, if you are using .NET 2.0 instead of 1.1, there is a relatively straightforward way you can code around this problem. Basically, the steps would be to cast the Context.User.Identity to a WindowsIdentity and get the user's SID. Then, once you have the SID, you can do an LDAP query based on that instead of querying based on the username. The SID is rename safe and only changes if the user is moved to a different domain. That is probably the cleanest solution to this problem. It is also doable in .NET 1.1, but there isn't an easy way to get the user's SID from the token without p/invoke, so it is more complex. Joe K.  SignatureJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- >I have included more of our code as I don't think I gave you enough >information in my first post. Also an IISRest and clearing the IE cache do [quoted text clipped - 291 lines] >> This posting is provided "AS IS" with no warranties, and confers no >> rights. Thanks Joe, this is working for us. > What happens if the browser user logs out and logs back in again? Does > that fix it? [quoted text clipped - 315 lines] >>> This posting is provided "AS IS" with no warranties, and confers no >>> rights. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.