.NET Forum / ASP.NET / Web Services / October 2004

Authenticate UsernameToken against Active Directory

Sumaira Ahmad - 01 Oct 2004 01:55 GMT
Hi,

Can anyone please tell me how to authenticate a Username Token against
Active Directory. Could not find much information on the web too.
Thanks,
Sumaira Ahmad
Hervey Wilson [MSFT] - 01 Oct 2004 05:39 GMT
> Hi,
>
> Can anyone please tell me how to authenticate a Username Token against
> Active Directory. Could not find much information on the web too.
> Thanks,
> Sumaira Ahmad

The default UsernameTokenManager in WSE2 performs a LogonUser call to
Windows to authenticate the userid in the token. This uses Active
Directory in a domain environment.

This posting is provided "AS IS", with no warranties, and confers no rights.

Sumaira Ahmad - 01 Oct 2004 20:43 GMT
Thank you so much for your reply. But I am a little confused.
Actually I am running ADAM and ASP.NET on Win XP Pro, with no domains
on it.  My windows account belongs to a workgroup.
When I am authenticating UsernameToken against my Windows account,  it
works fine and I use the Default UsernameToken manager.

Now I have created an ADAM User such as:
CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
and have set some password for it. I want this user to be
authenticated and then be able to access web services.

Now do I need to do some additional stuff to log this account so
that WSE can do a search with this account? I don't understand how it
works.

Also at the user interface what should I provide for the above user's
username and password so that WSE can do a match with the all ADAM
user accounts created and authenticate accordingly.

Can you please throw some light on it, starting with steps to be
followed after creating an ADAM User. I don't think my ADAM users
belong to any domain, as I said I have no domains set up.
Do I have to specify some log on locally option for this user? I was
reading it somewhere. But don't know how to do it.

Please, any help or pointers would be highly appreciated.
Thanks,
Sumaira

Niels Flensted-Jensen - 04 Oct 2004 12:39 GMT
Hi Sumaira,

I'm actually working the same problem, and it seems the only solution
requires you to transfer the password in clear text in the SOAP message from
the client to the server. This is due to the fact that you cannot - by design
- retrieve the password of a user from ADAM.

But here are steps that will let you authenticate a user against ADAM:

1. Add the user to ADAM, set the password and add the user to at least the
Readers group. The user is now ready to be authenticated.

2. On your server, set up an appropriate policy and register your own
'securityTokenManager' derived from UsernameTokenManager:

  <microsoft.web.services2>
    <security>
      <securityTokenManager
          type="Blabla.Security.AuthenticationManager, Bla.Bla.Security"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          qname="wsse:UsernameToken" />
    </security>
    <policy>
      <cache name="x:\blabla\Security\Policies\ServerPolicy.config" />
    </policy>
  </microsoft.web.services2>

The policy should include something like:

  <wssp:TokenInfo>
    <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
      <wssp:Claims>
        <wssp:UsePassword Type="wssp:PasswordText" wsp:Usage="wsp:Required" />
      </wssp:Claims>
    </SecurityToken>
  </wssp:TokenInfo>

3. Implement the class derived from UsernameTokenManager and override the
'AuthenticateToken' method to do something similar to the following.
  using System;
  using System.DirectoryServices;
  using Microsoft.Web.Services2.Security.Tokens;

  protected override string AuthenticateToken( UsernameToken token )
  {
    // Dummy value returned on failure. It must be one no client can
    // send on purpose, otherwise a caller could "authenticate" with it.
    string password = Guid.NewGuid().ToString();
    try
    {
      DirectoryEntry authEntry = new DirectoryEntry(
        "LDAP://localhost:389/OU=ADAM users,O=MyCompany,C=US",
        token.Username,            // must be the distinguished name
        token.Password,
        AuthenticationTypes.None ); // simple bind: password goes to ADAM as-is
      authEntry.RefreshCache();     // Binding - this is where the actual
                                    // authentication takes place
      password = token.Password;
    }
    catch
    {
      // authentication failed: keep the dummy password
    }
    return password;
  }

4. That basically does it.  WSE will now compare the password you dug out
(of the token, or a dummy password if authentication failed) with the
password sent in the SOAP message.  If the passwords match you're in -
otherwise a Fault message is sent back.

This approach seems a little counter to the intention of the
UsernameTokenManager - we basically do the authentication ourselves and cheat
the base class (UsernameTokenManager) into believing it still has a word in
authentication.  And as we base the implementation on access to the clear
text of the password in the SOAP header, hashing the password in the message
is not possible.

So does anyone know a better way?

Thanks,

Niels

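Added example, not code from the thread: a hardened version of the override Niels describes, which additionally refuses an empty password (an LDAP simple bind with an empty password is an anonymous bind that succeeds without proving anything), restricts the username to DNs under the expected container, and returns an unguessable dummy on failure rather than a fixed string a client could send deliberately. It assumes the same ADAM user container as above, that ADAM also listens for LDAP over SSL on port 636 (so the password is not sent in clear text from the web server to ADAM), and that the class is registered in the securityTokenManager element from step 2.

```csharp
using System;
using System.DirectoryServices;
using Microsoft.Web.Services2.Security.Tokens;

// Hypothetical hardened manager; register it as in step 2 above.
public class AdamUsernameTokenManager : UsernameTokenManager
{
    // Assumed: ADAM listens for LDAP over SSL on 636; same container as above.
    const string LdapPath = "LDAP://localhost:636/OU=ADAM users,O=MyCompany,C=US";
    const string AllowedSuffix = ",OU=ADAM users,O=MyCompany,C=US";

    protected override string AuthenticateToken(UsernameToken token)
    {
        // Failure value: fresh and unguessable, so no client can send it
        // deliberately and have WSE's comparison succeed.
        string rejected = Guid.NewGuid().ToString();
        string username = token.Username;
        string password = token.Password;

        // Only a plain-text password can be checked by binding with it.
        if (token.PasswordOption != PasswordOption.SendPlainText)
            return rejected;

        // An LDAP simple bind with an empty password is an anonymous bind:
        // it succeeds without proving anything, so refuse it up front.
        if (username == null || password == null || password.Length == 0)
            return rejected;

        // Accept only DNs inside the intended user container.
        if (!username.EndsWith(AllowedSuffix, StringComparison.OrdinalIgnoreCase))
            return rejected;

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                       LdapPath, username, password,
                       AuthenticationTypes.SecureSocketsLayer))
            {
                entry.RefreshCache();   // the bind (the real check) happens here
            }
        }
        catch (Exception)
        {
            return rejected;   // bind failed: unknown DN or wrong password
        }

        // Bind succeeded: return the password so WSE's own comparison passes.
        return password;
    }
}
```

The plain-text password still travels in the SOAP message itself, as Niels notes, so the policy should also require the client-to-service channel to be protected (for example TLS).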
Sumaira Ahmad - 04 Oct 2004 19:26 GMT
Niels,
Thank you so much for such a detailed reply, and a solution that worked
so well. Well, I am so relieved...

Sumaira


©2008 Advenet LLC   Privacy Policy - Terms of Use