1

I have a ASP .Net web appliaction written in Visual Basic .Net running on Windows Server 2003 (IIS 6) that works like the one described in How to grab AD credentials from client machine in a web application?

A user access our Intranet page and it uses Windows Authentication to identify the user. The application then looks up that user in Active Directory and grabs the attribute value for that user's IpPhone. This number is what we use for Employee ID's.

In IE8 I can access the site and Windows Auth prompts me and it appears to work but the application is unable to get my Active Directory user "IP Phone" value (AKA my Employee Number). If I add the URL to Trusted Sites, the application works grabs my Employee ID successfully.

That wouldn't be a big deal except it does this in every browser (FireFox, Safari, and Chrome). I found a workaround for Firefox (ntlm-authenticate, google 'about config' for firefox). However this app shouldn't need to be in Trusted Sites, and I believe if I can get this to work without being in Trusted Sites it will work in all browsers.

Does anyone have any idea whats going on? Thanks in advance.

Community
  • 1
  • 1
David Mathis
  • 247
  • 1
  • 2
  • 8

1 Answers1

0

Take a look at the setting in the screenshot below. The automatic logon refers to using your Windows authentication as you access resources via Internet Explorer. In other words, if you access a web page on a server in your directory, the credentials that you logged in on your machine with are automatically passed to the server you're accessing.

The credentials are generally, for some reason unknown to me, passed along to trusted sites as well. I don't know why this is, but I've seen this behavior enough to be confident stating it.

This feature is only available in IE, except for the workaround you found for Firefox, and will not work in other browsers, unless you find similar workarounds.

A better solution would be to specify the username and password in code as shown here:

http://msdn.microsoft.com/en-us/library/wh2h7eed.aspx

This performs a search and passes along a username and password, rather than relying on the Windows Integrated security.

alt text

I have a working snippet of code here for getting an email based on username in our domain, that you can modify for your needs:

Public Function GetEmailFromUserName(ByVal UserID As String) As String
    Dim ReturnValue As String = ""


    Dim myAD As New System.DirectoryServices.DirectoryEntry("LDAP://mydomain", System.Configuration.ConfigurationManager.AppSettings("adsearchname"), System.Configuration.ConfigurationManager.AppSettings("adsearchpwd"))
    Dim searcher As New System.DirectoryServices.DirectorySearcher(myAD)
    searcher.Filter = ("(anr= " & UserID & ")")
    searcher.PropertiesToLoad.Add("mail")
    For Each myResult As System.DirectoryServices.SearchResult In searcher.FindAll()
        For Each Key As String In myResult.Properties.PropertyNames
            If InStr(myResult.Properties.Item(Key).Item(0), "@") Then
                ReturnValue = myResult.Properties.Item(Key).Item(0)
            End If
        Next
    Next

    Return ReturnValue
End Function
David
  • 72,686
  • 18
  • 132
  • 173
  • Thanks David, we ended up creating a low level domain user account and hard-coding that into the web.config. After that we added it to the IIS_WPG group and everythign worked! – David Mathis Jan 10 '11 at 20:51
  • Good deal! Don't forget to encrypt your web.config to protect the username/password. – David Jan 10 '11 at 20:51