
Authentication using Web Service

Hi all. I have what should be a very simple task that is becoming a nightmare. Just return a true/false from a web service given a user's name and password.

I have windows based form applications that I want to be able to get information from a database on a remote server.

I have the process worked out to transmit database information via a web service, and even template files, encrypting the request and the reply to the highest level possible (almost). (on the in-network development machine)

That's not the issue. The problem comes in when our network admins say that for each request, we should write a log file to the database showing that we authenticated the user and the details of the transaction. Still so far, not a problem.

So then, here comes the crunch - authentication. From the local host server, I can get the old API process using the avdapi.dll to work great, and even the LDAP process to work like a charm.

But when I go to post to the test server, I found the wonderful world of process identity and impersonation.

Due to the security policies, they can't just add the machine name to the list of authorized identities (I guess for web facing machines that makes sense), but since this is a web service and not a web site there is not a log in screen and there are not roles defined, etc. etc.

I have a process for getting, encrypting, sending, and decrypting a user's name, and I need to authenticate this using the network's active directory. It's OK to take a performance hit by authenticating each transaction, but it doesn't seem like impersonation can work since the examples have you hard coding the data into the web config file, which is ridiculous for a dynamic process that should be able to accommodate anyone in the AD. I just can't seem to assign the current role of the web service to the user's name and password that I send it so I can return just a true/false authentication result.

If I set impersonation to true in the config file, the local host process blows up with many errors.

Everything I read is either really old, or specific to web sites with log in screens and membership roles and that is not the route I need to take since this is just a very small service that I want to reuse in many different applications and has to work against the AD.

So, any help is appreciated - thanks! hope this makes sense - it's been a long day :)

p.s. if this is the wrong forum, the admins can feel free to move it to wherever it should go.
BrianMize

OK, so after trolling through thousands of pages of blogs, forums, and documentation, I finally found a solution. And, as usual, it is something so unbelievably simple that the issue was just in how I was crafting the root authentication path.

So, I will post what I did in case someone else runs across this issue.

First - add a web reference to system.directoryservices

Next, add an import:

Imports System.DirectoryServices

Next, after decrypting the username and password, pass them to a function like this:


Private Function PlainTextValidateUser(ByVal username As String, ByVal pwd As String) As Boolean

    Dim result As Boolean = False
    Dim myLDAPPath As String = "LDAP://-------"

    'An empty or missing password does not bind as that user (ADSI falls back to
    'an anonymous bind or to the process identity), so it must never count as success.
    If String.IsNullOrEmpty(username) OrElse String.IsNullOrEmpty(pwd) Then Return False

    Try
        'DirectoryEntry is IDisposable: Using releases the underlying COM object and its
        'connection when the block ends (setting the variable to Nothing does not).
        Using entry As New DirectoryEntry(myLDAPPath, username, pwd)
            'The bind is lazy; reading NativeObject forces it with the supplied credentials.
            Dim nativeObject As Object = entry.NativeObject
            result = True 'no exception thrown, user must exist
        End Using
    Catch ex As Exception
        result = False 'exception thrown - no user with that name/pwd combination
    End Try

    Return result

End Function

I'll credit this site for turning me in the right direction:

http://dotbay.blogspot.com/2009/05/querying-ldap-from-c.html


Of course, you will have to provide the name of the server on which your LDAP resides. This runs remotely and returns true/false. Also, it doesn't create any logon session or bind any resources or open any security risks or any SQL injection issues.

HTH - Enjoy!
Brian

  • Marked As Answer by BrianMize
BrianMize
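The same true/false check, built on the System.DirectoryServices.AccountManagement API that shipped with .NET 3.5, as an added example that is not code from the original post. It keeps the property the thread was after (the web service runs under its own process identity and nothing is impersonated or hard-coded in web.config), and adds two things a practitioner wants around the bind: a distinct result when the domain controller cannot be reached, so an outage is not reported to every caller as a wrong password, and the per-request audit record the network admins asked for, built without the password ever being passed to it. The domain name "corp.example.com", the client address, the operation name and the WriteToAuditTable helper in the usage comment are assumptions, not anything from the thread.

```vb
' Added example (not the original poster's code). Requires a project reference to
' System.DirectoryServices.AccountManagement (.NET 3.5 or later).
Imports System
Imports System.DirectoryServices.AccountManagement

Public Enum AuthResult
    Success
    BadCredentials
    DirectoryUnavailable
End Enum

Public Class AdAuthenticator
    Private ReadOnly _domain As String

    ' domain: DNS name of the AD domain, e.g. "corp.example.com" (assumed value)
    Public Sub New(ByVal domain As String)
        _domain = domain
    End Sub

    ' Validate a name/password pair against AD without impersonating the caller
    ' and without changing the identity the web service runs as.
    Public Function Validate(ByVal userName As String, ByVal password As String) As AuthResult
        ' Reject empty input before touching the directory: an LDAP bind with an
        ' empty password is an anonymous bind and does not prove who the caller is.
        If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(password) Then
            Return AuthResult.BadCredentials
        End If

        Try
            ' The context itself is opened under the service's process identity;
            ' only the bind inside ValidateCredentials uses the supplied password.
            Using ctx As New PrincipalContext(ContextType.Domain, _domain)
                ' Negotiate picks Kerberos where available; Signing and Sealing
                ' protect the exchange with the DC. This is also the default for
                ' ContextType.Domain, spelled out here so the choice is visible.
                Dim ok As Boolean = ctx.ValidateCredentials(userName, password, _
                    ContextOptions.Negotiate Or ContextOptions.Signing Or ContextOptions.Sealing)
                If ok Then Return AuthResult.Success
                Return AuthResult.BadCredentials
            End Using
        Catch ex As PrincipalServerDownException
            ' No DC reachable. A blanket Catch returning False here would make
            ' every user look locked out for as long as the directory is down.
            Return AuthResult.DirectoryUnavailable
        End Try
    End Function

    ' One audit record per request, as the admins required. The password is
    ' deliberately not a parameter, so it cannot end up in the log table.
    Public Shared Function AuditRecord(ByVal userName As String, ByVal result As AuthResult, _
                                       ByVal clientAddress As String, ByVal operation As String) As String
        Return String.Format("{0:o} user={1} client={2} op={3} auth={4}", _
                             DateTime.UtcNow, userName, clientAddress, operation, result)
    End Function
End Class

' Usage from a web method, after the caller's name and password have been decrypted
' (WriteToAuditTable is a hypothetical helper standing in for the poster's own logging):
'   Dim auth As New AdAuthenticator("corp.example.com")      ' assumed domain
'   Dim r As AuthResult = auth.Validate(userName, password)
'   WriteToAuditTable(AdAuthenticator.AuditRecord(userName, r, clientIp, "GetReport"))
'   Return (r = AuthResult.Success)
```

ValidateCredentials returns False for a wrong name or password rather than throwing, so the only exception worth catching is the directory being unreachable; returning the three-way result lets the web method decide whether to answer false or to fail the request, while the audit line records which of the two happened.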
