Active Directory Integration

Posted By JMD Mon 13 Oct 2014
JMD
 Posted Mon 13 Oct 2014
Has anyone successfully integrated AD users into Kartris? I'm new to the product and hoping to validate the user credentials against the domain and was hoping someone might have a place to start or direction to point me.
BORNXenon
 Posted Wed 15 Oct 2014
I haven't done this with Kartris, but have with our in-house database so hopefully I can point you in the right direction.

First you will need to add the following to your web.config under the <connectionStrings> element. The exact paths depend on your AD organisational units; the following is based on an SBS network with the fictional domain of test.local.


<!-- User connection string -->
<add name="ADUsersConnectionString" connectionString="LDAP://TEST.local/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=TEST,DC=local" />
<!-- Groups connection string -->
<add name="ADGroupsConnectionString" connectionString="LDAP://TEST.local/OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local"/>



The two connection strings above allow you to connect to both the users OU and the Security Groups OU, so you can restrict or allow access based on groups or individual users.

You also require the following under <system.web>


<!-- debug="true" is for development only: set it to false in production, where it would expose detailed errors -->
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<!-- System.Windows.Forms is not used by any of the code below and can be left out -->
<add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
<authentication mode="Forms">
<!-- timeout is in minutes: 43200 keeps the authentication cookie valid for 30 days -->
<forms name=".ADAuthCookie" timeout="43200"/>
</authentication>
<authorization>
<!-- first match wins: deny anonymous users ("?"), allow every authenticated user ("*") -->
<deny users="?"/>
<allow users="*"/>
</authorization>
<membership defaultProvider="MyADMembershipProvider">
<providers>
<!-- validates logins against the users OU; with no connectionUsername/connectionPassword the bind runs as the application pool identity -->
<add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" attributeMapUsername="sAMAccountName" connectionStringName="ADUsersConnectionString"/>
</providers>
</membership>


You can then put the following in the code behind of your login page:


'Required at the top of the login page code-behind (the assemblies are referenced in web.config above).
Imports System.Configuration
Imports System.DirectoryServices
Imports System.Web.UI.WebControls

'Escape the characters that have meaning in an LDAP search filter (RFC 4515), so that a username
'such as "jsmith)(objectClass=*" cannot change the query.
Public Function EscapeLdapFilterValue(ByVal value As String) As String
    Dim sb As New System.Text.StringBuilder()
    For Each c As Char In value
        Select Case c
            Case "\"c : sb.Append("\5c")
            Case "*"c : sb.Append("\2a")
            Case "("c : sb.Append("\28")
            Case ")"c : sb.Append("\29")
            Case ControlChars.NullChar : sb.Append("\00")
            Case Else : sb.Append(c)
        End Select
    Next
    Return sb.ToString()
End Function

Public Function CheckADGroup(ByVal Username As String, ByVal GroupToCheck As String) As Boolean
    'Function that receives a username and checks whether it is a direct member of a specific group
    'in Active Directory. memberOf lists direct memberships only: nested groups and the user's
    'primary group (normally Domain Users) are not included.
    Try
        'Search from the users OU: it is the user object, not the group object, that carries memberOf.
        'The original passed the LDAP path to New DirectorySearcher(String), whose argument is a filter,
        'not a search root, so the groups connection string was silently ignored.
        Dim adRoot As New DirectoryEntry(ConfigurationManager.ConnectionStrings("ADUsersConnectionString").ConnectionString)

        'The groups returned may have different combinations of lowercase and uppercase, so normalise GroupToCheck.
        GroupToCheck = GroupToCheck.Trim().ToLowerInvariant()

        'Define DirectorySearcher
        Dim adSearcher As New DirectorySearcher(adRoot)

        'Filter where sAMAccountName equals the username passed in; parenthesise the filter and escape
        'the value to prevent LDAP injection.
        adSearcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & EscapeLdapFilterValue(Username) & "))"

        'Load only the memberOf attribute
        adSearcher.PropertiesToLoad.Add("memberOf")

        Dim adResult As SearchResult = adSearcher.FindOne()
        If adResult Is Nothing OrElse Not adResult.Properties.Contains("memberOf") Then
            'Unknown user, or a user in no groups: fail closed
            Return False
        End If

        'Each memberOf value is a group DN such as "CN=Allowed Users,OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local"
        For Each groupDn As Object In adResult.Properties("memberOf")
            Dim tempString As String = groupDn.ToString()

            'Keep only the first RDN ("CN=Allowed Users"). A comma inside a group name is escaped as "\,"
            'in the DN, so skip escaped commas when looking for the RDN separator.
            Dim cut As Integer = 0
            While cut < tempString.Length
                If tempString(cut) = ","c AndAlso (cut = 0 OrElse tempString(cut - 1) <> "\"c) Then Exit While
                cut += 1
            End While
            tempString = tempString.Substring(0, cut)

            'Remove the "CN=" prefix, undo the DN escaping of commas, then normalise
            If tempString.StartsWith("CN=", StringComparison.OrdinalIgnoreCase) Then tempString = tempString.Substring(3)
            tempString = tempString.Replace("\,", ",").Trim().ToLowerInvariant()

            'Check if GroupToCheck equals tempString and exit the function if True
            If GroupToCheck = tempString Then Return True
        Next

        'If code reaches here, there was no match
        Return False

    Catch ex As Exception
        'Any error (directory unreachable, bind rejected, etc.) denies access. Log ex somewhere:
        'silently returning False makes an outage look like an authorisation failure.
        Return False
    End Try

End Function



And also:


Protected Sub Login1_LoggingIn(ByVal sender As Object, ByVal e As LoginCancelEventArgs) Handles Login1.LoggingIn

    'LoggingIn fires before the membership provider has checked the password, so this group lookup
    'runs on an unverified username: anyone can learn whether an account is in "Allowed Users" by
    'submitting it with any password. If that matters, do the check in the Authenticate event after
    'Membership.ValidateUser has succeeded, and return one generic failure message for both cases.

    'Invoke CheckADGroup to ensure the user is a member of the relevant group
    If Not CheckADGroup(Login1.UserName, "Allowed Users") Then

        'If no match, or an error, cancel authentication and show a message
        e.Cancel = True
        Login1.InstructionText = "Access Denied"
        Login1.InstructionTextStyle.ForeColor = Drawing.Color.Red
    End If

End Sub



The above code checks whether the user whose login credentials were supplied is a member of the AD group 'Allowed Users' and, if not, denies the login.

You can then put the following into your master page:


<asp:LoginStatus ID="LoginStatus1" runat="server" />
<asp:LoginName ID="LoginName1" runat="server" />
<asp:TextBox ID="CurrentUserTextBox" runat="server" Visible="False" />
<%-- hyperlink_Admin is toggled by the code-behind below but was not shown in the original markup; the target URL is assumed --%>
<asp:HyperLink ID="hyperlink_Admin" runat="server" NavigateUrl="~/Admin.aspx" Text="Admin" />



and the following in the code-behind:


'Required at the top of the master page code-behind.
Imports System.DirectoryServices

Protected Property strCurrentUser As String

Protected Sub Page_PreRender(sender As Object, e As System.EventArgs) Handles Me.PreRender
    'PopulateVersionInfo() is part of the author's in-house application and is not shown here
    PopulateVersionInfo()

    'Session("CurrentUser") is Nothing on the first request, so test for empty rather than comparing to ""
    If String.IsNullOrEmpty(CStr(Session("CurrentUser"))) Then
        'Retrieve the user's name from Active Directory based on their user ID and set strCurrentUser
        If Page.User.Identity.IsAuthenticated AndAlso Page.User.Identity.Name <> "" Then
            'Set up the lookup to AD, searching from the users OU
            Dim adEntry As New DirectoryEntry(System.Web.Configuration.WebConfigurationManager.ConnectionStrings("ADUsersConnectionString").ConnectionString)
            'Define which fields to retrieve from AD. Identity.Name is the account name the membership
            'provider validated, read back from the forms ticket, not raw request input.
            Dim adSearcher As New DirectorySearcher(adEntry)
            adSearcher.Filter = "(&(objectCategory=Person)(objectClass=User)(sAMAccountName=" & Page.User.Identity.Name & "))"
            adSearcher.PropertiesToLoad.Add("cn")

            Dim adResults As SearchResult = adSearcher.FindOne()

            'Set strCurrentUser to the search result, falling back to the login name if the account is no longer in the OU
            If adResults IsNot Nothing AndAlso adResults.Properties.Contains("cn") Then
                strCurrentUser = adResults.Properties("cn")(0).ToString()
            Else
                strCurrentUser = Page.User.Identity.Name
            End If

            'Set session variable so that we don't need to query AD every time the master page loads
            Session("CurrentUser") = strCurrentUser

            'Invoke CheckADGroup to check if the user is a member of the admin group and set the session variable accordingly
            Session("IsDBAdmin") = CheckADGroup(Page.User.Identity.Name, "Database Admin")
        End If
    End If

    CurrentUserTextBox.Text = CStr(Session("CurrentUser"))

    'Hide the admin link unless the session flag is exactly True (it is Nothing before the first lookup).
    'This has to run on every request, including the first one after login: the original only hid the
    'link on later requests, so a non-admin saw it once.
    hyperlink_Admin.Visible = True.Equals(Session("IsDBAdmin"))

End Sub

'CheckADGroup here is the same function as in the login page code-behind above; see that copy for
'the corrected version. Rather than pasting it into every class, put it in a shared module under
'App_Code so the master page, the login page and the admin page all call the one implementation.

Protected Sub LoginStatus1_LoggedOut(sender As Object, e As EventArgs) Handles LoginStatus1.LoggedOut
'Clear session variables, abandon session and redirect to Login page
Session("CurrentUser") = ""
Session("IsDBAdmin") = ""
Session.Clear()
Session.Abandon()

Response.Redirect("Login.aspx")
End Sub



The above code basically just checks whether there is a session matching the user's login ID and, if not, attempts to re-authenticate the user, checks their group security, etc.; if the authentication fails, it redirects to the login page.

If authentication is successful, and the user is a member of the 'Database Admin' group, it will display the link to the Admin page.

On the admin page, you can put the following code:


Protected Sub Page_PreInit(sender As Object, e As EventArgs) Handles Me.PreInit
    'Check if the current user has permission to see this page. Compare against the boxed Boolean
    'explicitly: Session("IsDBAdmin") is Nothing until the master page has set it.
    'Note that PreInit runs before the master page's PreRender, so on the very first request after
    'login (e.g. a ReturnUrl straight to this page) the flag is still empty and even an admin is
    'redirected once; the master page on Default.aspx then populates it and the next visit succeeds.
    If Not True.Equals(Session("IsDBAdmin")) Then
        Response.Redirect("Default.aspx")
    End If
End Sub



This checks if the IsDBAdmin session variable is True and redirects if not.

As I said, the above is what we use on one of our internal applications, but I'm sure it could be adapted for use with Kartris without too many headaches.

Hope it helps.
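The same web.config fragments with hardened settings, as an added example rather than the post's own configuration. The domain, OU paths, provider name and cookie name are taken from the post; the attribute values chosen here (a 30-minute sliding timeout, HTTPS-only cookies) are assumptions to adjust per deployment, and the LDAPS note applies only where the domain controller has a server certificate.

```xml
<!-- Added example: hardened counterparts of the fragments in the post above. -->
<connectionStrings>
  <!-- Paths as posted. If the DC has a certificate, append ":636" to the host and open the
       DirectoryEntry with AuthenticationTypes.SecureSocketsLayer so lookups use LDAPS;
       otherwise the provider setting connectionProtection="Secure" below still prevents a
       cleartext bind by using Kerberos signing and sealing. -->
  <add name="ADUsersConnectionString"
       connectionString="LDAP://TEST.local/OU=SBSUsers,OU=Users,OU=MyBusiness,DC=TEST,DC=local" />
  <add name="ADGroupsConnectionString"
       connectionString="LDAP://TEST.local/OU=Security Groups,OU=MyBusiness,DC=TEST,DC=local" />
</connectionStrings>
<system.web>
  <!-- As posted: debug="true". Debug builds send detailed errors to the browser and disable
       request time-outs; keep it false outside development. -->
  <compilation debug="false" targetFramework="4.0">
    <assemblies>
      <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
      <add assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    </assemblies>
  </compilation>
  <authentication mode="Forms">
    <!-- As posted: timeout="43200" keeps a stolen cookie valid for 30 days. Here: 30 minutes,
         sliding, sent only over HTTPS, never in the URL, and an explicit login page. -->
    <forms name=".ADAuthCookie" loginUrl="~/Login.aspx" timeout="30" slidingExpiration="true"
           requireSSL="true" cookieless="UseCookies" protection="All" />
  </authentication>
  <!-- Cookies unreadable from script and only sent over HTTPS. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <clear/>
      <!-- connectionProtection="Secure" is the default but is worth stating: the provider uses SSL
           where available and otherwise Kerberos signing and sealing, never an unprotected bind.
           enableSearchMethods stays false so the web application cannot enumerate the directory. -->
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADUsersConnectionString"
           connectionProtection="Secure"
           attributeMapUsername="sAMAccountName"
           enableSearchMethods="false" />
    </providers>
  </membership>
</system.web>
```

The cookie timeout and requireSSL settings only help if the site is actually served over HTTPS; with requireSSL="true" the forms cookie is not issued at all on a plain HTTP request, which is the intended fail-closed behaviour.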

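The group check in the post walks the memberOf attribute, which misses nested groups and the primary group, and runs it in LoggingIn, before the password has been verified. The following is an added example (not code from the post or from Kartris) that does the same job with the System.DirectoryServices.AccountManagement assembly the post already references: it validates the password first, then reads the user's full authorization group list, and makes the Login control's Authenticate event the single decision point. Assumed names: the module AdAuth, its functions ValidateCredentials and GetGroupNames, the OU=MyBusiness container, the group names "Allowed Users" and "Database Admin" from the post, and a Login control named Login1.

```vb
' Added example, not from the original post. Assumed: module/function names, the container OU,
' and a Login control named Login1 on the login page.
Imports System.Collections.Generic
Imports System.DirectoryServices.AccountManagement
Imports System.Web.UI.WebControls

Public Module AdAuth
    Private Const DomainName As String = "TEST.local"
    Private Const Container As String = "OU=MyBusiness,DC=TEST,DC=local"

    ' Negotiate (Kerberos/NTLM) with signing and sealing: these are the defaults for a domain
    ' context, written out so nobody can quietly weaken them to a simple, cleartext bind.
    Private Function NewDomainContext() As PrincipalContext
        Return New PrincipalContext(ContextType.Domain, DomainName, Container,
            ContextOptions.Negotiate Or ContextOptions.Signing Or ContextOptions.Sealing)
    End Function

    ' True only if the domain accepts the username/password pair.
    Public Function ValidateCredentials(ByVal username As String, ByVal password As String) As Boolean
        If String.IsNullOrEmpty(username) OrElse String.IsNullOrEmpty(password) Then Return False
        Try
            Using ctx As PrincipalContext = NewDomainContext()
                Return ctx.ValidateCredentials(username, password, ContextOptions.Negotiate)
            End Using
        Catch ex As Exception
            ' Directory unreachable: fail closed rather than let the caller skip the password check.
            Return False
        End Try
    End Function

    ' Every group in the user's token, nested groups and the primary group included, which a walk
    ' of the memberOf attribute misses. Names are compared case-insensitively.
    Public Function GetGroupNames(ByVal username As String) As HashSet(Of String)
        Dim groups As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
        Try
            Using ctx As PrincipalContext = NewDomainContext()
                Using user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username)
                    If user IsNot Nothing Then
                        For Each grp As Principal In user.GetAuthorizationGroups()
                            If grp.Name IsNot Nothing Then groups.Add(grp.Name)
                        Next
                    End If
                End Using
            End Using
        Catch ex As Exception
            ' An unresolvable SID in the token or a DC outage leaves the set as it is (possibly empty),
            ' so the caller denies access. Log ex so an outage is not mistaken for a bad password.
        End Try
        Return groups
    End Function
End Module

Partial Class Login
    Inherits System.Web.UI.Page

    ' Handle Authenticate rather than LoggingIn: the group check runs only after the password has
    ' been verified, and a wrong password and a missing membership both produce the control's one
    ' generic FailureText, so the login page no longer reveals who is in "Allowed Users".
    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As AuthenticateEventArgs) Handles Login1.Authenticate
        e.Authenticated = False
        If Not AdAuth.ValidateCredentials(Login1.UserName, Login1.Password) Then Return

        Dim groups As HashSet(Of String) = AdAuth.GetGroupNames(Login1.UserName)
        If Not groups.Contains("Allowed Users") Then Return

        ' Decide admin rights from the same verified identity, once, instead of on every master page load.
        Session("IsDBAdmin") = groups.Contains("Database Admin")
        e.Authenticated = True
    End Sub
End Class
```

Because the Authenticate handler sets e.Authenticated itself, the Login control issues the forms cookie without consulting the membership provider; the provider entry in web.config can stay for other Membership calls but is no longer on the login path. GetAuthorizationGroups can be slow on large token sizes, which is another reason to evaluate it once at login and cache the result in session rather than per request.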