View full version: Wrapper API for using Microsoft Active Directory Services

SpoonySonny 2006-6-11 03:24 PM

Wrapper API for using Microsoft Active Directory Services

Overview
Applies To:
Microsoft® ASP.NET 1.x
Microsoft® Visual Studio® .NET 2003
Microsoft® Active Directory® Services
Summary:
If you are developing web applications with Microsoft® ASP.NET and need to secure your site from unauthorized access, you have surely investigated the various authentication and authorization techniques that ASP.NET 1.x enables. This article discusses how to use Microsoft Active Directory Services through a wrapper API developed for that purpose.

Contents
Introduction
What is this article about?
How Does Active Directory Work?
What’s inside Wrapper API for Active Directory?
Platforms Tested
Conclusion
Introduction
Active Directory lets you authenticate and authorize users from a centralized location, so users who authenticate through Active Directory don’t need to remember a separate password for every application. Microsoft uses Active Directory in almost all of its application servers, such as Microsoft Content Management Server, Microsoft SharePoint Portal Server, Microsoft CRM, and Microsoft Exchange Server, for centralized authentication and authorization. Active Directory is integrated with the Windows operating system, which means intrinsic support is available at a very low level.

Active Directory Services Interface (ADSI) has always been a very effective way of dealing with users in a Windows network. The System.DirectoryServices namespace gives users access to some rudimentary user administration via ASP.NET. The classes in the System.DirectoryServices namespace enable programmers to access ADSI objects.

How Does Active Directory Work?
Active Directory is simply a hierarchical, object-orientated database that represents all of your network resources. At the top there's typically the Organization (O), beneath that Organizational Units (OU) as containers, and finally objects that consist of your actual resources. This hierarchical format creates a very familiar and easy-to-administrate tree for systems administrators. For example, if you assign an OU access to a given resource, that access will also be persisted to the objects that are contained within it.

What is this article about?
Active Directory Services is a bit complex, so to make it more user-friendly I created a wrapper API in VB.NET and C#.NET, which performs all the operations a developer needs in order to navigate Active Directory.

By using the wrapper API, a developer can perform the following operations:

Add User To Group
Create Active Directory Group
Create Active Directory User
Delete Active Directory Group Account
Delete Active Directory User Account
Enable Active Directory User Account
Group Exist
IsUserValid
Load All Users
Load All Groups
Load Group
Load User
Login
Remove User From Group
User Exist
Set Password
Update User
Update Group
What’s Inside Wrapper API for Active Directory?


As shown in Figure #1, the wrapper API consists of the following classes:

ADManager Class
ADManager is a singleton class responsible for managing the users and groups in the Active Directory.

How to Use
To add a user to a particular Active Directory group, use the following code.

Dim _ADUser As ADUser
_ADUser = ADManager.Instance.LoadUser("adnan")
Dim _ADGroup As ADGroup
_ADGroup = ADManager.Instance.LoadGroup("DeveloperGroup")
ADManager.Instance.AddUserToGroup(_ADUser.DistinguishedName,
    _ADGroup.DistinguishedName)
To check whether a user exists in Active Directory, use the following simple code.

If ADManager.Instance.UserExists("adnan") Then
    MsgBox("User Exist in the Active Directory")
End If
ADGroup Class
The ADGroup class consists of properties and methods for dealing with Active Directory groups.

I mapped the following properties with Active Directory Group in order to make the properties simple.

“Name” Mapped With "cn"
“DisplayName” Mapped With “DisplayName”
“DistinguishedName” Mapped With “DistinguishedName”
“Description” Mapped With “Description”
How to Use
The ADGroup class is used to create/update the group in the Active Directory.

Below is the code snippet for creating a group in Active Directory.

Dim _AdGroup As New ADGroup
_AdGroup.Name = "DeveloperGroup"
_AdGroup.Description = "All developers in the company"
_AdGroup = ADManager.Instance.CreateADGroup(_AdGroup)
ADUser Class
The ADUser class consists of properties and methods for dealing with Active Directory users. The ADUser properties and the corresponding properties in Active Directory are given below:

“FirstName” Mapped With “givenName”
“MiddleInitial” Mapped With “initials”
“LastName” Mapped With “sn”
“UserPrincipalName” Mapped With “UserPrincipalName”
“PostalAddress” Mapped With “PostalAddress”
“MailingAddress” Mapped With “MailingAddress”
“ResidentialAddress” Mapped With “HomePostalAddress”
“Title” Mapped With “Title”
“HomePhone” Mapped With “HomePhone”
“OfficePhone” Mapped With “TelephoneNumber”
“Mobile” Mapped With “Mobile”
“Fax” Mapped With “FacsimileTelephoneNumber”
“Email” Mapped With “Email”
“Url” Mapped With “Url”
“UserName” Mapped With “sAMAccountName”
“DistinguishedName” Mapped With “DistinguishedName”
“IsAccountActive” to check the user status in the active directory.
How to Use
1. The ADUser class is used to create the user. The code snippet to create the user is given below:

Dim _AdUser As New ActiveDirectory.ADUser
_AdUser.FirstName = "Syed"
_AdUser.MiddleInitial = "Adnan"
_AdUser.LastName = "Ahmed"
_AdUser.Email = "adnanahmed235@yahoo.com"
_AdUser.UserName = "adnan"
_AdUser.Password = "123456"
_AdUser.IsAccountActive = True
_AdUser.MailingAddress = "Riyadh, Saudi Arabia"
_AdUser.Title = "Software Engineer"
_AdUser = ADManager.Instance.CreateADUser(_AdUser)
2. If you want to update the user in Active Directory, use the following code snippet.

Dim _AdUser As ADUser
_AdUser = ADManager.Instance.LoadUser("adnan")
_AdUser.MailingAddress = "Jeddah, Saudi Arabia"
_AdUser.Title = "Senior Software Engineer"
_AdUser.Update()
3. You can use ADUser class to reset the user password.

Dim _AdUser As ADUser
_AdUser = ADManager.Instance.LoadUser("adnan")
_AdUser.SetPassword("654321")
Utility Class
Utility class is responsible for general options.

Configuration Changes
Before using the wrapper API, follow these instructions for Windows and web-based applications.

Web Based Application
Add the following line inside the <system.web> tag in the web.config file.

<identity impersonate="true" />
Add the following lines of tags inside the <appSettings> tags.

<add key="Domain" value="MyDomain.com" />
<add key="ADPAth" value="LDAP://MyDomain " />
<add key="ADUser" value="administrator" />
<add key="ADPassword" value="123" />
<add key="ADUsersPath" value="OU=DeveloperDepartment," />
Note: In the ‘ADUsersPath’ key, the value (“OU=DeveloperDepartment,") is an example Organizational Unit (OU) in Active Directory. You can use any of your own organizational units or create a new one for testing.

In IIS, select the website. In the Properties window, select the Directory Service tab. Under Authentication and access control, click the Edit button to open the Authentication Methods window. Select Anonymous access, enter the Domain Administrator account user name and password, and select Integrated Windows Authentication, as shown in the following figures.



Figure #2


Figure #3
Windows Based Application
Add the following lines of tags inside the <configuration> tags.

<appSettings>
<add key="Domain" value="MyDomain.com" />
<add key="ADPAth" value="LDAP://MyDomain " />
<add key="ADUser" value="administrator" />
<add key="ADPassword" value="123" />
<add key="ADUsersPath" value="OU=DeveloperDepartment," />
</appSettings>
Note: Sample App.config file is included in the download API.
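
A sketch of how a lookup such as UserExists("adnan") can be written directly on System.DirectoryServices using the appSettings keys shown above; this is an added example, not the wrapper API's own code. It binds with AuthenticationTypes.Secure and escapes the user name before placing it in the LDAP filter, so input such as "*" cannot widen the search. The module and function names are hypothetical, and the project is assumed to reference System.DirectoryServices.dll.

```vbnet
Imports System
Imports System.Configuration
Imports System.DirectoryServices
Imports System.Text

Public Module AdLookupSketch   ' hypothetical name, not part of the wrapper API

    ' Escape a value for an LDAP search filter (RFC 4515) so that input
    ' such as "*" or ")(" cannot change the meaning of the filter.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length + 8)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Returns True when a user object with this sAMAccountName is found
    ' below the configured LDAP path.
    Public Function UserExists(ByVal userName As String) As Boolean
        If userName Is Nothing OrElse userName.Trim().Length = 0 Then Return False

        ' Keys as spelled in the article's appSettings section; the path is
        ' trimmed because the sample value ends with a space.
        Dim path As String = ConfigurationSettings.AppSettings("ADPAth").Trim()
        Dim bindUser As String = ConfigurationSettings.AppSettings("ADUser")
        Dim bindPassword As String = ConfigurationSettings.AppSettings("ADPassword")

        ' Secure requests negotiated (Kerberos/NTLM) authentication
        ' instead of a simple bind.
        Dim root As New DirectoryEntry(path, bindUser, bindPassword, AuthenticationTypes.Secure)
        Dim searcher As New DirectorySearcher(root)
        Try
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                              EscapeLdapFilterValue(userName) & "))"
            searcher.PropertiesToLoad.Add("distinguishedName")
            Return Not (searcher.FindOne() Is Nothing)
        Finally
            searcher.Dispose()
            root.Dispose()
        End Try
    End Function

End Module
```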

Platforms Tested
I have tested the included project on the following platforms:

Windows Server 2003
Windows XP SP1 or SP2
Conclusion
I have demonstrated how easy it is to navigate Active Directory objects by using the wrapper API, which uses System.DirectoryServices. In the next release of my wrapper API, I will demonstrate how to manage Active Directory roles and permissions by using the wrapper API. I have provided the API in both VB.NET and C#.NET, and you can use it in both Windows and web-based applications.

About Syed Adnan Ahmed

As an ISV Worker & MS SharePoint Consultant with solid experience in Enterprise SharePoint Implementation, Adnan spends considerable time on performance, scalability, availability, maintainability, globalization/localization and security on SharePoint Portal Server 2003. He has been involved in from large organisation in Ireland.

Adnan calls Galway, Ireland his home at the moment. His next big goal is passing the Microsoft Competency Exams on SharePoint Portal Server 2003. Adnan is interested in guest speaking opportunities or as an author for SharePoint magazines or Web sites. He can be contacted at adnan.pk@gmail.com

If you want to hear more about it contact me! Involve me in your projects and I will make a difference for you. Contact me if you have an idea for an article or research project. Also contact me if you want to co-author an article or join future research projects!

My Blog: http://www.sharepointblogs.com/adnan/
