surGe

Reputation: 135

Trying to authenticate users against the AD - ASP.NET MVC

A web application where people can view their SSRS reports internally or externally.

I'm trying to authenticate users logging in against the active directory groups using custom authorize roles, so the reports can be secured down based on if they are in a particular AD Group or not.

Now I know this works out of the box with Windows auth/forms auth, but I'm using a custom authentication due to other reasons. What I do have is a table which has the custom usernames that the users are logging in with mapped against their Windows credentials.

I've been following this blog to test out this method of authenticating against the active directory groups and customized it to pass in the windows credentials mapped to the custom user login but having no luck so far.

With regards to the custom authentication, when a user logs in I go and find the matching domain name out of my table and store that domain name in the session variable, which is then passed into this AD authentication process for checking if the user exists in the group or not; see code below.

Custom authorize attribute,

using Application.Helpers;
using Models;
using System;
using System.Web;
using System.Web.Mvc;

namespace Application.Validators
{
    public class AuthorizeADAttribute : AuthorizeAttribute
    {
        // Name of the AD group the caller must belong to; empty means any authenticated user
        public string Group { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (string.IsNullOrEmpty(Group))
            {
                return true;
            }

            // The custom log-on stores the mapped Windows account in session;
            // if it is missing, deny rather than dereference null
            var logOnInfo = httpContext.Session["LogOnInfo"] as LogOnModel;
            if (logOnInfo == null || string.IsNullOrEmpty(logOnInfo.DomainName))
            {
                return false;
            }

            try
            {
                return LDAPHelper.UserIsMemberOfGroups(logOnInfo.DomainName, Group);
            }
            catch (Exception)
            {
                // Any directory failure (bad container, unreachable DC) fails closed
                return false;
            }
        }
    }
}

LDAP Helper,

using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Web;

namespace Application.Helpers
{
    public class LDAPHelper
    {
        public static string GetLDAPContainer()
        {
            Uri ldapUri;
            // When Uri.TryCreate fails it leaves ldapUri null, so the next line
            // throws a NullReferenceException (the error described in the question)
            ParseLDAPConnectionString(out ldapUri);
            return HttpUtility.UrlDecode(ldapUri.PathAndQuery.TrimStart('/'));
        }

        public static bool ParseLDAPConnectionString(out Uri ldapUri)
        {
            string connString =
                ConfigurationManager.ConnectionStrings["ADConnectionString"].ConnectionString;
            return Uri.TryCreate(connString, UriKind.Relative, out ldapUri);
        }

        public static bool UserIsMemberOfGroups(string username, string Group)
        {
            if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(Group))
            {
                return false;
            }

            // Verify that the user is in the given AD group (if any)
            using (var context = BuildPrincipalContext())
            using (var userPrincipal = UserPrincipal.FindByIdentity(context,
                IdentityType.SamAccountName,
                username))
            {
                // FindByIdentity returns null for an unknown account: deny instead of throwing
                if (userPrincipal == null)
                {
                    return false;
                }

                return userPrincipal.IsMemberOf(context, IdentityType.Name, Group);
            }
        }

        public static PrincipalContext BuildPrincipalContext()
        {
            string container = GetLDAPContainer();
            return new PrincipalContext(ContextType.Domain, null, container);
        }
    }
}

LDAP Connection string in the web.config (can confirm is correct),

 <add name="ADConnectionString" connectionString="LDAP://CN=Managers;OU=Groups,OU=Users,DC=domain"/>

My issue, I think, is that when I'm trying to return the container (GetLDAPHelper method) from the LDAP connection string back to the PrincipalContext, it just returns null and throws an error.

I'm looking to see if anyone has done anything remotely similar, or is there a more suitable method for trying to achieve what I'm doing?

Upvotes: 0

Views: 606

Answers (1)

Chris Pratt

Reputation: 239440

The issue is that the LDAP connection string is not a valid Uri, so when you attempt to make it one, ldapUri remains null. If you need to parse the connection string, for some reason, you'll need to do it another way. You can't use Uri.

Upvotes: 0
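One way to do the "other" parsing the answer refers to, written as an added example and not code from either post: the LDAP:// connection string is split by hand into an optional server part and the container DN, so System.Uri is never involved, and both pieces go straight into PrincipalContext. The class and method names (LdapConnectionString, UserIsMemberOfGroup) are assumptions for this example, as is passing the connection string in as a parameter instead of reading it from ConfigurationManager. The membership check fails closed when the configuration, the account or the group cannot be resolved, instead of throwing into the authorize attribute.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

namespace Application.Helpers
{
    // Added example: holds the parts of an "LDAP://[server/]DN" connection string.
    public sealed class LdapConnectionString
    {
        public string Server { get; private set; }    // null when the string has no host part
        public string Container { get; private set; } // distinguished name used as the search root

        public static bool TryParse(string connectionString, out LdapConnectionString result)
        {
            result = null;
            if (string.IsNullOrWhiteSpace(connectionString))
                return false;

            const string prefix = "LDAP://";
            if (!connectionString.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return false;

            string rest = connectionString.Substring(prefix.Length);
            string server = null;
            string container = rest;

            // "LDAP://dc01.example.local/OU=Users,DC=example,DC=local" carries a host before the
            // first '/', while "LDAP://OU=Users,DC=example,DC=local" starts with the DN itself.
            // A DN component always contains '=', a host name never does.
            int slash = rest.IndexOf('/');
            if (slash > 0 && rest.IndexOf('=', 0, slash) < 0)
            {
                server = rest.Substring(0, slash);
                container = rest.Substring(slash + 1);
            }

            container = container.Trim();
            if (container.Length == 0)
                return false;

            // Every comma-separated RDN must look like attribute=value
            foreach (string rdn in container.Split(','))
            {
                if (rdn.IndexOf('=') <= 0)
                    return false;
            }

            result = new LdapConnectionString { Server = server, Container = container };
            return true;
        }
    }

    public static class GroupMembership
    {
        // Returns true only when the account exists, the group exists and the account is a member.
        public static bool UserIsMemberOfGroup(string connectionString, string samAccountName, string groupName)
        {
            if (string.IsNullOrWhiteSpace(samAccountName) || string.IsNullOrWhiteSpace(groupName))
                return false;

            LdapConnectionString ldap;
            if (!LdapConnectionString.TryParse(connectionString, out ldap))
                return false; // bad configuration denies access instead of throwing

            using (var context = new PrincipalContext(ContextType.Domain, ldap.Server, ldap.Container))
            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                    return false; // unknown account: deny, do not NullReference

                using (var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName))
                {
                    return group != null && user.IsMemberOf(group);
                }
            }
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed sample strings; no directory is contacted here
            string[] samples =
            {
                "LDAP://OU=Users,DC=example,DC=local",
                "LDAP://dc01.example.local/OU=Users,DC=example,DC=local",
                "Server=dc01;Database=x"
            };

            foreach (string sample in samples)
            {
                LdapConnectionString parsed;
                bool ok = LdapConnectionString.TryParse(sample, out parsed);
                Console.WriteLine("{0} -> parsed={1} server={2} container={3}",
                    sample, ok, ok ? parsed.Server ?? "(none)" : "-", ok ? parsed.Container : "-");
            }
        }
    }
}
```

The container handed to PrincipalContext is the root under which FindByIdentity searches for the user, so it should be an OU or the domain root that contains user objects; the group is looked up separately by name, as the page's helper already does. Wrapping the UserPrincipal and GroupPrincipal in using blocks matters because each one holds a directory connection until disposed.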
