Overview:
Now a day’s many companies are adopting registration and authentication for their employees for In-House applications at active directory domain level. In-House applications can register only those users which are already working inside companies’ domain.
Here I am writing this blog which will let developer knows that how in house applications can manage below two processes:
- Registration of users using Active directory domain
- Authenticate users inside Active Directory domain
How to Register Users for In-House applications by using Active Directory:
- Create a user registration page.
- Provide search user name textbox which can search the user name inside Active directory domain.
- We can provide pop up with list of AD users that matches with the username.
- User can select any user from pop up and the registration form can automatically fill up the information using AD details.
- Save the user details in database. We do not need to save the password for the user as we are doing AD authentication.
- If the user is already registered than we can prompt a dialog indicating that the user is already registered.
We can search the user based on user name:
Pop up with Search results:
C# Code to fetch users from Active directory:
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using Microsoft.Owin.Security;
using System.DirectoryServices;
using System.Collections.Generic;
namespace ADdemoProject
{
/// <summary>
/// Class AdAuthenticationService
/// </summary>
public class AdAuthenticationService
{
public List<UserMaster> GetUserFromAD(string name)
{
var domainContext = new PrincipalContext(ContextType.Domain);
var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, “Domain Users”);
UserPrincipal user = new UserPrincipal(domainContext);
user.Enabled = true;
user.SamAccountName = name;
PrincipalSearcher pSearch = new PrincipalSearcher();
pSearch.QueryFilter = user;
PrincipalSearchResult<Principal> results = pSearch.FindAll();
List<UserMaster> lstUsers = new List<UserMaster>();
foreach (var item in results)
{
UserMaster objUser = new UserMaster();
objUser.UserName = item.SamAccountName;
objUser.FullName = item.DisplayName;
lstUsers.Add(objUser);
}
return lstUsers;
}
}
}
How can we authenticate users inside ?
- Create a Login page with User Name and Password fields.
- When user enters credentials then we need to check first in our application db that the user name exists or not.
- If user does not exist then we do not need to authenticate in AD.
- If user exists in application db then we need to authenticate the credentials in AD.
- If authentication gets failed from AD then we need to log the wrong attempts made by user because the number of wrong attempts performed in application login page should not be more than actual machine attempts. If we will not log the number of wrong attempts then actual machine will gets locked and then we need to ask Admin to unlock machine.
- Before reaching to maximum wrong attempts we need to set logic in application db so we can avoid machine lock issue. Once the user has performed maximum no. of wrong attempts then we will stop to perform authentication in AD which will avoid machine lock issue.
What is ASP.NET Web API and How it works?
Login with unregistered user in application:
Login with wrong credentials with maximum attempts:
C# code to Authenticate user credentials in AD:
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using Microsoft.Owin.Security;
using System.DirectoryServices;
using System.Collections.Generic;
namespace ADdemoProject
{
/// <summary>
/// Class AdAuthenticationService
/// </summary>
public class AdAuthenticationService
{
public AuthenticationResult SignIn(String username, String password)
{
// authenticates against your Domain AD
ContextType authenticationType = ContextType.Domain;
PrincipalContext principalContext = new PrincipalContext(authenticationType);
bool isAuthenticated = false;
UserPrincipal userPrincipal = null;
try
{
isAuthenticated = principalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);
if (isAuthenticated)
{
userPrincipal = UserPrincipal.FindByIdentity(principalContext, username);
}
}
catch (Exception)
{
isAuthenticated = false;
userPrincipal = null;
}
if (!isAuthenticated || userPrincipal == null)
{
return new AuthenticationResult(“Username or Password is not correct”);
}
if (userPrincipal.IsAccountLockedOut())
{
// here can be a security related discussion weather it is worth
// revealing this information
return new AuthenticationResult(“Your account is locked.”);
}
if (userPrincipal.Enabled.HasValue && userPrincipal.Enabled.Value == false)
{
// here can be a security related discussion weather it is worth
// revealing this information
return new AuthenticationResult(“Your account is disabled”);
}
var identity = CreateIdentity(userPrincipal);
authenticationManager.SignOut(MyAuthentication.ApplicationCookie);
authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);
return new AuthenticationResult();
}
}
}
Author – Sahil Joshi
Get in Touch