Active Directory Domain Name for authentication

active-directory

I have a bit of a code that takes an ldap string, a username, and a password, and then attempts to authenticate with the ldap server. The username may or may not contain the domain name, e.g., "DOMAIN\username" or "username" was valid input to this code.

From the ldap string, I will have a clear url, that may look like this LDAP://servername.com/DC=…etc. If I split out the server name portion, I get "servername.com", or "servername.corp", or whatnot. But if I attempt to login with servername.com\username, it does not authenticate. So one option is to split off the last ".", if there is one. Is this valid from an active directory perspective? What happens if there are subdomains such as xyx.servername.com?

I must admit I don't know enough about active directory to answer the above questions, and I can't find documentation that explains them. Some documentation that supports your answer would really help!

Best Answer

When a login is presented as DOMAIN\user, DOMAIN is the NETBIOS name of the AD domain. This is normally the lowest subdomain of the domain, but it can be anything. The other valid way of presenting the name is with a UPN suffix, i.e. user@domain.com. The problem with this is that an administrator can have multiple UPNs in a domain, though the default is the FQDN.

Basically, if you control the AD you should know this. If you don't, then you can't know for sure.

Related Solutions

Active Directory – How to Find Name of Active Directory Domain Controller

On any computer, that has DNS configured to use AD's DNS server do:

Start -> Run -> nslookup

set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME

Replace DOMAIN_NAME with the actual domain name e.g. example.com. Read more here.

LDAP – How to Figure Out LDAP Connection String

The ASP.NET Active Directory Membership Provider does an authenticated bind to the Active Directory using a specified username, password, and "connection string". The connection string is made up of the LDAP server's name, and the fully-qualified path of the container object where the user specified is located.

The connection string begins with the URI LDAP://.

For the server name, you can use the name of a domain controller in that domain-- let's say "dc1.corp.domain.com". That gives us LDAP://dc1.corp.domain.com/ thusfar.

The next bit is the fully qualified path of the container object where the binding user is located. Let's say you're using the "Administrator" account and your domain's name is "corp.domain.com". The "Administrator" account is in a container named "Users" located one level below the root of the domain. Thus, the fully qualified DN of the "Users" container would be: CN=Users,DC=corp,DC=domain,DC=com. If the user you're binding with is in an OU, instead of a container, the path would include "OU=ou-name".

So, using an account in an OU named Service Accounts that's a sub-OU of an OU named Corp Objects that's a sub-OU of a domain named corp.domain.com would have a fully-qualified path of OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com.

Combine the LDAP://dc1.corp.domain.com/ with the fully qualified path to the container where the binding user is located (like, say, LDAP://dc1.corp.domain.com/OU=Service Accounts,OU=Corp Objects,DC=corp,DC=domain,DC=com) and you've got your "connection string".

(You can use the domain's name in the connection string as opposed to the name of a domain controller. The difference is that the domain's name will resolve to the IP address of any domain controller in the domain. That can be both good and bad. You're not reliant on any single domain controller to be up and running for the membership provider to work, but the name happens to resolve to, say, a DC in a remote location with spotty network connectivity then you may have problems with the membership provider working.)

Best Answer

Related Solutions

Active Directory – How to Find Name of Active Directory Domain Controller

LDAP – How to Figure Out LDAP Connection String

Related Topic