1
votes

Context: Excel add-in needs to test whether the current Windows user is a valid Active Directory user (and determines other permission-based logic based on this).

I set up the Active Directory Membership Provider. With the System.Security.Principal.WindowsIdentity user, I take out the domain name (user account name is \) and then use the username to test against the sAMAccountName in Active Directory (Membership.GetUser()).

Is this a valid way to test whether the current user is logged into Active Directory?

I get the impression I'm only testing whether the current user account name exists in Active Directory without actually knowing if the current user is actually logged into Active Directory.

Then again, I'm not sure what 'logged into Active Directory' means... I'm pretty new to Active Directory!

1
Did you miss some context here? You talked about Excel add-in and then you talked about Active Directory Membership Provider. As far as I know, Active Directory Membership Provider is for ASP.NET. How can it be related to your Excel add-in? – Harvey Kwok

I am missing context! Apologies, I missed an important step in there. The authentication actually happens within a WCF service; the Excel add-in makes the call through that to the AD provider. However, my testing has been with a simple command-line application. Seems to work fine! – genki

1 Answer

1
votes

Perhaps this would help you out:

Once you have retrieved a WindowsIdentity you can read its User property to get the SecurityIdentifier (SID) that uniquely identifies the user.

If you want to determine whether this account exists in an Active Directory store you can search the directory not by user name but instead using the SecurityIdentifier. In this way you don't have to worry about user name mixups.

If you instead want to determine which domain the user is signed in to, you could read the AccountDomainSid property of the user's SecurityIdentifier. This will give you the SecurityIdentifier that uniquely identifies the domain.
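
The SID-based lookup described in this answer, as an added example that is not part of the original answer: it resolves the identity's SID in the directory instead of matching on sAMAccountName, so a local account that shares a name with a domain user does not pass. It assumes System.DirectoryServices.AccountManagement is used rather than the membership provider from the question; the class and method names `AdUserCheck` and `IsEnabledDomainUser` are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll
using System.Security.Principal;

static class AdUserCheck // hypothetical name, for illustration only
{
    // Returns true only if the SID carried by this identity resolves to an
    // enabled user object in the domain. A local account that merely shares a
    // name with a domain user has a different SID, so it will not match.
    public static bool IsEnabledDomainUser(WindowsIdentity identity)
    {
        if (identity == null || identity.IsAnonymous || identity.IsGuest)
            return false;

        SecurityIdentifier sid = identity.User;
        if (sid == null || sid.AccountDomainSid == null)
            return false; // not an account SID (for example a well-known SID)

        try
        {
            // ContextType.Domain with no name binds to the default domain of
            // the calling process; pass a domain name to target a specific one.
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid.Value))
            {
                // Enabled is a nullable bool; treat "unknown" as not enabled.
                return user != null && user.Enabled == true;
            }
        }
        catch (PrincipalServerDownException)
        {
            return false; // no domain controller reachable: fail closed
        }
    }

    static void Main()
    {
        // In a WCF service, pass the caller's WindowsIdentity instead of the
        // identity of the service process.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("Account:         " + current.Name);
            Console.WriteLine("User SID:        " + current.User);
            Console.WriteLine("Domain SID:      " + current.User.AccountDomainSid);
            Console.WriteLine("Enabled AD user: " + IsEnabledDomainUser(current));
        }
    }
}
```

For a local account, AccountDomainSid is the SID of the machine rather than of a domain, so the directory search by SID returns no user.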