Question

We are writing a custom authentication provider for a website hosted on our DMZ server. The website is built on a CMS called Kentico which runs on .NET 4.0 framework. The Kentico hosting server is located in the DMZ Active Directory forest. There is another, internal Active Directory forest, and DMZ AD has a one-way trust with internal AD (DMZ trusts internal AD, internal AD does not trust DMZ).

We can authenticate DMZ AD users without any problems. But we also need to be able to authenticate internal AD users. The firewall settings are blocking direct access to internal AD domain controllers, so we need to go through the trust and send authentication requests to DMZ AD DCs.

When trying to authenticate internal AD users, the LDAP queries sent by the authentication provider to the DMZ DCs are failing with "user not found".

Wondering if anyone has dealt with this issue before and how it was resolved. Thank you in advance for your replies.


Solution

The one sure-fire way I've found to authenticate users that are on the other side of a one-way trust is with the LogonUserEx function in the advapi32.dll library. I know for sure that the LOGON32_LOGON_INTERACTIVE logon type works, and that the LOGON32_LOGON_BATCH does not. LogonUserEx accepts both domain and user name as separate arguments or a UPN for the user name with a null domain argument.

Now Kentico is a little weird in that they have two out of the box authentication providers, one for authenticating against the Kentico DB and another for logging onto AD using the ActiveDirectoryMembershipProvider in the System.Web.Security package. That provider does not seem to be able to log in anyone on the other end of a one-way trust. Now Kentico does not let you make a custom provider to use instead, but rather it requires that any custom authentication happen via an event handler.

The Kentico documentation is a little weak on how to make a custom event handler. Here's a link to what they have for Kentico 7 (which is about the same as for Kentico 6) - http://bit.ly/13DXrFA. The only other practical information about making the custom event handler is for Kentico 6, but it should work fine for Kentico 7, and can be found here - http://bit.ly/13DXLEc. As you can see from that link, the event to target is SecurityEvents.Authenticate.Execute.

Hope that helps.
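The LogonUserEx approach from the answer, as an added example that is not part of the original answer and not Kentico's own code. The P/Invoke declaration and the constant values come from the Windows SDK (WinBase.h); the wrapper name `TrustLogon.ValidateCredentials` is this example's own. The Kentico wiring at the bottom assumes the Kentico 7 `SecurityEvents.Authenticate.Execute` handler signature (`AuthenticationEventArgs` with `UserName`, `Password` and `User`) and `UserInfoProvider.GetUserInfo`; check those against the Kentico version you run.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: validate credentials for an account that lives on the far
// side of a one-way trust by asking the local (DMZ) domain controller to
// perform an interactive logon. Only the success/failure result is used; the
// returned token is closed immediately and the password is never stored or logged.
public static class TrustLogon
{
    // Values from WinBase.h. The answer reports that INTERACTIVE works across
    // the trust and BATCH does not.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_LOGON_BATCH = 4;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error code returned for a wrong user name or password.
    public const int ERROR_LOGON_FAILURE = 1326;

    // Optional out parameters (logon SID, profile buffer, profile length, quota
    // limits) are passed as IntPtr so the caller can hand in IntPtr.Zero and
    // has nothing extra to free afterwards.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUserEx(
        string lpszUsername,
        string lpszDomain,          // null when lpszUsername is a UPN
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken,
        IntPtr ppLogonSid,
        IntPtr ppProfileBuffer,
        IntPtr pdwProfileLength,
        IntPtr pQuotaLimits);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    /// <summary>
    /// Returns true when the credentials are valid. Call either as
    /// ("jdoe", "INTERNAL", pwd) or with a UPN: ("jdoe@internal.example", null, pwd).
    /// win32Error receives 0 on success, otherwise the Win32 error code, so
    /// a bad password (1326) can be told apart from a trust or DC problem.
    /// </summary>
    public static bool ValidateCredentials(string userName, string domain, string password, out int win32Error)
    {
        IntPtr token;
        bool ok = LogonUserEx(userName, domain, password,
                              LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                              out token, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
        win32Error = ok ? 0 : Marshal.GetLastWin32Error();

        // The token would let the process impersonate the user; we only wanted
        // the yes/no answer, so release it right away.
        if (token != IntPtr.Zero)
        {
            CloseHandle(token);
        }
        return ok;
    }
}

// Assumed Kentico 7 wiring (names per the Kentico docs linked in the answer;
// verify against your version). Kentico raises this event on every login
// attempt; setting e.User tells it the user is authenticated.
[CustomAuthentication]
public partial class CMSModuleLoader
{
    private class CustomAuthenticationAttribute : CMS.SettingsProvider.CMSLoaderAttribute
    {
        public override void Init()
        {
            CMS.Membership.SecurityEvents.Authenticate.Execute += Authenticate_Execute;
        }

        private static void Authenticate_Execute(object sender, CMS.Membership.AuthenticationEventArgs e)
        {
            // Let the built-in providers (CMS DB, DMZ AD) keep their result.
            if (e.User != null)
            {
                return;
            }

            int error;
            // Assumption: site users sign in with the internal forest's UPN suffix.
            if (TrustLogon.ValidateCredentials(e.UserName, null, e.Password, out error))
            {
                // Map the validated Windows account onto an existing CMS user record;
                // leave e.User null (login denied) when no such record exists.
                e.User = CMS.Membership.UserInfoProvider.GetUserInfo(e.UserName);
            }
            // On failure e.User stays null; Kentico reports a failed login and the
            // Win32 code in 'error' is worth writing to the event log for diagnosis.
        }
    }
}
```

Because the DMZ DC performs the logon on the web server's behalf, each attempt is also recorded in the DC's security log, which is where failed trust logons should be checked when the code path returns an error other than 1326.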

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow