
iis security : Some users can log on, and others cannot


Rod
9/29/2004 2:34:58 PM
We are implementing an ASP.NET application which uses forms authentication
but authenticates using Active Directory in a Windows 2000 domain. (I used
MSDN article 326340 to help me set all of this up.)

I have found that some of my users can log into the new ASP.NET application
just fine, but others cannot. For example, one of my users is Bill and
another is Paul. Bill can log in just fine, but Paul cannot. I went into
Active Directory Users and Computers and took a look at both of them, and I
found that Bill is a member of "Domain Users" and "Providers" (an OU we
have), whereas Paul is a member of "Domain Users", "Providers" and another
OU called "ProvidersMailList". So, even though Paul is a member of more
groups, including all those that Bill is a member of, Paul cannot log in but
Bill can. When Paul tries to log in he gets an error that says:

"Error obtaining group names. Object reference not set to an instance of an
object."

(The error is coming from the LdapAuthentication.vb class, I am sure.)

What could be causing these problems?

Rod

jeff.nospam NO[at]SPAM zina.com
9/29/2004 11:57:37 PM
On Wed, 29 Sep 2004 14:34:58 -0600, "Rod" <rodf@newsgroups.nospam>

Great questions for the dotnet folks, but likely not going to be
answered in the other groups you crossposted to...

v-wzhang NO[at]SPAM online.microsoft.com
9/30/2004 5:22:21 AM
Hi Rod,

Looks like there are several problems in the MSDN sample. I saw
somebody else also meet exactly the same error as yours in the
GetGroups method. The case owner has submitted a request to MSDN
support to change the article.

Building Secure ASP.NET Applications: Authentication, Authorization,
and Secure Communication
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT02.asp

You may bind using credentials to Active Directory before performing
the search to have a try. The GetGroups method needs to be changed as:

    public string GetGroups(string domain, string username, string pwd)
    {
        string domainAndUsername = domain + @"\" + username;
        // Bind to the directory with the user's credentials before searching.
        DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername,
                                                  pwd, AuthenticationTypes.Secure);
        entry.RefreshCache();
        DirectorySearcher search = new DirectorySearcher(entry);
        ...


Also, the following are 2 hotfixes related to .NET ADSI
DirectoryService programming. You can call PSS to request them at
your convenience (no charge).

IADs::Put/PutEx or IADsPropertyList::PutPropertyItem calls may not accumulate
http://support.microsoft.com/?kbid=835763

"Handling of this ADS value Type is not yet implemented" error when
you run a Web-aware COM application
http://support.microsoft.com/default.aspx?scid=kb;en-us;835554

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
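
An added example, not part of the original thread or the MSDN article: one way the credential-bound GetGroups from the reply above could be written out in full, with checks for the two places where a null would otherwise surface as "Object reference not set to an instance of an object". The class name, the sAMAccountName filter, the sample values in comments and the pipe-separated return format are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Hypothetical class name; _path and the GetGroups signature follow the reply above.
public class LdapGroupLookup
{
    private readonly string _path; // e.g. "LDAP://DC=example,DC=com" (constructed value)
    public LdapGroupLookup(string path) { _path = path; }

    public string GetGroups(string domain, string username, string pwd)
    {
        string domainAndUsername = domain + @"\" + username;
        using (DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd,
                                                         AuthenticationTypes.Secure))
        {
            entry.RefreshCache(); // forces the bind, so bad credentials fail here
            using (DirectorySearcher search = new DirectorySearcher(entry))
            {
                // Assumption: the account is looked up by sAMAccountName.
                search.Filter = "(sAMAccountName=" + EscapeFilter(username) + ")";
                search.PropertiesToLoad.Add("memberOf");
                SearchResult result = search.FindOne();
                if (result == null) // FindOne returns null when nothing matches
                    throw new InvalidOperationException("User not found: " + username);

                StringBuilder groupNames = new StringBuilder();
                ResultPropertyValueCollection memberOf = result.Properties["memberOf"];
                if (memberOf != null) // attribute can be missing from the result
                {
                    foreach (object value in memberOf)
                    {
                        string dn = (string)value; // constructed: "CN=Providers,OU=Groups,DC=example,DC=com"
                        int eq = dn.IndexOf('=');
                        int comma = dn.IndexOf(',', eq + 1);
                        if (eq < 0 || comma < 0) continue; // skip values that are not DNs
                        if (groupNames.Length > 0) groupNames.Append('|');
                        groupNames.Append(dn.Substring(eq + 1, comma - eq - 1));
                    }
                }
                return groupNames.ToString();
            }
        }
    }

    // RFC 4515 escaping so user input cannot alter the search filter.
    private static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The name extraction stops at the first comma, so a group whose CN contains an escaped comma would be truncated; memberOf also never lists the user's primary group.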
v-wzhang NO[at]SPAM online.microsoft.com
10/4/2004 2:20:01 AM
Hi Rod,

I wonder how the issue is going now?

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security