Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Is there a way to authenticate user from .net code without using LDAP?

Last post 02-01-2010, 5:04 PM by joe. 5 replies.
  •  01-13-2010, 6:09 PM 7715

    Is there a way to authenticate user from .net code without using LDAP?

    I am new to Directory programming and I am wondering if there is a way to authenticate the user (username & password entered in the login form) against an AD without using LDAP. Our servers do not have LDAP installed and I was trying to find an alternative for it other than turning on the Basic Authentication for the site.

    The reason for turning OFF the basic authentication is the site will also be used by external users whose credentials are stored in the DB. Is there a suitable solution for this? Thanks for your time.

    -Priyanjit
  •  01-13-2010, 9:51 PM 7716 in reply to 7715

    Re: Is there a way to authenticate user from .net code without using LDAP?

    No need to install LDAP on servers; it is already there as part of .Net.
  •  01-19-2010, 8:30 AM 7733 in reply to 7716

    Re: Is there a way to authenticate user from .net code without using LDAP?

    Thanks for your quick reply. When I tried to use the same code (taken from the old server, which is working fine) for authentication on the new server, it threw errors. And when I contacted the Network team on this, they said LDAP has not been installed on the server and asked us to change the authentication code used in all of the projects. Any other ideas?
  •  01-26-2010, 10:16 PM 7744 in reply to 7733

    Re: Is there a way to authenticate user from .net code without using LDAP?

    What errors did it throw? Please try to supply the actual error message.
  •  02-01-2010, 3:24 PM 7766 in reply to 7744

    Re: Is there a way to authenticate user from .net code without using LDAP?

    We do not have an option to debug from the production server. How do I check if the LDAP is open on the production server?
  •  02-01-2010, 5:04 PM 7767 in reply to 7766

    Re: Is there a way to authenticate user from .net code without using LDAP?

    If you want the app to authenticate directly against AD, then you generally either do something LDAP-based with forms auth or you use a built-in feature of IIS like basic or integrated. Note that the latter depends on the server being joined to the domain in order for IIS to be able to authenticate them.

    If the server is domain joined and you still want to show your own login UI but don't want to do LDAP, you can use p/invoke to call the LogonUser API. This is similar to what IIS does on your behalf when you use Basic auth.

    My expectation is that if the machine is a domain member, then the ports required for LDAP would be open to the domain controllers so you should be able to do LDAP-based authentication in that case. If the machine is not domain-joined and also has no LDAP access through firewall, then I don't see how the admins would expect you to be able to authenticate users against the directory.

    My suggestion in cases where you may have users from multiple identity realms (you mentioned external users in SQL as well) would be to look at a federation-based approach. There is great info here:

    http://claimsid.codeplex.com/

    The federation-based approach is also very flexible in that the web server may be deployed in such a way that it has no direct connectivity to the directory at all but can still authenticate users externally due to the federation trust.

    As Rich already said, LDAP is built into Windows so there is no chance it isn't "installed". Windows LDAP and ADSI come with the OS and all versions of .NET have shipped with at least one LDAP stack. The question is whether or not you can use it. You haven't really provided enough information about the network deployment of the server in consideration to get a good answer to that question. :)
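
Added example, not part of the thread: one way to validate a login form's credentials through the LogonUser API mentioned in the last reply, assuming the web server is domain joined. The class and method names (`WindowsLogon`, `TryValidate`) are hypothetical; the Win32 error code is returned so it can be logged server-side while the user sees a single generic failure message.

```csharp
using System;
using System.Runtime.InteropServices;

// Hypothetical helper (names are not from the thread).
public static class WindowsLogon
{
    // Network logon: validates the credentials without creating an
    // interactive session or caching them on the web server.
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Returns true when the domain accepts the credentials. On failure,
    // win32Error holds the reason (for example 1326 = bad user name or
    // password, 1909 = account locked out). Log it; do not show it to the
    // user, so the form does not reveal which accounts exist or are locked.
    public static bool TryValidate(string user, string domain, string password,
        out int win32Error)
    {
        IntPtr token = IntPtr.Zero;
        win32Error = 0;
        try
        {
            bool ok = LogonUser(user, domain, password,
                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
            if (!ok)
            {
                // Must be read immediately after the failed call.
                win32Error = Marshal.GetLastWin32Error();
            }
            return ok;
        }
        finally
        {
            // The token is only proof of a successful logon here; always
            // release it so handles do not leak in the worker process.
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
        }
    }
}
```

Every failed call counts as a bad password attempt against the domain's lockout policy, so the form should be served over HTTPS and rate limited.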
