Is my Active Directory solution supporting disjoint namespaces?

I am using Active Directory in my C# client/server application. The client and server use Active Directory to communicate, and this can be done in two ways.

  1. With the built-in Windows account; this is a setting in the WCF binding, like this:

    <binding name="netTcpWindowMessageSecurity"
             closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="infinite" sendTimeout="01:00:00"
             transactionFlow="false" transferMode="Buffered"
             transactionProtocol="OleTransactions"
             hostNameComparisonMode="StrongWildcard"
             listenBacklog="1000" maxBufferPoolSize="2147483647"
             maxBufferSize="2147483647" maxConnections="200"
             maxReceivedMessageSize="2147483647">
      <!-- Windows message security, as the binding name indicates -->
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

If I can get the current AD account name on the service, I take it for granted that the user is valid.

  2. The username and password for the AD account are entered into the client; these are sent to the service over regular TCP (WCF), where they are checked.

For example:

    using System;
    using System.Collections.Generic;
    using System.DirectoryServices.AccountManagement;
    using System.Linq;

    // GetADSettings, ValidationHandler, ValidationKey and ToTranslatedString()
    // are the application's own helpers and are not shown here.
    // The enclosing class name is a placeholder.
    public static partial class AccountService
    {
        public static void ValidateUserPasswordWindowsAccount(string loginname, string password)
        {
            ValidationHandler validationHandler = new ValidationHandler();
            PrincipalContext context;

            string ADServer = null;
            string ADUserName = null;
            string ADUserPassword = null;
            string account = loginname.ToLower();

            GetADSettings(out ADServer, out ADUserName, out ADUserPassword);

            // Bind with the configured service account when there is one,
            // otherwise with the identity of the running process.
            if (ADUserName.Length > 0)
                context = new PrincipalContext(ContextType.Domain, ADServer, null, ADUserName, ADUserPassword);
            else
                context = new PrincipalContext(ContextType.Domain, ADServer);

            using (context)
            {
                if (!context.ValidateCredentials(account, password))
                {
                    validationHandler.AddValidation(ValidationKey.Inloggning_OgiltigtNamnLosen, ValidationKey.Inloggning_OgiltigtNamnLosen.ToTranslatedString());
                    validationHandler.ThrowIfInvalid();
                }
            }
        }

        public static string CheckActiveDirectoryAccount(string account)
        {
            UserPrincipal user;
            PrincipalContext context;
            string ADServer = null;
            string ADUserName = null;
            string ADUserPassword = null;

            account = account.ToLower();
            GetADSettings(out ADServer, out ADUserName, out ADUserPassword);

            if (ADUserName.Length > 0)
                context = new PrincipalContext(ContextType.Domain, ADServer, null, ADUserName, ADUserPassword);
            else
                context = new PrincipalContext(ContextType.Domain, ADServer);

            using (context)
            {
                user = UserPrincipal.FindByIdentity(context, account);

                // If nothing was found and the name carries a DOMAIN\ prefix,
                // retry with the bare account name (the original code dereferenced
                // the null 'user' here and split on the wrong string).
                if (user == null && account.Contains("\\"))
                {
                    string bareName = account.Split('\\').Last();

                    if (bareName.Length > 0)
                        user = UserPrincipal.FindByIdentity(context, bareName);
                }

                if (user != null)
                {
                    using (user)
                    {
                        // Return the UPN prefix (user@suffix -> user); accounts without
                        // a UPN fall back to the sAMAccountName instead of throwing.
                        string userAccount = user.UserPrincipalName != null
                            ? user.UserPrincipalName.Split('@').First()
                            : user.SamAccountName;

                        return userAccount.ToLower();
                    }
                }
            }
            return string.Empty;
        }
    }

I found this article about disjoint namespaces: https://technet.microsoft.com/en-us/library/cc731125(v=ws.10).aspx

It says the following:

A disjoint namespace occurs when one or more domain member computers
have a primary Domain Name Service (DNS) suffix that does not match
the DNS name of the Active Directory domain of which the computers are
members. For example, a member computer that uses a primary DNS suffix
of corp.fabrikam.com in an Active Directory domain named
na.corp.fabrikam.com is using a disjoint namespace. A disjoint
namespace is more complex to administer, maintain, and troubleshoot
than a contiguous namespace. In a contiguous namespace, the primary
DNS suffix matches the Active Directory domain name. Network
applications that are written to assume that the Active Directory
namespace is identical to the primary DNS suffix for all domain member
computers do not function properly in a disjoint namespace.

The question is: how do I know whether this is supported by my application? I have no way to test it at this point.
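One thing that can be established without a disjoint-namespace lab is whether the machines the service and clients run on already sit in one, using the TechNet definition quoted above. The following is an added example, not code from the question or from Microsoft: it compares the computer's primary DNS suffix (from System.Net.NetworkInformation) with the DNS name of the Active Directory domain the computer is joined to (from System.DirectoryServices.ActiveDirectory), and runs the same comparison over TechNet's corp.fabrikam.com / na.corp.fabrikam.com example as constructed input. The class name NamespaceCheck is a placeholder.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;
using System.Net.NetworkInformation;

// Added diagnostic (placeholder class name). Reports whether the local
// computer is in a disjoint namespace as TechNet defines it: the primary
// DNS suffix differs from the DNS name of the AD domain it belongs to.
public static class NamespaceCheck
{
    public sealed class Result
    {
        public string PrimaryDnsSuffix;   // from the IP configuration
        public string AdDomainDnsName;    // from the directory (null if not domain-joined)
        public bool IsDisjoint;
    }

    // Pure comparison, so it can be exercised with constructed values as well as live ones.
    // Missing values are reported as disjoint: a contiguous namespace cannot be established.
    public static bool IsDisjoint(string primaryDnsSuffix, string adDomainDnsName)
    {
        if (string.IsNullOrEmpty(primaryDnsSuffix) || string.IsNullOrEmpty(adDomainDnsName))
            return true;

        return !string.Equals(primaryDnsSuffix.TrimEnd('.'),
                              adDomainDnsName.TrimEnd('.'),
                              StringComparison.OrdinalIgnoreCase);
    }

    // Live check on the machine this runs on.
    public static Result Check()
    {
        var r = new Result();
        r.PrimaryDnsSuffix = IPGlobalProperties.GetIPGlobalProperties().DomainName;

        try
        {
            r.AdDomainDnsName = Domain.GetComputerDomain().Name;
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            r.AdDomainDnsName = null; // computer is not joined to a domain
        }

        r.IsDisjoint = IsDisjoint(r.PrimaryDnsSuffix, r.AdDomainDnsName);
        return r;
    }

    public static void Main()
    {
        // TechNet's example values (constructed input, no directory needed):
        Console.WriteLine("corp.fabrikam.com vs na.corp.fabrikam.com disjoint: "
                          + IsDisjoint("corp.fabrikam.com", "na.corp.fabrikam.com"));
        Console.WriteLine("na.corp.fabrikam.com vs na.corp.fabrikam.com disjoint: "
                          + IsDisjoint("na.corp.fabrikam.com", "na.corp.fabrikam.com"));

        // Live values for this machine:
        Result live = Check();
        Console.WriteLine("Primary DNS suffix : " + live.PrimaryDnsSuffix);
        Console.WriteLine("AD domain DNS name : " + (live.AdDomainDnsName ?? "(not domain-joined)"));
        Console.WriteLine("Disjoint namespace : " + live.IsDisjoint);
    }
}
```

Running Check() on each server and client host tells you whether the deployment is contiguous or disjoint today; it does not by itself show whether PrincipalContext with the configured ADServer, or the Windows message-security binding, behave correctly in the disjoint case. That still needs a test against a domain set up that way, which is why the comparison is kept separate from the live lookup.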
