Web 2.0: is it possible to authenticate from an active directory server?

In a Xojo web app 2.0, I would like to read the authentication from an Active Directory server
or eventually from an Open Directory server.
Are there any examples for that? Is it even possible?
Thanks.


I am interested in doing this as well for my intranet web applications, if anyone can provide an example. Thanks.


Yes, it can be done. I have 2 webapps running now that do this. Both apps are used in a large corporation with over 1500 employees. It is a complicated process to get it to work. It would take a lot of time to try and explain it here on this forum. We are using Azure, and that is the only one that I have experience with. Here are a couple of things to be aware of. You must allow your specific app in Azure and you must supply a callback URL. There are a lot of options to get the info that you want from the AD. My app simply makes sure that it is a valid current user for our domain. The return URL includes some info about the user, if it is a valid user. Then my app opens the landing page. I can try to answer any specific questions that you might have. Thanks

Thanks Gary for the information. In my organization we are using Active Directory servers and not Azure AD, but it sounds promising that you made it work with the latter.

This reminds me of a Xojo video from some Xojo conference where a speaker talked about this, but I can't recall which one …

Yep, I got a lot of info from the example that he supplied. I will look and see if I can find that link. Here is a link that also helped a lot.
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Learn


Found it. It was not from a conference…

And the associated code


Thanks Jean

Yes, that was it. I studied that code and it helped a lot.
In Session.Opening I check Session.HashTag. If it is empty, then I send the user to the Microsoft login URL with all of the info required. Once the user logs in, the redirect URL opens another session in the same tab, but now I have a hashtag. I then decode the id_token to make sure the key matches what I sent. If it is a match, I then extract the email address from the token and verify it is my domain. I then send the user to the working page. If I get an invalid type of response, then I disconnect the session. Hope that helps.

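As an added example (not code from this thread, from Xojo or from Microsoft), here is the check sequence Gary describes written out in Python: compare the nonce in the id_token with the one sent in the login request, check audience, issuer and expiry, then take the email claim and confirm it belongs to the company domain. CLIENT-ID and TENANT-ID are placeholders, the test token is constructed inline, and verifying the token's RS256 signature against the tenant's published signing keys is assumed to happen before these claim checks.

```python
import base64
import json
import time
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(id_token: str) -> dict:
    # Return the payload claims of a header.payload.signature token.
    # Assumption: the signature has already been verified against the tenant's
    # published signing keys; this function does not check it.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three segments")
    return json.loads(_b64url_decode(parts[1]))

def validate_id_token(claims: dict, expected_nonce: str, client_id: str,
                      tenant_id: str, allowed_domain: str,
                      now: Optional[float] = None) -> str:
    # Return the signed-in user's email if every check passes, else raise ValueError.
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this session")
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch: token was issued for a different app")
    if claims.get("iss") != "https://login.microsoftonline.com/%s/v2.0" % tenant_id:
        raise ValueError("unexpected issuer")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token has expired")
    email = str(claims.get("email", "")).lower()
    if not email.endswith("@" + allowed_domain.lower()):
        raise ValueError("account is outside the allowed domain")
    return email

def make_test_token(claims: dict) -> str:
    # Constructed sample token for offline testing: real base64url header and
    # payload, placeholder signature segment (not verifiable).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
```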

If you have MBS plugins then authenticating using AD is fairly easy to do using LDAPMBS, but there are some limitations. I have to have users select the OU that they are in based on our corporate OU organization. I suppose I could write code to check all the OUs, but my users don't seem to mind selecting their location.


Public Sub User_AuthenticateAD(username As String, domainname As String, password As String, ou As String, usrtyp As String, option As String)
  // domainname as in "mycompany.com"; the bind name is built as username@domainname.
  // A simple bind on port 389 sends the password in clear text on the wire,
  // so use LDAPS or StartTLS where the directory supports it.
  Var l As New LDAPMBS(domainname, 389)
  If l.Lasterror = 0 Then
    
    // Bind user name must be in the format of username@domainname
    l.Bind username + "@" + domainname, password, l.kAuthSimple
    
    If l.Lasterror = 0 Then
      LoggedIn = True
      LoggedInUserName = username // sAMAccountName
      LoggedInUserPassword = password // held in session memory only; never log or persist it
      LoggedInDomain = domainname
      LoggedInUserPrincipalName = username + "@" + domainname
      'User_UpdateRights
      Login.Close
      
      // Map the user type chosen on the login page to its OU name
      Var UserType As String
      Select Case usrtyp
      Case "Full"
        UserType = "Full Time Users"
      Case "Temp"
        UserType = "Temp Users"
      End Select
      
      // Escape the RFC 4515 filter metacharacters \ * ( ) and NUL before putting the
      // user name into the search filter, so it cannot alter the filter's meaning.
      Var safeUser As String = username.ReplaceAll("\", "\5c")
      safeUser = safeUser.ReplaceAll("*", "\2a").ReplaceAll("(", "\28").ReplaceAll(")", "\29")
      safeUser = safeUser.ReplaceAll(Chr(0), "\00")
      
      // The DC components of the base DN must match domainname (jostens.com here).
      Var baseDN As String = "OU=" + UserType + ",OU=Users,OU=" + ou + ",DC=jostens,DC=com"
      Var filter As String = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + safeUser + "))"
      Var results() As Dictionary = l.Search(baseDN, l.kScopeSubtree, filter, Array("displayName"))
      
      // l was created with New above and cannot be Nil, so only the search outcome is checked.
      // Result code 1 is accepted alongside 0 for this search.
      If l.Lasterror = 0 Or l.Lasterror = 1 Then
        If Not (results = Nil) Then
          If results.LastIndex >= 0 Then
            Var r As Dictionary = results(0)
            LoggedInUserDisplayName = r.Value("displayName")
            User_UpdateRights
          End If
        Else
          Alert_PlaySound("bad")
          Alert_ShowDlg("Error", "An error occurred querying Active Directory for the user 'Display Name'. Please login to the application again by clicking the login button in the menu bar or by refreshing the Web page.", "Caution", "Cancel", "OK", 0, False)
          Login.UserLoginCC1.ProgressWheel1.Visible = False
          LoggedIn = False
          User_UpdateRights
        End If
      Else
        Alert_PlaySound("bad")
        Alert_ShowDlg("Error", Str(l.Lasterror) + EndOfLine + l.ErrorString(l.Lasterror), "Stop", "Cancel", "OK", 0, False)
      End If
      
      // Process any optional commands
      Select Case option
      Case "prefs"
        Prefs_Authenticate
      End Select
    Else
      Alert_PlaySound("bad")
      Alert_ShowDlg("Bind Error", Str(l.Lasterror) + EndOfLine + l.ErrorString(l.Lasterror), "Stop", "Cancel", "OK", 0, False)
      Login.UserLoginCC1.ProgressWheel1.Visible = False
    End If
  Else
    Alert_PlaySound("bad")
    Alert_ShowDlg("LDAPMBS Error", Str(l.Lasterror) + EndOfLine + l.ErrorString(l.Lasterror), "Stop", "Cancel", "OK", 0, False)
    Login.UserLoginCC1.ProgressWheel1.Visible = False
  End If
End Sub

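As an added example (not code from this thread or from the MBS plugin), the two building blocks the LDAPMBS routine above needs, written in Python so they can be checked offline: an RFC 4515 escape for the user name before it goes into the search filter, and a base DN derived from the domain name so a subtree search from the domain root finds the account without asking the user for their OU. The domain "mycompany.com" and the user names in the test are constructed values.

```python
def escape_ldap_filter_value(value: str) -> str:
    # RFC 4515 section 3: inside a filter, the characters \ * ( ) and NUL must be
    # written as a backslash followed by two hex digits, so a user-supplied value
    # can never add or close filter components.
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def domain_to_base_dn(domain: str) -> str:
    # "mycompany.com" -> "DC=mycompany,DC=com" (the domain root of the directory)
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join("DC=" + p for p in labels)

def user_lookup_query(domain: str, username: str, attrs=("displayName",)):
    # Return (base_dn, filter, attributes) for a subtree search from the domain
    # root, matching the account by sAMAccountName regardless of its OU.
    flt = ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"
           % escape_ldap_filter_value(username))
    return domain_to_base_dn(domain), flt, list(attrs)
```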