Friday, June 8, 2012

Using Active Directory Web Services in C#/Visual Studio

I recently had a need to communicate with remote Active Directory stores, and since most organizations do not want to expose their Active Directory repositories directly through the firewall (LDAP, usually over port 389), Active Directory Web Services (ADWS) is ideal for this scenario. ADWS exposes the directory as a WCF/SOAP service on TCP port 9389, so that port still has to be reachable, but it is a single Windows-authenticated endpoint rather than a raw LDAP port.

Unfortunately, as I quickly discovered, the documentation surrounding Active Directory Web Services (ADWS) is extremely sparse.

These were the only two articles that I discovered on it through a quick Google search:



After digging through the PowerShell blog, I also came across this article:


However, none of the articles provided any comment or guidance on how to use ADWS via C#/.NET!!

Well, after hours and hours of research and investigation, I finally came across this article:

Fortunately, it offered one crucial piece of information: ADWS exposes a WS-MetadataExchange (MEX) endpoint at net.tcp://localhost:9389/ActiveDirectoryWebServices/mex, which is exactly what Visual Studio needs to generate a proxy.

Well, once I had that piece of information, I could finally create a Service Reference to it in Visual Studio:


Once I clicked OK, Visual Studio generated the proxy class and I could begin using it from my C# code.

As for figuring out how to use the API properly: there does not seem to be any .NET Framework-style reference documentation or code samples, but I did find the protocol examples, which show the SOAP request and response messages for each operation:

http://msdn.microsoft.com/en-us/library/dd303811(v=PROT.10).aspx

Unfortunately, the SOAP messages are hard to decipher on their own, but you can get a feel for the required parameters from them. For example, for the ChangePassword operation, the generated proxy's method signature is the following:

ChangePassword(string Server, string AccountDN, string NewPassword, string OldPassword, string PartitionDN)



If you look at the AccountManagement examples, the SOAP request carries the following parameter values, which map one-to-one onto that signature:

  1. Server: ldap:389
  2. AccountDN: CN=Guest,CN=Users,DC=fabrikam,DC=com
  3. NewPassword: Password2
  4. OldPassword: Password1
  5. PartitionDN: DC=fabrikam,DC=com

So while the API documentation is definitely far less than perfect, it is workable (with a lot of effort!! :-( )
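To make the ChangePassword mapping concrete, here is an added worked example (not code from the original post) of a complete password change through the generated proxy. It assumes the Service Reference was generated under the namespace ADWSSvc, that the proxy's ChangePassword signature is the one shown above, and a hypothetical domain controller hostname dc01.corp.claimsauth.com; the account and partition DNs are placeholders as well.

```csharp
using System;
using System.ServiceModel;
using System.Security.Principal;

// Added example; assumes a Service Reference generated under the namespace ADWSSvc.
static class AdwsPasswordChange
{
    // Hypothetical remote DC; ADWS listens on TCP 9389 on every DC running the service.
    const string AccountManagementEndpoint =
        "net.tcp://dc01.corp.claimsauth.com:9389/ActiveDirectoryWebServices/Windows/AccountManagement";

    // Returns true when ADWS accepted the change, false when it rejected it with a SOAP fault.
    static bool ChangeUserPassword(string accountDn, string partitionDn, string oldPassword, string newPassword)
    {
        // Default NetTcpBinding = SecurityMode.Transport with Windows credentials: the channel is
        // encrypted and signed, so the old and new passwords never cross the wire in the clear.
        // Do not "fix" connection problems by switching tcpBind.Security.Mode to SecurityMode.None.
        var tcpBind = new NetTcpBinding();
        var client = new ADWSSvc.AccountManagementClient(tcpBind, new EndpointAddress(AccountManagementEndpoint));

        // ADWS performs the directory operation under the caller's identity, so impersonation must be allowed.
        client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        try
        {
            // Argument order follows the proxy signature: Server, AccountDN, NewPassword, OldPassword, PartitionDN.
            // "ldap:389" addresses the directory on the DC that hosts this ADWS instance.
            client.ChangePassword("ldap:389", accountDn, newPassword, oldPassword, partitionDn);
            client.Close();
            return true;
        }
        catch (FaultException fe)
        {
            // Wrong old password, password history or complexity violations come back as SOAP faults.
            // Log the fault, never the password values.
            Console.Error.WriteLine("ADWS rejected the change: " + fe.Message);
            client.Abort();
            return false;
        }
        catch (CommunicationException ce)
        {
            // Transport-level failure (DC unreachable, port 9389 blocked, authentication failed).
            Console.Error.WriteLine("Transport error talking to ADWS: " + ce.Message);
            client.Abort();
            throw;
        }
    }

    static void Main()
    {
        // Console.ReadLine echoes input; a real tool would read the passwords with echo disabled.
        Console.Write("Old password: ");
        string oldPassword = Console.ReadLine();
        Console.Write("New password: ");
        string newPassword = Console.ReadLine();

        bool ok = ChangeUserPassword(
            "CN=Guest,CN=Users,DC=corp,DC=claimsauth,DC=com",
            "DC=corp,DC=claimsauth,DC=com",
            oldPassword,
            newPassword);

        Console.WriteLine(ok ? "Password changed." : "Password change rejected.");
    }
}
```

Two things worth noting from this example: a ChangePassword call does not elevate anything, because ADWS impersonates the Windows identity of the caller, so the same AD permissions apply as they would over LDAP; and because the proxy's ChangePassword takes plain strings, avoid putting the password values into log output, exception messages or command-line arguments, which are visible in process listings.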

After finding this article (http://social.technet.microsoft.com/Forums/zh/winserverDS/thread/4e442df5-7f38-4f3d-9bb0-329bfc7db324), I was also able to get the following code working correctly for me:


using System;
using System.ServiceModel;
using System.Security.Principal;

// The default NetTcpBinding uses transport security with Windows credentials, which is
// what ADWS expects: the caller is authenticated with Kerberos/NTLM and the directory
// operation runs under the caller's identity.
var tcpBind = new NetTcpBinding();
var endpoint = new EndpointAddress("net.tcp://localhost:9389/ActiveDirectoryWebServices/Windows/AccountManagement");

using (var acctMgmt = new ADWSSvc.AccountManagementClient(tcpBind, endpoint))
{
    // ADWS impersonates the caller when it accesses the directory, so the client must allow it.
    acctMgmt.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

    // Arguments: server ("ldap:389" = the directory on the DC hosting ADWS), group DN,
    // partition DN, and whether to expand nested group membership recursively.
    var adPrincipal = acctMgmt.GetADGroupMember("ldap:389", "CN=Domain Admins,CN=Users,DC=corp,DC=claimsauth,DC=com", "DC=corp,DC=claimsauth,DC=com", true);
    foreach (var item in adPrincipal)
    {
        Console.WriteLine(item.Name);
        Console.WriteLine(item.DistinguishedName);
        Console.WriteLine(item.SamAccountName);
    }
}

Hope that helps for all of you venturing out into the world of ADWS!!

10 comments:

  1. Hi,
    I'm in the same case because I referenced the AD Web service in my website with Visual Studio, but I don't know how to get AD user information.
    Have you got any idea or sample of code?
    Thanks.

    Alexis

    Replies
    1. I have just updated this blog entry with some guidelines on how to use ADWS.

      Let me know if it helps!!

  2. Information about ADWS is extremely sparse. Thank you for sharing your research!

  3. This comment has been removed by a blog administrator.

  4. I would like to use ADWS to update AD information, e.g. telephone number or department.

    Please let me know, please help.

  5. Really great post, thank you for sharing this knowledge. Excellently written article; if only all bloggers offered the same level of content as you, the internet would be a much better place. Please keep it up! Christian links

  6. Hi,

    Can I create users in AD by using ADWS?
    If yes, then please share some solution.
