PrincipalContext Objects And Performance

Using the new System.DirectoryServices.AccountManagement namespace for AD work is really nice, but MSFT dropped the ball on how PrincipalContext objects get built. A PrincipalContext encapsulates the server or domain that the AD operations run against, and it is what hydrates UserPrincipal and GroupPrincipal objects. Since building one is not cheap, they are generally put into static helper methods such as:

[csharp]

using Microsoft.SharePoint;
using System.DirectoryServices.AccountManagement;

// The second and third arguments are the domain name and the container
// (e.g. a DN); the original post left both as "" placeholders.
// RunWithElevatedPrivileges runs the delegate as the application pool
// identity, so with no explicit credentials the LDAP bind is made as that
// account and it is that account which needs read access to the directory.
public static PrincipalContext GetGroupPrincipalContext()
{
    PrincipalContext principalContext = null;
    SPSecurity.RunWithElevatedPrivileges(() =>
        principalContext = new PrincipalContext(ContextType.Domain, "", ""));
    return principalContext;
}

[/csharp]

so that we can use it later for user and group operations:

[csharp]

// GetUserPrincipalContext is the user-side counterpart of
// GetGroupPrincipalContext above; its body is not shown in the original post.
public static UserPrincipal GetUser(string userName)
{
    UserPrincipal userPrincipal = null;
    SPSecurity.RunWithElevatedPrivileges(() =>
    {
        PrincipalContext principalContext = GetUserPrincipalContext();
        // FindByIdentity returns null when no match is found; callers must check.
        userPrincipal = UserPrincipal.FindByIdentity(principalContext, userName);
    });
    // Both the principal and the PrincipalContext it was found through are
    // IDisposable; the caller owns them and should dispose them when done.
    return userPrincipal;
}

public static GroupPrincipal GetGroup(string groupName)
{
    GroupPrincipal groupPrincipal = null;
    SPSecurity.RunWithElevatedPrivileges(() =>
    {
        PrincipalContext principalContext = GetGroupPrincipalContext();
        groupPrincipal = GroupPrincipal.FindByIdentity(principalContext, groupName);
    });
    return groupPrincipal;
}

[/csharp]

However, if you experience performance issues there are two things to consider. First, I have found that naming a specific domain controller in the context, rather than relying on the default round-robin DC locator behaviour, is pretty effective. If that is not enough, the other option is an Attribute Scope Query (ASQ), which means dropping down from the principal classes to the DirectoryEntry and DirectorySearcher objects.
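As an added example (this is not code from the original post), the following C# shows both options together: a PrincipalContext pinned to a named domain controller, and an ASQ over a group's member attribute using DirectoryEntry and DirectorySearcher. The DC name dc01.corp.example.com, the container DC=corp,DC=example,DC=com and the group DN are hypothetical placeholders, not values from the page.

```csharp
// Added example, not code from the original post. Two ways to cut the
// round-trips: (1) pin the PrincipalContext to a named domain controller
// instead of letting the DC locator pick one, and (2) read a group's members
// with an Attribute Scope Query (ASQ) so the server expands the "member"
// attribute in one search. Server, container and group DN below are
// hypothetical placeholders, not values from the page.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static class DirectoryHelpers
{
    // Hypothetical values; substitute your own.
    private const string DomainController = "dc01.corp.example.com";
    private const string DomainContainer = "DC=corp,DC=example,DC=com";

    // (1) Passing a DC host name as "name" makes every operation on this
    // context go to that server. Pinning trades the locator's load-balancing
    // (and failover) for predictable latency, so handle the case where that
    // one DC is down by falling back to the plain domain-name form.
    public static PrincipalContext GetPinnedPrincipalContext()
    {
        return new PrincipalContext(ContextType.Domain, DomainController, DomainContainer);
    }

    // (2) ASQ: a single Base-scope search rooted at the group object; the
    // server dereferences each DN in "member" and applies the filter to the
    // referenced objects, so one query replaces N FindByIdentity calls.
    public static IList<string> GetGroupMemberAccountNames(string groupDn)
    {
        var names = new List<string>();

        // Putting the server in the ADsPath pins this entry to the same DC.
        // Secure + Signing + Sealing: Kerberos/NTLM bind with the LDAP traffic
        // integrity- and confidentiality-protected. Null username/password
        // means bind as the current (process) identity.
        string adsPath = "LDAP://" + DomainController + "/" + groupDn;
        var authFlags = AuthenticationTypes.Secure
                      | AuthenticationTypes.Signing
                      | AuthenticationTypes.Sealing;

        using (var group = new DirectoryEntry(adsPath, null, null, authFlags))
        using (var searcher = new DirectorySearcher(group))
        {
            searcher.SearchScope = SearchScope.Base;   // ASQ only works with Base scope
            searcher.AttributeScopeQuery = "member";   // DN-valued attribute to expand
            // Filter is applied to the expanded members; person+user excludes computers.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user))";
            searcher.PropertiesToLoad.Add("sAMAccountName");

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    if (result.Properties.Contains("sAMAccountName"))
                    {
                        names.Add((string)result.Properties["sAMAccountName"][0]);
                    }
                }
            }
        }
        return names;
    }

    public static void Main()
    {
        // Hypothetical group DN for the example.
        const string groupDn = "CN=SP Readers,OU=Groups,DC=corp,DC=example,DC=com";
        using (PrincipalContext ctx = GetPinnedPrincipalContext())
        {
            Console.WriteLine("Connected to: " + ctx.ConnectedServer);
        }
        foreach (string name in GetGroupMemberAccountNames(groupDn))
        {
            Console.WriteLine(name);
        }
    }
}
```

Two caveats worth keeping in mind: a pinned DC is a single point of failure, so wrap the pinned path with a fallback to the domain-name form; and ASQ requires Base scope on a DN-valued attribute, with the LDAP filter applying to the objects that attribute points at rather than to the group itself.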

EDIT:

An update to this post is available here.


TeamBuild – Error – Failure: unknown user name or bad password

This particular error can be a pain in the ass to track down, and it will leave Team Build unable to create the drop directory. But there are really only two causes for it.

1) You will generally start seeing this error after a problem with a build machine forces you to recreate the drop location, or after anything else that involves remaking the drop location (that is the only time I have seen it).
2) It can also come up in cross-domain development environments.

If you think you are experiencing problem #1
1) check whether the same build agent is used for all the builds
2) check whether you can refer to the machine by its IP address instead of by an alias

If you think you are experiencing problem #2

1) 9 times out of 10 this is a domain trust problem. Simply put, the domain the TFS users live in doesn’t trust the domain of the TFSService account, so when users are added the TFSService account has no read permission on that domain’s controller. You can either set up the domain trust or change the TFSService account to one from the other domain.


The Basics of Claims – Part 4 – SharePoint Authentication Logic is Simplified with Claims

Every application contains logic that supports the features it offers, and applications cannot always rely on Windows authentication for the identity part of that logic. You may have web-based applications that store user names and passwords themselves; those passwords have to be reset when lockouts occur or when the system is breached. With enterprise-facing applications there is a domain controller in place that Windows uses to authenticate instead.

Plenty of challenges remain even with integrated authentication in place. A Kerberos ticket gives you the user’s account and the groups they belong to. What are you going to do, though, if your application needs to send that user an email? The ticket carries no address, so even within a single domain this becomes complex.

Kerberos has limitations, but you can get around them by programming against Active Directory directly. This is a complex process, though, so be ready. Your goal should be efficient LDAP (Lightweight Directory Access Protocol) queries, so that what your application asks for does not slow down the directory server.

With claims-based identity you can eliminate the authentication logic from individual applications. Instead, a separate application (the issuer) verifies the user and hands out claims about them. Claims are therefore a way to get authentication logic out of your application altogether.

Don’t let the concept of claims-based identity intimidate you, because it is used all the time and it is everywhere in everyday life. Take the process at the airport as an example. You aren’t able to just walk up to a gate and board a plane with your photo ID in hand. You have to check in at the right ticket counter first, where you will be asked for your name and photo ID, before proceeding to the boarding gate.

For passengers on an international flight a passport is required as well. All of this applies to the adults travelling; for minors travelling with them, their names are the only thing you need to provide, so that becomes their authentication. The person behind the ticket counter will also make sure there aren’t any problems with the payment for the flights. Once all that is done, boarding passes are issued and you can head to the gate.

Everything you need to get onto the plane is on that boarding pass. The agent at the gate sees your name, whether you are a frequent flyer member, your flight number and your seat. There can be additional information too, depending on the airline. Everything on a boarding pass keeps the process smooth for customers and staff alike.

If you look closely at a boarding pass, you will also notice a bar code on it; some have a magnetic strip instead. Plenty of information is encoded there as well, for example a boarding serial number that shows the pass is legitimate, since there are ways to make fake boarding passes.

All of the information on a boarding pass is a set of claims the airline makes about you. It asserts that you are authorised to board a particular airplane and that you are assigned a particular seat on it. The agents at the gate read your boarding pass; they don’t have to ask you for the information you already gave when you checked in.

You may also be able to get that validation from another source. Many airlines now let you get your boarding pass online, so you can bypass the ticket counter when you arrive at the airport. Which method you used to obtain your boarding pass doesn’t change the end result: it lets you onto the flight as specified, because the claims on it have been authenticated by the airline.

In software, a set of claims like this is called a security token. Each token is signed by the issuer that created it. In a claims-based application, a user is authenticated when they present a security token that carries a valid signature from an issuer the application trusts.

This gives the application developer an advantage: the application does not need to handle any particular kind of credential from the user. The person in charge of security for your company defines the policies and rules that the user is evaluated against at the issuer. What your application receives is very similar to the boarding pass information above.

What all this means is that regardless of the authentication protocol used, the application receives a set of signed claims carrying the pertinent information about the user. This information is in a simple format that the application can use immediately.
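To make the two points above concrete (claims removing authentication logic from the application, and a token being accepted only when signed by a trusted issuer), here is an added C# example. It is not code from the original post and not SharePoint’s own token handling: the token layout and the HMAC-SHA256 signing are a constructed, simplified stand-in for the SAML or JWT tokens real issuers emit, and the issuer name urn:example:sts, the key and the claim values are made up for the example.

```csharp
// Added example, not code from the original post. Shows what "authentication
// logic" is left in a claims-based application: no password handling, only a
// trust list of issuers, a signature check and claim extraction.
// Constructed token format (a simplified stand-in for SAML/JWT):
//   "<issuer>|<k>=<v>;<k>=<v>|<base64 HMAC-SHA256 over everything before it>"
// Issuer name, key and claim values are made up for the example.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class ClaimsGate
{
    // Trust list: issuer -> verification key. A token from any issuer not in
    // this list is rejected regardless of what the token says about itself.
    private static readonly Dictionary<string, byte[]> TrustedIssuers =
        new Dictionary<string, byte[]>
        {
            { "urn:example:sts", Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production") }
        };

    // Issuer side (the STS), included only so the example is self-contained.
    public static string Issue(string issuer, IDictionary<string, string> claims, byte[] key)
    {
        var pairs = new List<string>();
        foreach (var kv in claims) pairs.Add(kv.Key + "=" + kv.Value);
        string payload = issuer + "|" + string.Join(";", pairs);
        using (var mac = new HMACSHA256(key))
        {
            return payload + "|" + Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
        }
    }

    // Relying-party side: returns the claims, or null if the token is not acceptable.
    public static IDictionary<string, string> Validate(string token)
    {
        int sigSep = token.LastIndexOf('|');
        if (sigSep <= 0) return null;
        string payload = token.Substring(0, sigSep);
        int issuerSep = payload.IndexOf('|');
        if (issuerSep <= 0) return null;
        string issuer = payload.Substring(0, issuerSep);

        // Key is looked up from OUR trust list, never taken from the token.
        byte[] key;
        if (!TrustedIssuers.TryGetValue(issuer, out key)) return null;

        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(sigSep + 1)); }
        catch (FormatException) { return null; }

        byte[] expected;
        using (var mac = new HMACSHA256(key))
        {
            expected = mac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        }
        if (!FixedTimeEquals(expected, presented)) return null;

        // Only after the signature checks out do we read the claims.
        var claims = new Dictionary<string, string>();
        foreach (string pair in payload.Substring(issuerSep + 1).Split(';'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) claims[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        return claims;
    }

    // Constant-time comparison so a forged signature cannot be guessed byte by byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var claims = new Dictionary<string, string>
        {
            { "name", "jdoe" }, { "email", "jdoe@example.com" }, { "role", "Reader" }
        };
        string good = Issue("urn:example:sts", claims, TrustedIssuers["urn:example:sts"]);
        string forged = Issue("urn:example:sts", claims, Encoding.UTF8.GetBytes("attacker-key"));
        string unknown = Issue("urn:evil:sts", claims, Encoding.UTF8.GetBytes("attacker-key"));

        if (Validate(good) == null) throw new Exception("trusted token rejected");
        if (Validate(forged) != null) throw new Exception("bad signature accepted");
        if (Validate(unknown) != null) throw new Exception("untrusted issuer accepted");
        Console.WriteLine("email claim: " + Validate(good)["email"]);
    }
}
```

The point the application developer should notice is that Validate contains no credential handling at all; the only security decisions it makes are whether the issuer is trusted and whether the signature is valid. Real token formats add audience and expiry claims on top of this so a token for one application, or an old one, cannot be replayed against another.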
