Active Directory Query ASP VB .Net only works in Trusted Sites
I have an ASP.NET web application written in Visual Basic .NET running on Windows Server 2003 (IIS 6) that works like the one described in How to grab AD credentials from client machine in a web application?
A user accesses our Intranet page and it uses Windows Authentication to identify the user. The application then looks up that user in Active Directory and grabs the attribute value for that user's IpPhone. This number is what we use for Employee IDs.
In IE8 I can access the site and Windows Auth prompts me and it appears to work, but the application is unable to get my Active Directory user "IP Phone" value (AKA my Employee Number). If I add the URL to Trusted Sites, the application works and grabs my Employee ID successfully.
That wouldn't be a big deal except it does this in every browser (Firefox, Safari, and Chrome). I found a workaround for Firefox (ntlm-authenticate, google 'about config' for firefox). However this app shouldn't need to be in Trusted Sites, and I believe if I can get this to work without being in Trusted Sites it will work in all browsers.
Does anyone have any idea what's going on? Thanks in advance.
Take a look at the setting in the screenshot below. The automatic logon refers to using your Windows authentication as you access resources via Internet Explorer. In other words, if you access a web page on a server in your directory, the credentials that you logged in on your machine with are automatically passed to the server you're accessing.
The credentials are generally, for some reason unknown to me, passed along to trusted sites as well. I don't know why this is, but I've seen this behavior enough to be confident stating it.
This feature is only available in IE, except for the workaround you found for Firefox, and will not work in other browsers, unless you find similar workarounds.
A better solution would be to specify the username and password in code as shown here:
http://msdn.microsoft.com/en-us/library/wh2h7eed.aspx
This performs a search and passes along a username and password, rather than relying on the Windows Integrated security.
I have a working snippet of code here for getting an email based on username in our domain, that you can modify for your needs:
' Escapes a value for use inside an LDAP search filter (RFC 4515) so that
' user-supplied input cannot change the structure of the filter.
Private Function EscapeFilterValue(ByVal value As String) As String
    Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
End Function

Public Function GetEmailFromUserName(ByVal UserID As String) As String
    Dim ReturnValue As String = ""
    ' Bind with the service account stored in web.config rather than the caller's Windows token
    Using myAD As New System.DirectoryServices.DirectoryEntry("LDAP://mydomain", System.Configuration.ConfigurationManager.AppSettings("adsearchname"), System.Configuration.ConfigurationManager.AppSettings("adsearchpwd"))
        Using searcher As New System.DirectoryServices.DirectorySearcher(myAD)
            ' Ambiguous name resolution on the escaped value
            searcher.Filter = "(anr=" & EscapeFilterValue(UserID) & ")"
            searcher.PropertiesToLoad.Add("mail")
            For Each myResult As System.DirectoryServices.SearchResult In searcher.FindAll()
                For Each Key As String In myResult.Properties.PropertyNames
                    ' Attribute values come back as Object; compare the string form
                    Dim value As String = Convert.ToString(myResult.Properties.Item(Key).Item(0))
                    If InStr(value, "@") > 0 Then
                        ReturnValue = value
                    End If
                Next
            Next
        End Using
    End Using
    Return ReturnValue
End Function
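As an added example (not the answerer's code), this is the lookup the question actually needs: the account name is taken from the Windows-authenticated identity, the directory is queried with a service account from web.config, and the value is escaped before it goes into the filter, so an exact sAMAccountName match cannot be turned into a wildcard. The LDAP path and the appSettings key names are assumptions.

```vbnet
Imports System.Configuration
Imports System.DirectoryServices
Imports System.Security.Principal

' Added example: read the authenticated user's ipPhone (employee number) with a
' dedicated read-only service account, so the query no longer depends on the
' browser forwarding the caller's own credentials to the web server.
Public Module EmployeeIdLookup

    ' RFC 4515 escaping: backslash first, then the filter metacharacters.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
    End Function

    ' "CORP\jsmith" or "jsmith@corp.example" -> "jsmith"
    Public Function AccountNameFromIdentity(ByVal identityName As String) As String
        Dim name As String = identityName
        Dim backslash As Integer = name.LastIndexOf("\"c)
        If backslash >= 0 Then name = name.Substring(backslash + 1)
        Dim at As Integer = name.IndexOf("@"c)
        If at >= 0 Then name = name.Substring(0, at)
        Return name
    End Function

    ' Returns the ipPhone attribute, or Nothing when the user or attribute is missing.
    Public Function GetIpPhone(ByVal identity As IIdentity) As String
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then Return Nothing
        Dim account As String = AccountNameFromIdentity(identity.Name)
        ' Assumed LDAP path and appSettings keys; the account only needs read access.
        Using root As New DirectoryEntry("LDAP://DC=corp,DC=example", _
                ConfigurationManager.AppSettings("adsearchname"), _
                ConfigurationManager.AppSettings("adsearchpwd"))
            Using searcher As New DirectorySearcher(root)
                ' Exact match on sAMAccountName instead of an ambiguous anr search.
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                                  EscapeFilterValue(account) & "))"
                searcher.PropertiesToLoad.Add("ipPhone")
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing OrElse result.Properties("ipPhone").Count = 0 Then Return Nothing
                Return Convert.ToString(result.Properties("ipPhone")(0))
            End Using
        End Using
    End Function

End Module
```

In the page, call GetIpPhone(HttpContext.Current.User.Identity) after Windows Authentication has identified the user.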