Merge pull request #536 from Badgerati/develop

v1.7.1
Badgerati · Apr 17, 2020 · dc9d6ab · dc9d6ab
2 parents 4c5521e + b485f88
commit dc9d6ab
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 14 deletions.
diff --git a/docs/release-notes.md b/docs/release-notes.md
@@ -1,5 +1,12 @@
 # Release Notes
 
+## v1.7.1
+
+```plain
+### Bugs
+* #534: Fixes an issue with IIS Windows Authentication when using foreign trusted domains (thanks @RobinBeismann!)
+```
+
 ## v1.7.0
 
 ```plain

diff --git a/src/Private/Authentication.ps1 b/src/Private/Authentication.ps1
@@ -465,28 +465,37 @@ function Get-PodeAuthWindowsADIISMethod
             if (![string]::IsNullOrWhiteSpace($domain) -and (@('.', $env:COMPUTERNAME) -inotcontains $domain)) {
                 # get the server's fdqn (and name/email)
                 try {
-                    $ad = [adsi]"LDAP://<SID=$($winIdentity.User.Value.ToString())>"
-                    $user.DistinguishedName = @($ad.distinguishedname)[0]
-                    $user.Name = @($ad.name)[0]
-                    $user.Email = @($ad.mail)[0]
+                    # Open ADSISearcher and change context to given domain
+                    $searcher = [adsisearcher]""
+                    $searcher.SearchRoot = [adsi]"LDAP://$($domain)"
+                    $searcher.Filter = "ObjectSid=$($winIdentity.User.Value.ToString())"
+
+                    # Query the ADSISearcher for the above defined SID
+                    $ad = $searcher.FindOne()
+
+                    # Save it to our existing array for later usage
+                    $user.DistinguishedName = @($ad.Properties.distinguishedname)[0]
+                    $user.Name = @($ad.Properties.name)[0]
+                    $user.Email = @($ad.Properties.mail)[0]
                     $user.Fqdn = (Get-PodeADServerFromDistinguishedName -DistinguishedName $user.DistinguishedName)
                 }
                 finally {
-                    Close-PodeDisposable -Disposable $ad -Close
+                    Close-PodeDisposable -Disposable $searcher
                 }
 
                 try {
-                    # open a new connection
-                    $result = (Open-PodeAuthADConnection -Server $user.Fqdn -Domain $domain)
-                    if (!$result.Success) {
-                        return @{ Message = 'Failed to connect to Domain Server' }
-                    }
+                    if (!$options.NoGroups) {
 
-                    # get the connection
-                    $connection = $result.Connection
+                        # open a new connection
+                        $result = (Open-PodeAuthADConnection -Server $user.Fqdn -Domain $domain)
+                        if (!$result.Success) {
+                            return @{ Message = "Failed to connect to Domain Server '$($user.Fqdn)' of $domain for $($user.DistinguishedName)." }
+                        }
 
-                    # get the users groups
-                    if (!$options.NoGroups) {
+                        # get the connection
+                        $connection = $result.Connection
+
+                        # get the users groups
                         $user.Groups = (Get-PodeAuthADGroups -Connection $connection -DistinguishedName $user.DistinguishedName)
                     }
                 }