Impersonating and Windows Authentication

subtile
06-11-2008

Hi

I'm having some trouble with LDAP and Active Directory on Win2k3.

I use Windows Authentication and the code
System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
credentials when logged in.

When I create a user in AD I get an error. I have 4 scenarios - one works and
one doesn't. I'm very confused:

1) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- No credentials are sent together with LDAP string [new
DirectoryEntry("mypath")]

Error message: System.Runtime.InteropServices.COMException: An operations
error occurred.
- I can't read from AD

2) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- Credentials are sent together with LDAP string [new
DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

Error message: An operations error occurred
- I can read from AD

3) Does not work
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- No credentials are sent together with LDAP string

Exception Details: The specified directory service attribute or value does
not exist.
- I can't read from AD

4) Works!
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
"username", "password", AuthenticationTypes.Secure);]

What is the difference between <identity impersonate="true"/> in web.config
and manual code impersonation?

What is the correct approach for a user logged in with Windows credentials to
manage AD from ASP.NET?

--

Jesus Loves You

bruce barker
06-11-2008

With NTLM there are two types of authentication tokens, primary and
impersonation tokens. To access a network resource a primary token is
required, as NTLM does not allow credential forwarding (one hop rule).

If you use NTLM in IIS and <identity impersonate="true"/> in web.config, the
client has the primary token, and the web server has only an
impersonation token. It can be used to access local resources but not network
resources.

If your code creates a login token, then it can be converted to primary and
access network resources. You can also supply a username and password in
the web.config and this will be a primary token.

You have a couple of options:

1) Set <identity impersonate="false"/> and make the app pool service account
a domain account.

2) Set <identity impersonate="true"/>, switch to Kerberos (which supports
forwarding) and enable credential forwarding on the web server and AD
server.

3) Do impersonation in code like you are.

4) <identity impersonate="true"
userName="domain\account"
password="password" />

-- bruce (sqlwork.com)
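
The following is an added example, not code from either post in this thread. It shows bruce's option 3 (impersonation in code) done so that the resulting token can make the second hop to the domain controller, plus a small check for the token-level problem he describes. It assumes an ASP.NET application on a domain-joined Win2k3/IIS box with System.DirectoryServices referenced; the domain, account, password, OU path and new account name are placeholders passed in by the caller.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread). Domain, account, password and LDAP
// path are placeholders supplied by the caller.
public static class AdImpersonation
{
    // Logon types from winbase.h. LOGON32_LOGON_NETWORK yields a token with no
    // cached credentials, so a second hop (web server -> domain controller)
    // fails; LOGON32_LOGON_NETWORK_CLEARTEXT and LOGON32_LOGON_INTERACTIVE
    // yield tokens that can authenticate to the DC.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reports whom the current request runs as and what kind of token it holds.
    // Under <identity impersonate="true"/> with NTLM this reports Impersonation,
    // which cannot cross to another machine; only Delegation (Kerberos with
    // delegation enabled, bruce's option 2) lets that token reach AD on the DC.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " / " + id.ImpersonationLevel;
    }

    // bruce's option 3: log the user on in code to get a token that can reach
    // AD, impersonate it, and create the account. No explicit credentials are
    // passed to DirectoryEntry; the bind runs under the impersonated token.
    public static void CreateUserAs(string domain, string user, string password,
                                    string ouPath, string newSam)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                // AuthenticationTypes.Secure = Negotiate (Kerberos or NTLM) bind.
                using (DirectoryEntry ou = new DirectoryEntry(ouPath, null, null,
                                                              AuthenticationTypes.Secure))
                using (DirectoryEntry nu = ou.Children.Add("CN=" + newSam, "user"))
                {
                    nu.Properties["sAMAccountName"].Value = newSam;
                    nu.CommitChanges();
                }
            }
        }
        finally
        {
            CloseHandle(token); // never leak the logon token
        }
    }
}
```

Calling DescribeCurrentToken() from a page under each of the four configurations in the original post shows directly which ones leave the worker thread with a token that can make the second hop. Two cautions that go with options 3 and 4: a LOGON32_LOGON_NETWORK_CLEARTEXT logon keeps the password in the logon session so that the token can authenticate onward, and option 4 puts a domain password in web.config in plaintext; if you take that route, encrypt the section with aspnet_regiis -pe "system.web/identity" rather than leaving it readable to anyone who can open the file.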
