Webservice To Add User Accounts

 
 
Jessard
 
      03-01-2005
Hi all,

I have a webservice which needs to add user accounts to domain A. In order
to do this, I have set impersonation="true" in the web.config file and
specified the username and password of a domain A user which has permissions
to add users to the domain (A). This originally worked but now is not and
nothing has changed.

I've looked at discussions and found nothing that has worked. People have
suggested changing the machine.config <processModel> tag but this does not
work as I need the user account to mimic the Domain user which has access to
add the accounts.

Any ideas? I would really like any help.

Thanks,
Jesse
 
 
 
 
 
Joe Kaplan (MVP - ADSI)
 
      03-01-2005
Probably a Kerberos delegation problem. When you use impersonation and also
use IWA in IIS, you have to have Kerberos delegation working in order for
your credentials to hop from the browser to the IIS box to the domain
controller. My guess is that this is not happening consistently and you are
being authenticated as anonymous on the DC which is preventing the write
operation.

You also need to make sure that the client that calls the web service has the
correct administrative credentials and is actually passing them through the
web service client proxy, but my guess is that you've already looked into
that and are having the delegation issue I referred to above.

There are lots of good Kerberos delegation links. Here are a few I had
handy.

http://www.microsoft.com/technet/pro.../tkerberr.mspx
http://support.microsoft.com/default...;EN-US;q306158
http://msdn.microsoft.com/vstudio/us...lementKerberos

Joe K.

"Jessard" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all,
>
> I have a webservice which needs to add user accounts to domain A. In
> order
> to do this, I have set impersonation="true" in the web.config file and
> specified the username and password of a domain A user which has
> permissions
> to add users to the domain (A). This originally worked but now is not and
> nothing has changed.
>
> I've looked at discussions and found nothing that has worked. People have
> suggested changing the machine.config <processModel> tag but this does not
> work as I need the user account to mimic the Domain user which has access
> to
> add the accounts.
>
> Any ideas? I would really like any help.
>
> Thanks,
> Jesse



 
 
 
 
 
Dominick Baier [DevelopMentor]
 
      03-02-2005
Also make sure that your first hop from the client to the web service is
Kerberos and not NTLM. That can sometimes be tricky and could have to do with
intranet/internet zones in IE.

Enable auditing for logon events on the web server and check if the client
is authenticated using Kerberos or NTLM. Another way to figure that out is
using a sniffer like www.ethereal.com and sniff the auth handshake.

dominick baier - DevelopMentor
www.leastprivilege.com


> Probably a Kerberos delegation problem. When you use impersonation
> and also use IWA in IIS, you have to have Kerberos delegation working
> in order for your credentials to hop from the browser to the IIS box
> to the domain controller. My guess is that this is not happening
> consistently and you are being authenticated as anonymous on the DC
> which is preventing the write operation.
>
> You also need to make sure that the client that calls the web service
> has the correct administrative credentials and is actually passing
> them through the web service client proxy, but my guess is that you've
> already looked into that and are having the delegation issue I
> referred to above.
>
> There are lots of good Kerberos delegation links. Here are a few I
> had handy.
>
> http://www.microsoft.com/technet/pro...er2003/technologies/security/tkerberr.mspx
>
> http://support.microsoft.com/default...;EN-US;q306158
>
> http://msdn.microsoft.com/vstudio/us...ault.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos
>
> Joe K.
>
> "Jessard" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Hi all,
>>
>> I have a webservice which needs to add user accounts to domain A. In
>> order
>> to do this, I have set impersonation="true" in the web.config file
>> and
>> specified the username and password of a domain A user which has
>> permissions
>> to add users to the domain (A). This originally worked but now is not
>> and
>> nothing has changed.
>> I've looked at discussions and found nothing that has worked. People
>> have
>> suggested changing the machine.config <processModel> tag but this
>> does not
>> work as I need the user account to mimic the Domain user which has
>> access
>> to
>> add the accounts.
>> Any ideas? I would really like any help.
>>
>> Thanks,
>> Jesse
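
The logon-audit check suggested in the reply above, as an added example that is not part of the original thread: with logon auditing enabled, each successful logon on the web server records the authentication package that was used. The sketch assumes the current Windows event schema (Security event 4624, logon type 3 for network logons); the function names and the sample events are constructed for illustration.

```powershell
# Added example, not from the thread. Sample events below are constructed.
function Get-NetworkLogonPackage {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ([string]$evt.System.EventID -ne '4624') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # Logon type 3 is a network logon, as produced by an IWA request to IIS.
        if ($data['LogonType'] -ne '3') { continue }
        [pscustomobject]@{
            User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source   = $data['IpAddress']
            Package  = $data['AuthenticationPackageName']
            Kerberos = ($data['AuthenticationPackageName'] -eq 'Kerberos')
        }
    }
}

# Hypothetical helper that builds a constructed 4624 event (values are made up).
function New-SampleLogonXml([string]$User, [string]$Type, [string]$Package, [string]$Ip) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">DOMAINA</Data>
    <Data Name="LogonType">$Type</Data>
    <Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    (New-SampleLogonXml 'alice'   '3' 'Kerberos'  '192.0.2.10'),
    (New-SampleLogonXml 'bob'     '3' 'NTLM'      '192.0.2.23'),
    (New-SampleLogonXml 'svc_web' '5' 'Negotiate' '-')   # service logon, skipped
)
Get-NetworkLogonPackage -EventXml $sample | Format-Table -AutoSize

# Live use on the web server (elevated prompt, logon auditing enabled):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
#        ForEach-Object { $_.ToXml() }
# Get-NetworkLogonPackage -EventXml $xml | Group-Object Source, Package
```

Rows with Package NTLM identify the clients whose first hop to the web server did not negotiate Kerberos.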




 