Thanks for your reply Joe.
For sure it works by using a domain account.
But the preference is to use a local account, which will be consistent with
the way to communicate with the backend server. We have set up mirrored
local account in the middle-tier and backend database server to facilitate
Windows authentication between the two.
Ming
"Joe Kaplan (MVP - ADSI)" wrote:
> You'll need a domain account if you want to talk to AD using the credentials
> of your current thread. If you can specify credentials somehow then you
> have more flexibility.
>
> Can you set up ASP.NET to run as a low privileged domain account?
>
> Joe K.
>
> "hey" <> wrote in message
> news:82C6EA02-1DAB-4CD0-A355-...
> > I'm using Authorization and Profile block in my middle tier (.NET Remoting
> > hosted under IIS) for role-based application security. It's all good when
> > the authorization store is placed in a local xml file. But this is only good
> > in development. In production environment the store needs to be integrated
> > into Active Directory.
> >
> > The middle-tier (ASP.NET) is supposed to be configured to run under a
> > least privileged local account. But I cannot successfully configure any local
> > account (neither custom account nor built-in account) to communicate with
> > the remote AD authorization store.
> >
> > The steps were:
> > 1. Create an authorization store in AD
> > 2. Assign the computer account of the server running ASP.NET to the
> > Readers group of the store.
> >
> > My question is whether a non-domain account can be used to run open
> > and query a remote authorization store in Active Directory. If yes then what
> > is the requirement for this local account (like membership, permissions etc)?
> >
> > Thanks
> > Ming
>
>
>