DirectoryEntry Impersonate or WindowsIdentity Impersonate?

From: Bill Belliveau (anonymous_at_discussions.microsoft.com)
Date: 01/28/04

Next message: Ken Schaefer: "Re: Network Credentials not passing in Authentication mode"
Previous message: Shriop: "Re: Network Credentials not passing in Authentication mode"
Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?"
Reply: Joe Kaplan \(MVP - ADSI\): "Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 27 Jan 2004 16:21:06 -0800

Another security question.
Our project interfaces with the Active Directory. To satisfy the security issues, we have a couple options when we talk to the Directory.

1. Use the WindowsIdentity to impersonate the current user either by impersonating the User.Identity where available or by using UserLogon.
2. Making a DirectoryEntry for each query/edit and send the username and password per request as part of the DE.

My questions are what are the security and performance impact of these methods?

Thanks,
Bill

Next message: Ken Schaefer: "Re: Network Credentials not passing in Authentication mode"
Previous message: Shriop: "Re: Network Credentials not passing in Authentication mode"
Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?"
Reply: Joe Kaplan \(MVP - ADSI\): "Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Grant Administrative Access to a Domain Controller
... Anyone with a good understanding of AD and Windows security will easily see ways of compromising the environment. ... Do not give enhanced rights to Domain Controllers to anyone you don't trust with Domain and/or Enterprise Admins. ... Just know that minimal access can be parlayed into even more access and try as you might, you cannot secure Active Directory from people with server operator or admin or several other levels of access rights on a DC. ...
(microsoft.public.windows.server.active_directory)
Re: Grant Administrative Access to a Domain Controller
... MPerrault suggested security, you said "IT CAN BE DONE WITHOUT ANY FANCY ... Joe Richards Microsoft MVP Windows Server Directory Services ... Author of O'Reilly Active Directory Third Edition ... Controller Security Policy are also options to log on as a service, ...
(microsoft.public.windows.server.active_directory)
[NT] Active Directory Stack Overflow
... Beyond Security in Canada ... Active Directory, which is an essential component of the Windows 2000 ... A vulnerability in Active Directory allows an attacker to crash and force ... The vulnerability can be triggered when an LDAP version 3 search request ...
(Securiteam)
RE: LDAP + Active Directory
... Subject: LDAP + Active Directory ... current article series on Sfocus (An Audit of Active Directory Security)... ... that security in AD can get ... For more information on SecurityFocus' SIA service which ...
(Pen-Test)
Re: I did a dumb thing
... security question and answer. ... If not an IMMEDIATE email to support should get you fixed up. ... You'd logged into an account recently. ...
(microsoft.public.security)