Re: DirectoryEntry Impersonate or WindowsIdentity Impersonate?

From: Bill Belliveau (anonymous_at_discussions.microsoft.com)
Date: 01/31/04


Date: Fri, 30 Jan 2004 15:26:09 -0800

After kicking this around for a few days the only thing I'm wondering about is security. When calling DirectoryEntry(path, username, password) does it access resources in a secure context? I assume it probably does something like LogonUser, get a token and then accesses the directory. Although as I'm finding out with ADAM, when using a userProxy object user credentials are sent plain text.

In any case, I think we've concluded that given the state of the project LogonUser is going to be more viable to implement at this point.

Bill
     
     ----- Joe Kaplan (MVP - ADSI) wrote: -----
     
     This is an interesting question that I think can only be answered with
     testing. I'm not sure it makes any difference at all if you are using
     AuthenticationTypes.Secure, but it would be interesting to know.
     
     There are a few things to know though:
     The underlying ADSI layer will use a cached handle to the directory if an
     open object exists in memory with the server, credentials and flags.
     Therefore, if you are doing a lot of binds with the same credentials, it
     might make sense to try to hang on to a root object for that user until they
     are finished. This is detailed somewhat here:
     
     http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/connection_caching.asp?frame=true
     
     On the other hand, if you are doing just a few binds for each user, I would
     be surprised if it makes any difference.
     
     My instinct is to use the user's credentials if you have them as I have
     found it to be much easier to debug problems in that situation because it
     eliminates a big variable. That is what I have done in many of my .NET AD
     apps.
     
     Joe K.
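
The following C# example is added here and is not code from either poster. It shows the two points raised in the thread: binding with the user's own credentials under AuthenticationTypes.Secure while holding a root object open so later binds can reuse the cached ADSI connection, and wrapping a simple bind (as an ADAM userProxy requires) in SSL so the password is not sent in clear text. The server names, DNs, account names and the DEMO_BIND_PASSWORD variable are placeholders, and the SSL case assumes the ADAM instance has a server certificate configured.

```csharp
using System;
using System.DirectoryServices;

static class BindDemo
{
    // Placeholder values, not taken from the thread.
    const string Server = "dc01.example.test";
    const string BaseDn = "DC=example,DC=test";

    // Bind with explicit credentials. AuthenticationTypes.Secure asks ADSI to
    // negotiate Kerberos/NTLM instead of performing an LDAP simple bind.
    static DirectoryEntry Open(string dn, string user, string password)
    {
        var entry = new DirectoryEntry("LDAP://" + Server + "/" + dn,
                                       user, password, AuthenticationTypes.Secure);
        // DirectoryEntry binds lazily; touching NativeObject forces the bind
        // now, so bad credentials fail here and not on first property access.
        object forceBind = entry.NativeObject;
        return entry;
    }

    // A simple bind sends the password as-is, so it is only done over SSL here.
    // Assumes the ADAM instance listens for LDAPS on the given port.
    static DirectoryEntry OpenSimpleOverSsl(string host, int sslPort, string dn,
                                            string userDn, string password)
    {
        return new DirectoryEntry("LDAP://" + host + ":" + sslPort + "/" + dn,
                                  userDn, password,
                                  AuthenticationTypes.SecureSocketsLayer);
    }

    static void Main()
    {
        string user = @"EXAMPLE\someuser";
        string password = Environment.GetEnvironmentVariable("DEMO_BIND_PASSWORD");

        // Keep the root object alive for the whole unit of work. While it is
        // open, binds with the same server, credentials and flags can reuse
        // the connection ADSI has cached for it.
        using (DirectoryEntry root = Open(BaseDn, user, password))
        {
            foreach (string container in new[] { "CN=Users", "CN=Computers" })
            {
                using (DirectoryEntry child = Open(container + "," + BaseDn, user, password))
                {
                    Console.WriteLine(child.Name);
                }
            }
        } // Disposing the root last releases the cached connection.
    }
}
```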


