Re: Query AD using Integrated Authentication?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/28/04
- Next message: AVance: "Re: Forms Authentication - Not timing out, not redirecting."
- Previous message: MarkMurphy: "Getting forms auth challenge"
- In reply to: Dave: "Re: Query AD using Integrated Authentication?"
- Next in thread: HG: "Re: Query AD using Integrated Authentication?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Jul 2004 14:05:26 -0500
That is possible. You definitely only want to impersonate a domain account.
You can ensure that only domain accounts get in to the site by setting your
authorization element in web.config to:
<allow roles="yourdomain\domain users"/><deny users="*"/>
That said, impersonation may not be enough. You may also need Kerberos
delegation in order for the multiple machine hops to work:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
Joe K.
"Dave" <Dave@discussions.microsoft.com> wrote in message
news:BBB77B50-89C6-4C5E-8D30-7D1C58F6D49D@microsoft.com...
> Joe,
>
> I got as far as setting the impersonation to "true", setting everything to
> integrated and testing the site on my local machine which is part of the
> domain. I'm logged in to the machine with my domain account and password.
> Everything worked.
>
> When I move the app to our dev server (same configuration) which is also
> part of the domain I get the error below. Could it be that the
> "Administrator" account used when logging in to our dev server when it
> booted isn't a domain account? It's the only difference I see between the
> two.
>
> System.Runtime.InteropServices.COMException: An operations error occurred
> when executing...
>
> System.DirectoryServices.SearchResult result = search.FindOne();
>
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
> > You don't have a password with integrated auth, so essentially, you are
> > trying to do a bind with a username and a blank password. That won't work
> > for sure and if you try it very often, you'll lock out that poor user.
> >
> > The way you have to do this with WIA is to impersonate the logged on user
> > (via your web.config) and don't supply any credentials. Then, ADSI will use
> > the credentials of the current security context (the user you are
> > impersonating) to contact AD.
> >
> > The trick here is that if the AD server is on a different machine (very
> > likely), you'll need Kerberos Delegation to get this impersonation to
> > work. Read these articles:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
> >
> > Good luck,
> >
> > Joe K.
> >
> >
> > "Dave" <Dave@discussions.microsoft.com> wrote in message
> > news:0FAA654B-B390-416D-99F8-18F0E39D226C@microsoft.com...
> > > Hi,
> > >
> > > I want to query AD for user's information once they are logged in.
> > >
> > > Under Basic authentication, this worked fine using the code below.
> > >
> > > However, when I switched to Integrated for an intranet site, the FindOne()
> > > bombs with "Logon failure: unknown user name or bad password". I don't know
> > > how to pass the username/password information while using Integrated
> > > Security. Is there a way to do this?
> > >
> > > System.DirectoryServices.DirectoryEntry entry = new
> > > System.DirectoryServices.DirectoryEntry("GC://mycompanydomain.com",
> > > HttpContext.Current.Request.ServerVariables["AUTH_USER"],
> > > HttpContext.Current.Request.ServerVariables["AUTH_PASSWORD"]);
> > > System.DirectoryServices.DirectorySearcher search = new
> > > System.DirectoryServices.DirectorySearcher(entry);
> > >
> > > search.Filter = "(sAMAccountName=" + sSAMAccountName + ")";
> > > search.PropertiesToLoad.Add("sAMAccountName");
> > > search.PropertiesToLoad.Add("cn");
> > > search.PropertiesToLoad.Add("givenName");
> > > search.PropertiesToLoad.Add("sn");
> > > search.PropertiesToLoad.Add("mail");
> > > search.PropertiesToLoad.Add("telephoneNumber");
> > >
> > > System.DirectoryServices.SearchResult result = search.FindOne();
> > >
> > >
> >
> >
> >
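The following is an added example, not code from this thread or from any of its posters. It rewrites Dave's lookup the way Joe describes for Integrated Windows Authentication: no username or password is passed to DirectoryEntry, so ADSI binds with the security context of the impersonated browser user. It assumes the web.config settings shown in the comment (the `yourdomain` role name is the placeholder from Joe's reply, and `GC://mycompanydomain.com` is the placeholder path from Dave's post), and that Kerberos delegation is configured per the KB articles above when the directory server is a different machine from the web server. The two `ImpersonationLevel` checks and the RFC 4515 filter escaping are additions beyond what the thread shows: the first turns the "operations error" into a clear diagnosis of whether impersonation or delegation is missing, the second keeps a request-supplied account name from changing the structure of the LDAP filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Assumed web.config (hypothetical domain name, as in Joe's reply):
//   <authentication mode="Windows" />
//   <identity impersonate="true" />
//   <authorization>
//     <allow roles="yourdomain\domain users" />
//     <deny users="*" />
//   </authorization>
public static class AdUserLookup
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515 rules) so that
    // an account name taken from the request cannot alter the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Describes the token the lookup will run under, useful in a trace log when the
    // same code works on a developer box and fails on a server, as in the thread.
    public static string DescribeSecurityContext()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " / " + id.AuthenticationType + " / " + id.ImpersonationLevel;
    }

    // Looks up one account in the global catalog and returns the requested attributes,
    // or null when no such account exists.
    public static IDictionary<string, string> FindUser(string sAMAccountName)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        if (id.ImpersonationLevel == TokenImpersonationLevel.None)
        {
            // A primary (process) token: the thread is running as the worker process
            // identity, so <identity impersonate="true"/> is not in effect.
            throw new InvalidOperationException(
                "Not impersonating the caller; enable <identity impersonate=\"true\"/>.");
        }
        if (id.ImpersonationLevel == TokenImpersonationLevel.Identification)
        {
            // An Identification-level token cannot be used to reach another machine;
            // this is the double-hop case KB 329986 / KB 810572 address.
            throw new InvalidOperationException(
                "Identification-level token cannot bind to a remote directory; " +
                "check Kerberos delegation.");
        }

        string[] attrs = { "sAMAccountName", "cn", "givenName", "sn", "mail", "telephoneNumber" };

        // No username/password arguments: the bind uses the current security context.
        using (var entry = new DirectoryEntry("GC://mycompanydomain.com"))
        using (var search = new DirectorySearcher(entry))
        {
            search.Filter = "(&(objectCategory=person)(sAMAccountName="
                            + EscapeFilterValue(sAMAccountName) + "))";
            search.PropertiesToLoad.AddRange(attrs);

            SearchResult result = search.FindOne();
            if (result == null)
            {
                return null;
            }

            var user = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            foreach (string attr in attrs)
            {
                ResultPropertyValueCollection values = result.Properties[attr];
                user[attr] = values.Count > 0 ? Convert.ToString(values[0]) : null;
            }
            return user;
        }
    }
}
```

Call `FindUser(User.Identity.Name.Split('\\')[1])` or similar from the page; `DescribeSecurityContext()` is worth writing to a trace on the dev server before the first AD call, since the difference between a working and a failing box is usually visible in the impersonation level rather than in the page code.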