Re: .net Impersonate with integrated authentication client server problem
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Thu, 28 Oct 2004 13:09:06 -0500
You are experiencing what is known as a "double-hop" issue. If you must use
WIA and impersonation, the only solution to this is Kerberos delegation. I
suggest you read this:
"Ajnabi" <firstname.lastname@example.org> wrote in message
> I built an asp.net web application to update user accounts in Active
> Directory (AD). This application works fine on my test server when I
> access the web application on the server itself and update a user
> account (using an administrator account).
> My settings:
> -In all cases I tried with the same Administrator account
> -I enabled impersonate in the web.config (<identity impersonate="true"
> -IIS - Windows Integrated Authentication is Active (all others are
> Here comes the problem I have:
> scenario 1:
> When I try to run the application from a client machine, I can NOT
> update the user account (general access denied error, on the
> CommitChanges() method). I tried using the same administrator account
> as above!
> scenario 2:
> I do NOT want to use Basic Authentication for this application, still I
> tried to run it with Basic Authentication using the same settings as
> above and believe it or not it worked fine.
> My questions:
> 1. Why can't I update a user account from a client machine while this
> works fine on the server using the same account?
> 2. Why does it work using Basic Authentication, while Windows
> Authentication fails?
> Please help me out with this. I'm really out of clues.
> Thanks in advance,
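
A diagnostic for the double-hop condition named in the reply, added here as an example and not part of the original thread. It reports which of the three behaviours described in the question a given request will show. The class and method names (`DoubleHopCheck`, `Describe`) are hypothetical, the verdicts are heuristics, and it assumes .NET Framework 2.0 or later with `<identity impersonate="true" />` enabled.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic (not from the thread). Call from a page or handler, e.g.
// Response.Write(DoubleHopCheck.Describe(HttpContext.Current));
public static class DoubleHopCheck
{
    public static string Describe(HttpContext ctx)
    {
        // What IIS negotiated with the browser: "Basic", "NTLM", "Negotiate", ...
        string requestAuth = ctx.User.Identity.AuthenticationType;

        // With impersonation on, GetCurrent() returns the thread's impersonated token.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            string verdict;
            if (thread.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            {
                // Kerberos delegation is in effect for this caller.
                verdict = "Delegation-level token: the server may authenticate to AD as the caller.";
            }
            else if (string.Equals(requestAuth, "Basic", StringComparison.OrdinalIgnoreCase))
            {
                // The server received the password and performed the logon itself.
                verdict = "Basic: the server holds the caller's credentials, so the hop to AD works.";
            }
            else if (ctx.Request.IsLocal)
            {
                // Browser and IIS share a machine: the call to AD is the only network hop.
                verdict = "Local request: no first network hop, so the call to AD is a single hop.";
            }
            else
            {
                // Remote caller authenticated without delegation: the second hop has no credentials.
                verdict = "Remote caller without delegation: expect access denied at CommitChanges().";
            }

            return string.Format(
                "user={0} requestAuth={1} tokenAuth={2} level={3} local={4}\n{5}",
                thread.Name, requestAuth, thread.AuthenticationType,
                thread.ImpersonationLevel, ctx.Request.IsLocal, verdict);
        }
    }
}
```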