Re: .net Impersonate with integrated authentication client server problem

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/28/04


Date: Thu, 28 Oct 2004 13:09:06 -0500

You are experiencing what is known as a "double-hop" issue. If you must use
WIA and impersonation, the only solution to this is Kerberos delegation. I
suggest you read this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

HTH,

Joe K.

"Ajnabi" <rtikai@gmail.com> wrote in message
news:1098976095.205027.318280@z14g2000cwz.googlegroups.com...
> Hi,
> I built an asp.net web application to update user accounts in Active
> Directory (AD). This application works fine on my test server when I
> access the web application on the server itself and update a user
> account (using an administrator account).
>
> My settings:
> -In all cases I tried with the same Administrator account
> -I enabled impersonate in the web.config (<identity impersonate="true"
> />).
> -IIS - Windows Integrated Authentication is Active (all others are
> inactive)
>
> Here comes the problem I have:
> scenario 1:
> When I try to run the application from a client machine, I can NOT
> update the user account (general access denied error, on the
> CommitChanges() method). I tried using the same administrator account
> as above!
>
> scenario 2:
> I do NOT want to use Basic Authentication for this application, still I
> tried to run it with Basic Authentication using the same settings as
> above and, believe it or not, it worked fine.
>
> My questions:
> 1. Why can't I update a user account from a client machine while this
> works fine on the server using the same account?
>
> 2. Why does it work using Basic Authentication, while Windows
> Authentication fails?
>
> Please help me out with this. I'm really out of clues.
> Thanks in advance,
> Ajnabi.
>
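
An added diagnostic for the situation discussed in this thread, not code from either post: it reports which identity the impersonated request thread carries and whether that token is at the delegation level a second hop to the domain controller requires. It assumes .NET Framework 2.0 or later (for `WindowsIdentity.ImpersonationLevel`); the class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not code from the thread. Call Describe() inside the ASP.NET
// request (with <identity impersonate="true" /> active), before the directory update.
public static class DoubleHopCheck
{
    // Decision logic kept apart from the token lookup so it can be read on its own.
    public static string Classify(TokenImpersonationLevel level, string authPackage)
    {
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegation: the caller's identity can be forwarded to a remote service.";
            case TokenImpersonationLevel.Impersonation:
                if (string.Equals(authPackage, "NTLM", StringComparison.OrdinalIgnoreCase))
                    return "Impersonation via NTLM: NTLM cannot be delegated, so the client "
                         + "must negotiate Kerberos before delegation can work.";
                return "Impersonation: usable on this server; a hop to another machine "
                     + "needs Kerberos delegation.";
            case TokenImpersonationLevel.Identification:
            case TokenImpersonationLevel.Anonymous:
                return level + ": the token cannot be used to access resources as the caller.";
            default: // None: a primary (process) token, so the thread is not impersonating
                return "Not impersonating: calls run as the worker process account.";
        }
    }

    // Reads the identity of the current thread (the impersonated caller when
    // impersonation is on) and returns "name | auth package | verdict".
    public static string Describe()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " | " + id.AuthenticationType + " | "
                 + Classify(id.ImpersonationLevel, id.AuthenticationType);
        }
    }
}
```

Logging the result of `DoubleHopCheck.Describe()` next to the failing `CommitChanges()` call shows whether the request arrived with a delegation-level token or only an impersonation-level one.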


