Re: problem accessing Active Directory from an ASP.NET App when user has been authenticated via AD certificate mapping

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/06/05


Date: Wed, 6 Apr 2005 12:53:46 -0500

This is probably a double hop issue. The security context on the web server
cannot hop to the AD server, so AD gets your security context as anonymous.

To fix this, you'll also need Kerberos delegation. Try doing some searches
on the MS sites to pull down the KBase articles and such.

You may also need protocol transition to make this work since the initial
security context was generated by Schannel, not Kerberos, but I'm actually
not sure about that. I've never done this with certificate mapping. If
anyone else knows, I'd be happy to hear.

Joe K.

"Sergio Lera via .NET 247" <anonymous@dotnet247.com> wrote in message
news:uncJAMpOFHA.3076@tk2msftngp13.phx.gbl...
hello,

I am developing an ASP.NET web application which interacts with AD.
Client/User authentication must be done via AD certificate mapping, so I
have configured IIS to do UPN mapping:
-- In the IIS manager ...
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client certificates" and
also select "Enable client certificate mapping".

I think the mapping is done ok, because if I get the current user by using
Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name (with
<identity impersonate="true" /> in web.config file) the result is the user
owner of the certificate used to do the client authentication.

The problem is that the web application (running under the user account
credentials) cannot access Active Directory via ADSI (using the .NET
System.DirectoryServices API). I get an operational error, I think related
to authentication.

The source code of the System.DirectoryServices.DirectoryEntry object
creation is something like this:
// serverName and serverPort stand for the real DC host name and LDAP port.
// Null user name and password mean "bind with the calling thread's token".
DirectoryEntry de = new DirectoryEntry(
    "LDAP://" + serverName + ":" + serverPort + "/",
    null, null, AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it
requests secure authentication. When the user name and password are a null
reference, ADSI binds to the object using the security context of the
calling thread, which is either the security context of the user account
under which the application is running or of the client user account that
the calling thread is impersonating".

Since certificate mapping is done ok, I suppose the web application is
running under the user account credentials...and the user account has got
the required permissions to do the operation, but AD server does not permit
to do the operation.

I am sure that user account has got the suitable permissions because if I
enable anonymous access in IIS and I use the user account for the anonymous
access, AD server permits to do the operations.

Any idea? What could be the problem? Could it be the authentication type?
Problems related to impersonation? I am a bit lost...

Thanks in advance!

--------------------------------
From: Sergio Lera

-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
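As an added example (not code from either poster), this is one way to apply the protocol transition route Joe mentions: obtain a Kerberos token for the certificate-mapped user with S4U2Self and bind to AD under it instead of the Schannel-derived token. It assumes .NET 2.0 or later, a Windows Server 2003 domain, and that the web server account has been granted constrained delegation with "use any authentication protocol" to the DC's LDAP SPN; the host, DN and UPN values are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not from the thread. Assumes .NET 2.0+, a Windows Server 2003
// domain and constrained delegation (with protocol transition) from the web
// server account to the domain controller's ldap/<fqdn> SPN.
public static class AdDoubleHop
{
    // Necessary (not sufficient) check: an Identification-level token can be
    // inspected but never impersonated, so a bind under it reaches the DC as
    // anonymous. Anything lower than Impersonation means protocol transition
    // is not enabled for this service account.
    public static bool CanImpersonate(WindowsIdentity id)
    {
        return id.ImpersonationLevel >= TokenImpersonationLevel.Impersonation;
    }

    // upn: the UPN IIS mapped from the client certificate (Context.User.Identity.Name).
    // ldapHost: DC FQDN, not an IP address, so Kerberos can build the ldap/ SPN.
    public static string ReadAttribute(string upn, string ldapHost, int ldapPort,
                                       string objectDn, string attribute)
    {
        // S4U2Self: ask the KDC for a ticket to ourselves on behalf of upn.
        using (WindowsIdentity s4u = new WindowsIdentity(upn))
        {
            if (!CanImpersonate(s4u))
                throw new InvalidOperationException(
                    "S4U token is " + s4u.ImpersonationLevel +
                    "; protocol transition is not configured for this service.");

            // Swap the thread token for the user's Kerberos token; the hop to the
            // DC then works only if constrained delegation to ldap/ldapHost exists.
            using (WindowsImpersonationContext ctx = s4u.Impersonate())
            {
                string path = "LDAP://" + ldapHost + ":" + ldapPort + "/" + objectDn;
                using (DirectoryEntry de = new DirectoryEntry(path, null, null,
                           AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
                {
                    object value = de.Properties[attribute].Value;
                    return value == null ? null : value.ToString();
                }
            }
        }
    }
}
```

If ReadAttribute still fails with the same operations error while CanImpersonate returns true, the missing piece is the delegation entry for the LDAP SPN on the web server's account, not the code.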
