Re: Calling NetUserGetInfo from ASP.NET app
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 May 2006 15:55:02 -0500
Yep, it sounds like delegation isn't working. I'm not sure of what
service/SPN you need to have delegation rights to in order for
NetUserSetInfo to work (or S.DS with WinNT), but for S.DS with LDAP, you
should just need LDAP with the appropriate DCs in the SPN.
One thing you might consider doing is using a trusted subsystem model and
NOT using impersonation. That way, you wouldn't need delegation to work.
BTW, there are also some other APIs you can look at to do this like the
TranslateName Win32 API and the DsCrackNames DS RPC method (which is wrapped
by the IADsNameTranslate interface in ADSI and can be called from .NET via
COM interop).
On the delegation troubleshooting issue, I'd first check to make sure you
are getting Kerberos authentication in IIS. If you are getting NTLM, then
you'll also need to have protocol transition working. It is probably easier
to troubleshoot with an end-to-end Kerberos solution first. The nice
thing about this is with a full Kerberos solution, you can first enable
"unconstrained delegation", which means that you can get it working without
knowing which SPNs you need to actually delegate to. Then you can switch to
constrained delegation later and then finally add protocol transition into
the mix last if needed.
I usually start by watching the HTTP traffic and seeing the auth headers
that are being exchanged. I also enable logon auditing in the local
security policy and watch the events in the security event log on the web
server to see what's actually going on there.
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:uE6bi32fGHA.324@xxxxxxxxxxxxxxxxxxxxxxx
I also get Access is Denied if I use System.DirectoryServices using WinNT,
or Operations Error using LDAP.
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:%23Hwzuz2fGHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
I have an ASP.NET 2.0 app with windows authentication and impersonation
enabled. The application pool is running as local system.
I'm trying to call NetUserGetInfo to retrieve the full name of a user
account. The code works when run from a console application. When I
execute it from the ASP.NET page, I can see in the event log on the
domain controller the following failure audit:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,706132358}
Process ID: 544
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x2A16B979)
Accesses: MAX_ALLOWED
Privileges: -
Properties:
---
samServer
Access Mask: 0
So it appears as though delegation is not working...however I've gone
into the properties on the server, and in the delegation tab, I've added
every service listed on the domain controller, using any authentication
protocol. Despite this it's still failing. Any ideas?
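The two pieces of advice in the reply above (check whether IIS actually negotiated Kerberos or NTLM, and make the NetUserGetInfo call as a trusted subsystem rather than as the impersonated browser user) as an added C# example. This is not code from the original thread or from either poster; the class name DomainLookup, the ASP.NET call site and the server name "dc01" are assumptions for illustration, and the SPNEGO check below scans for the mechanism OIDs rather than fully parsing the ASN.1 token.

```csharp
// Added example, not from the original thread. Classify() inspects the Authorization
// header a client sent to IIS and reports Kerberos vs NTLM (NTLM means protocol
// transition would be needed for delegation). GetFullName() does the NetUserGetInfo
// lookup after reverting ASP.NET impersonation, so the DC sees the app pool identity
// instead of ANONYMOUS LOGON and no delegation is required (trusted subsystem model).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class DomainLookup   // assumed name
{
    public enum AuthKind { None, Basic, Ntlm, Kerberos, Unknown }

    // DER encodings of the mechanism OIDs found in a SPNEGO NegTokenInit mechTypes list.
    static readonly byte[] KerberosOid   = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02 }; // 1.2.840.113554.1.2.2
    static readonly byte[] MsKerberosOid = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02 }; // 1.2.840.48018.1.2.2
    static readonly byte[] NtlmOid       = { 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A }; // 1.3.6.1.4.1.311.2.2.10
    static readonly byte[] NtlmSsp       = Encoding.ASCII.GetBytes("NTLMSSP\0");

    // Pass Request.Headers["Authorization"] from the ASP.NET page (assumed call site).
    public static AuthKind Classify(string authorizationHeader)
    {
        if (string.IsNullOrEmpty(authorizationHeader)) return AuthKind.None;
        int space = authorizationHeader.IndexOf(' ');
        if (space < 0) return AuthKind.Unknown;
        string scheme = authorizationHeader.Substring(0, space);
        string b64 = authorizationHeader.Substring(space + 1).Trim();
        if (scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase)) return AuthKind.Basic;
        if (scheme.Equals("NTLM", StringComparison.OrdinalIgnoreCase)) return AuthKind.Ntlm;
        if (!scheme.Equals("Negotiate", StringComparison.OrdinalIgnoreCase)) return AuthKind.Unknown;

        byte[] token;
        try { token = Convert.FromBase64String(b64); } catch (FormatException) { return AuthKind.Unknown; }

        // A raw NTLMSSP blob under the Negotiate scheme: the client fell back to NTLM.
        if (StartsWith(token, NtlmSsp)) return AuthKind.Ntlm;
        // Otherwise expect a SPNEGO NegTokenInit ([APPLICATION 0], tag 0x60). The first OID
        // in mechTypes is the mechanism the client actually used to build the token.
        if (token.Length == 0 || token[0] != 0x60) return AuthKind.Unknown;
        int kerb = IndexOf(token, KerberosOid);
        if (kerb < 0) kerb = IndexOf(token, MsKerberosOid);
        int ntlm = IndexOf(token, NtlmOid);
        if (ntlm >= 0 && (kerb < 0 || ntlm < kerb)) return AuthKind.Ntlm;
        return kerb >= 0 ? AuthKind.Kerberos : AuthKind.Unknown;
    }

    static bool StartsWith(byte[] data, byte[] prefix)
    {
        if (data.Length < prefix.Length) return false;
        for (int i = 0; i < prefix.Length; i++) if (data[i] != prefix[i]) return false;
        return true;
    }

    static int IndexOf(byte[] data, byte[] pattern)
    {
        for (int i = 0; i + pattern.Length <= data.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && data[i + j] == pattern[j]) j++;
            if (j == pattern.Length) return i;
        }
        return -1;
    }

    // USER_INFO_10 carries the full name; level 10 needs no administrative access.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct USER_INFO_10
    {
        public string usri10_name;
        public string usri10_comment;
        public string usri10_usr_comment;
        public string usri10_full_name;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetUserGetInfo(string servername, string username, int level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    const int NERR_Success = 0;

    // server: a DC name such as "dc01" (assumed), or null for the local SAM.
    public static string GetFullName(string server, string samAccountName)
    {
        // Impersonate(IntPtr.Zero) reverts to the process token; Dispose() restores
        // the caller's impersonation when the block exits.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            IntPtr buf;
            int rc = NetUserGetInfo(server, samAccountName, 10, out buf);
            if (rc != NERR_Success) throw new Win32Exception(rc, "NetUserGetInfo failed");
            try
            {
                USER_INFO_10 info = (USER_INFO_10)Marshal.PtrToStructure(buf, typeof(USER_INFO_10));
                return info.usri10_full_name;
            }
            finally { NetApiBufferFree(buf); }
        }
    }
}
```

Because the lookup now runs as the application pool account (with the pool running as Local System, the DC sees the web server's machine account), the page must decide for itself whether the browser user is allowed to see that record before calling GetFullName; reverting impersonation removes the check the DC would otherwise have made. Classify() reporting Ntlm on a request that should have been Kerberos usually points at a missing or duplicate HTTP SPN for the site's host name, which is worth fixing before touching the delegation settings.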