Re: Calling NetUserGetInfo from ASP.NET app
- From: "Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx>
- Date: Wed, 24 May 2006 17:23:48 -0400
I am using Integrated Windows Authentication, and I've seen references to
the "double-hop" issue. The only suggestion I've seen is to turn off
integrated windows authentication, but I need to have it on in order to
enforce local filesystem ACLs.
I thought I got it working by calling ImpersonateSelf, but it still doesn't
seem to be working. The answer seems to lie with doing an impersonation
with SecurityDelegation
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_impersonation_level.asp)
but I can't find a good example of how to do it...
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:uqy$tP3fGHA.4568@xxxxxxxxxxxxxxxxxxxxxxx
Yep, it sounds like delegation isn't working. I'm not sure of what
service/SPN you need to have delegation rights to in order for
NetUserSetInfo to work (or S.DS with WinNT), but for S.DS with LDAP, you
should just need LDAP with the appropriate DCs in the SPN.
One thing you might consider doing is using a trusted subsystem model and
NOT using impersonation. That way, you wouldn't need delegation to work.
BTW, there are also some other APIs you can look at to do this like the
TranslateName Win32 API and the DsCrackNames DS RPC method (which is
wrapped by the IADsNameTranslate interface in ADSI and can be called from
.NET via COM interop).
On the delegation troubleshooting issue, I'd first check to make sure you
are getting Kerberos authentication in IIS. If you are getting NTLM, then
you'll also need to have protocol transition working. It is probably
easier to troubleshoot with an end-to-end Kerberos solution first.
The nice thing about this is with a full Kerberos solution, you can first
enable "unconstrained delegation", which means that you can get it working
without knowing which SPNs you need to actually delegate to. Then you can
switch to constrained delegation later and then finally add protocol
transition into the mix last if needed.
I usually start by watching the HTTP traffic and seeing the auth headers
that are being exchanged. I also enable logon auditing in the local
security policy and watch the events in the security event log on the web
server to see what's actually going on there.
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:uE6bi32fGHA.324@xxxxxxxxxxxxxxxxxxxxxxx
I also get Access is Denied if I use System.DirectoryServices using WinNT,
or Operations Error using LDAP.
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:%23Hwzuz2fGHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
I have an ASP.NET 2.0 app with windows authentication and impersonation
enabled. The application pool is running as local system.
I'm trying to call NetUserGetInfo to retrieve the full name of a user
account. The code works when run from a console application. When I
execute it from the ASP.NET page, I can see in the event log on the
domain controller the following failure audit:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=domain,DC=com
Handle ID: -
Operation ID: {0,706132358}
Process ID: 544
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: DC$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x2A16B979)
Accesses: MAX_ALLOWED
Privileges: -
Properties:
---
samServer
Access Mask: 0
So it appears as though delegation is not working...however I've gone
into the properties on the server, and in the delegation tab, I've added
every service listed on the domain controller, using any authentication
protocol. Despite this it's still failing. Any ideas?
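Joe's first troubleshooting step is to look at the auth headers and tell Kerberos from NTLM. As an added example that is not part of this thread, the following Python classifier does that for a client's Authorization header: a raw NTLMSSP token is NTLM whichever scheme carries it, and a SPNEGO NegTokenInit is classified by the first entry of its mechTypes list (the mechanism the optimistic mechToken was built for). The sample headers are constructed with a small DER encoder, not captured from the poster's servers.

```python
import base64
import struct

# DER-encoded OID bodies that appear in SPNEGO (RFC 4178) mechTypes lists.
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _oids_in_order(buf):
    """Return every OID body in document order, descending only into constructed elements.
    The embedded mechToken is a primitive OCTET STRING, so it is never entered."""
    oids, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_len(buf, pos + 1)
        body = buf[pos:pos + length]
        pos += length
        if tag == 0x06:
            oids.append(body)
        elif tag & 0x20:
            oids.extend(_oids_in_order(body))
    return oids


def classify_authorization(header_value):
    """Classify a client 'Authorization:' header as 'kerberos', 'ntlm', 'basic' or 'unknown'."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm") or not token.strip():
        return "unknown"
    raw = base64.b64decode(token.strip())
    # Raw NTLMSSP message: sent under "NTLM", and under "Negotiate" when the client
    # falls back from SPNEGO. Its base64 form starts with the familiar "TlRMTVNTUAA".
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # GSS-API InitialContextToken ([APPLICATION 0]) carrying a SPNEGO NegTokenInit.
    if scheme == "negotiate" and raw[:1] == b"\x60":
        oids = _oids_in_order(raw)
        if oids and oids[0] == OID_SPNEGO and len(oids) > 1:
            preferred = oids[1]  # mechTypes[0]
            if preferred in (OID_KRB5, OID_MS_KRB5):
                return "kerberos"
            if preferred == OID_NTLMSSP:
                return "ntlm"
    return "unknown"


def ntlm_message_type(header_value):
    """For an NTLMSSP token return MessageType (1 negotiate, 2 challenge, 3 authenticate), else None."""
    _, _, token = header_value.strip().partition(" ")
    raw = base64.b64decode(token.strip()) if token.strip() else b""
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        return struct.unpack_from("<I", raw, 8)[0]
    return None


# --- constructed sample tokens (not captured from any real server) ---

def _tlv(tag, body):
    """Minimal DER TLV encoder (short and long-form lengths)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_spnego_init(mech_oids, mech_token=b"\x00" * 4):
    """Build a SPNEGO NegTokenInit with the given mechTypes list and a placeholder mechToken."""
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    neg_token_init = _tlv(0x30, _tlv(0xA0, mech_types) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, neg_token_init))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


SAMPLE_HEADERS = {
    "kerberos_spnego": "Negotiate " + _b64(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])),
    "ntlm_spnego": "Negotiate " + _b64(build_spnego_init([OID_NTLMSSP])),
    "ntlm_raw_negotiate": "Negotiate " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 4),
    "ntlm_scheme": "NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:20s} -> {classify_authorization(hdr)} (NTLM type {ntlm_message_type(hdr)})")
```

Run it against the Authorization header captured from the browser-to-IIS request. An "ntlm" result, even under the Negotiate scheme, is the case Joe describes where delegation alone is not enough and protocol transition also has to work; a "kerberos" result means you can go straight to checking the SPNs the web server is allowed to delegate to.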