Re: Calling NetUserGetInfo from ASP.NET app



I'm sure it is a delegation issue. The operations error you mentioned when
using LDAP is a classic symptom of an authentication failure related to a
delegation issue.

All of the stuff I suggested earlier will be helpful for you if you want to
get delegation working. I'd also suggest reading the TechNet doc
"troubleshooting Kerberos errors". It is extremely informative.

From a code perspective, you are doing everything right. When you get the
config right, it will just start working.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Owwkah3fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I am using Integrated Windows Authentication, and I've seen references to
the "double-hop" issue. The only suggestion I've seen is to turn off
integrated windows authentication, but I need to have it on in order to
enforce local filesystem ACLs.

I thought I got it working by calling ImpersonateSelf, but it still
doesn't seem to be working. The answer seems to lie with doing an
impersonation with SecurityDelegation
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_impersonation_level.asp)
but I can't find a good example of how to do it...
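
A diagnostic for the double-hop situation discussed in this thread, added here as an example and not code from either poster: it reports the impersonation level of a Windows token, which shows whether the identity ASP.NET is impersonating can be delegated to a second machine. The class and method names are hypothetical, and the interpretation assumes the caller was authenticated with Integrated Windows Authentication.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic sketch; DelegationCheck, Explain and Describe are hypothetical names.
public static class DelegationCheck
{
    // Interprets the token level for a caller authenticated with
    // Integrated Windows Authentication (Kerberos or NTLM).
    public static string Explain(TokenImpersonationLevel level)
    {
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Delegation: the caller's identity can be presented to a remote server (second hop).";
            case TokenImpersonationLevel.Impersonation:
                return "Impersonation: usable for local resources such as file ACLs; " +
                       "a call to another machine will not carry the caller's identity.";
            case TokenImpersonationLevel.Identification:
                return "Identification: the caller can be identified but not impersonated.";
            case TokenImpersonationLevel.Anonymous:
                return "Anonymous: no caller identity is available.";
            default:
                // WindowsIdentity reports None for a primary (process) token.
                return "None: primary token, the thread is not impersonating.";
        }
    }

    // One log line: account name, authentication package, and what the level means.
    public static string Describe(WindowsIdentity id)
    {
        return String.Format("{0} | auth={1} | {2}",
            id.Name, id.AuthenticationType, Explain(id.ImpersonationLevel));
    }

    public static void Main()
    {
        // In an ASP.NET page, pass (WindowsIdentity)HttpContext.Current.User.Identity
        // instead, and log the result before the NetUserGetInfo or LDAP call.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(current));
        }
    }
}
```

If the logged level is Impersonation rather than Delegation for a domain user, the remaining work is in the Kerberos and delegation configuration, not in the calling code.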


