Re: Calling NetUserGetInfo from ASP.NET app
- From: "Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx>
- Date: Thu, 25 May 2006 10:37:28 -0400
Well, I kind of got it working...
Not sure if I like this method, but I switched to basic authentication and
then used a slightly modified version of this example, using
Request.ServerVariables["AUTH_USER"] and AUTH_PASSWORD:
http://support.microsoft.com/?scid=306158
The LDAP provider works fine now, so it seems delegation is working
correctly, although calling the WinNT provider and NetUserGetInfo both
return Access Denied.
With the WinNT provider, I do get a failed object access (although nothing
with NetUserGetInfo).
The error is:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,714329947}
Process ID: 532
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: BRCAD1$
Primary Domain: PACE
Primary Logon ID: (0x0,0x3E7)
Client User Name: md48497p
Client Domain: PACE
Client Logon ID: (0x0,0x2A93CF3A)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:OTRJJx6fGHA.2032@xxxxxxxxxxxxxxxxxxxxxxx
I'm sure it is a delegation issue. The operations error you mentioned
when using LDAP is a classic symptom of an authentication failure related
to a delegation issue.
All of the stuff I suggested earlier will be helpful for you if you want
to get delegation working. I'd also suggest reading the TechNet doc
"Troubleshooting Kerberos Errors". It is extremely informative.
From a code perspective, you are doing everything right. When you get the
config right, it will just start working.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Owwkah3fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I am using Integrated Windows Authentication, and I've seen references to
the "double-hop" issue. The only suggestion I've seen is to turn off
integrated windows authentication, but I need to have it on in order to
enforce local filesystem ACLs.
I thought I got it working by calling ImpersonateSelf, but it still
doesn't seem to be working. The answer seems to lie with doing an
impersonation with SecurityDelegation
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_impersonation_level.asp)
but I can't find a good example of how to do it...
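
Added example, not part of the original thread: a Python sketch for triaging the failed object-access event quoted at the top of the message. It decodes the access mask into Service Control Manager rights and reports which identity the access check ran against. The function names are hypothetical; the right values are the standard winsvc.h / winnt.h constants.

```python
# Abridged copy of the audit event quoted in the post (sample input).
EVENT = """\
Object Server: SC Manager
Object Name: ServicesActive
Primary User Name: BRCAD1$
Primary Domain: PACE
Primary Logon ID: (0x0,0x3E7)
Client User Name: md48497p
Client Domain: PACE
Client Logon ID: (0x0,0x2A93CF3A)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Access Mask: 0x20015"""

# Service Control Manager access rights (winsvc.h) and standard rights (winnt.h).
SCM_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

def parse_event(text):
    """Split 'Key: value' lines; lines without a key continue the previous field."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition(": ")
        if sep:
            fields[key], last = value, key
        elif last and line and not line.endswith(":"):
            fields[last] += "; " + line
    return fields

def triage(text):
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    rights = [name for bit, name in sorted(SCM_RIGHTS.items()) if mask & bit]
    client = f.get("Client User Name", "-")
    return {
        "object": f["Object Server"] + "/" + f["Object Name"],
        "rights": rights,
        "undecoded_bits": mask & ~sum(SCM_RIGHTS),
        # 0x3E7 is the fixed logon ID of the LocalSystem session.
        "process_is_system": f["Primary Logon ID"].lower().endswith(",0x3e7)"),
        # Client name other than "-": thread was impersonating; check ran as the client.
        "checked_as": f["Client Domain"] + "\\" + client if client != "-" else None,
    }
```

For this event the decoded rights match the "Accesses" text line for line, and the check ran against the impersonated client identity rather than the machine account that owns services.exe.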