Re: Calling NetUserGetInfo from ASP.NET app
The LogonUser thing isn't delegation, since that's a local logon, but that
is a way to get it working if you have plaintext credentials.

There is a feature in Windows 2003 (with Windows 2003 AD) called protocol
transition (S4U) that you could use as well. PT allows non-Kerberos
authentication on the front end (like basic, NTLM or Digest) and will
"transition" to Kerberos when Kerberos auth is needed. PT can also be
called programmatically by your code. Essentially, you can call
LsaLogonUser with the proper arguments, or in .NET, you can use the
WindowsIdentity constructor that simply takes a UPN as the argument. That
will give you a Windows user token/WindowsIdentity that you can impersonate
and use for remote calls, assuming that the account has the correct rights
for delegation with any protocol and can delegate to the services you need
to visit.

If you are going to have plaintext credentials, then this isn't really
necessary, but it is an option.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:eWFC2PMgGHA.4892@xxxxxxxxxxxxxxxxxxxxxxx
nah I did get it working.
I can query AD using the LDAP provider just fine. As I said, I cheated by
calling LogonUser, DuplicateToken, and ImpersonateLoggedOnUser ;)
It's only NetUserGetInfo that fails, and I narrowed it down to a
permission issue, because it works when the user is in the Pre-Windows
2000 Compatible group.
I do it in Global.asax in the PreRequestHandlerExecute event, then call
RevertToSelf in PostRequestHandlerExecute. Seems to do the job. I can
share the code if you like :)

The main thing is that I needed it to work even with non-IE browsers, and
through a firewall. Two things regular Kerberos-based delegation doesn't
seem to work with...

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23iJCMhIgGHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Good deal. It uses the LSA to do the work for you using the machine's
credentials, so you don't necessarily need to do an RPC on the client's
behalf. It is probably a lot easier than getting delegation working and
I think the LSA also provides some built in caching for you. Of course,
the next time you really do need delegation, you still won't know how to
get it working. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:%23oOJcZHgGHA.1856@xxxxxxxxxxxxxxxxxxxxxxx
Finally! I got it to work by using TranslateName. Go figure.
Thanks for mentioning it though, I didn't know about that api :)
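The two token sources Joe describes (S4U protocol transition through the WindowsIdentity UPN constructor, or LogonUser with plaintext credentials) together with the Global.asax impersonate-then-revert pattern Michael describes, written out as an added C# example for the .NET Framework. This is neither poster's code; the UPN format, the `Items` key and the "alice@corp.example" style names are assumed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added example, not code from the thread. Builds a user token either by
// protocol transition (no password) or by LogonUser (password), then shows
// the per-request impersonate/revert hook in Global.asax.
public static class TokenHelpers
{
    // Route 1: protocol transition (S4U2Self). The LSA builds a token for the
    // named user without a password. If the web app's service account is not
    // "trusted for delegation with any protocol", the LSA returns only an
    // identification-level token that cannot be used for network access, so a
    // remote NetUserGetInfo-style RPC on the user's behalf will still fail.
    public static WindowsIdentity FromUpn(string upn)
    {
        // Throws SecurityException / UnauthorizedAccessException on failure.
        return new WindowsIdentity(upn);
    }

    // Route 2: plaintext credentials (the LogonUser path).
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public static WindowsIdentity FromPassword(string user, string domain, string password)
    {
        IntPtr token;
        // NETWORK_CLEARTEXT rather than plain NETWORK (3): a NETWORK logon
        // yields a token with no cached credentials, so the remote hop fails.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // The WindowsIdentity constructor keeps its own copy of the handle,
            // so the raw handle is closed here (no separate DuplicateToken).
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Global.asax.cs: impersonate for the duration of the handler and revert
// afterwards. ASP.NET auto-wires methods named Application_<HttpApplication event>.
public class Global : HttpApplication
{
    private const string CtxKey = "impersonationContext"; // constructed key

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Assumed: the front-end authentication already populated
        // User.Identity.Name with a UPN such as "alice@corp.example".
        // With NTLM/Kerberos the name is usually DOMAIN\user and must be
        // translated to a UPN first (e.g. via TranslateName).
        string upn = Context.User.Identity.Name;
        WindowsIdentity id = TokenHelpers.FromUpn(upn);
        Context.Items[CtxKey] = id.Impersonate();
    }

    protected void Application_PostRequestHandlerExecute(object sender, EventArgs e)
    {
        RevertIfImpersonating();
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // EndRequest fires even when the handler threw, so the worker thread
        // never carries one user's token into the next request it serves.
        RevertIfImpersonating();
    }

    private void RevertIfImpersonating()
    {
        WindowsImpersonationContext ctx = Context.Items[CtxKey] as WindowsImpersonationContext;
        if (ctx == null) return;
        ctx.Dispose(); // Dispose() calls Undo(), the managed RevertToSelf
        Context.Items.Remove(CtxKey);
    }
}
```

The second revert in `Application_EndRequest` is the check worth keeping: a token left on a pooled worker thread is the classic way an impersonation bug turns into one user silently acting as another on a later request.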