Re: Calling NetUserGetInfo from ASP.NET app



Nah, I did get it working.
I can query AD using the LDAP provider just fine. As I said, I cheated by
calling LogonUser, DuplicateToken, and ImpersonateLoggedOnUser ;)
It's only NetUserGetInfo that fails, and I narrowed it down to a permission
issue, because it works when the user is in the Pre-Windows 2000 Compatible
group.
I do it in Global.asax in the PreRequestHandlerExecute event, then call
RevertToSelf in PostRequestHandlerExecute. Seems to do the job. I can
share the code if you like :)

The main thing is that I needed it to work even with non-IE browsers, and
through a firewall. Two things it doesn't seem regular Kerberos-based
delegation works with...

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23iJCMhIgGHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Good deal. It uses the LSA to do the work for you using the machine's
credentials, so you don't necessarily need to do an RPC on the client's
behalf. It is probably a lot easier than getting delegation working and I
think the LSA also provides some built in caching for you. Of course, the
next time you really do need delegation, you still won't know how to get
it working. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:%23oOJcZHgGHA.1856@xxxxxxxxxxxxxxxxxxxxxxx
Finally! I got it to work by using TranslateName. Go figure.
Thanks for mentioning it though, I didn't know about that api :)
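
The per-request impersonation described in the top post (LogonUser, DuplicateToken and ImpersonateLoggedOnUser in PreRequestHandlerExecute, RevertToSelf in PostRequestHandlerExecute), written out as an added example that is not the poster's code. Assumptions not taken from the thread: Basic authentication over TLS with the credentials read from the IIS `AUTH_USER` and `AUTH_PASSWORD` server variables, the `LOGON32_LOGON_NETWORK_CLEARTEXT` logon type, synchronous handlers, the `ImpersonatingKey` name, and the extra revert in EndRequest.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Web;

public class Global : HttpApplication
{
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;   // assumed logon type; token can reach the network
    const int LOGON32_PROVIDER_DEFAULT = 0, SecurityImpersonation = 2;
    const string ImpersonatingKey = "impersonating"; // hypothetical per-request marker

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int type, int provider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr duplicate);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr handle);

    void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        string account = Request.ServerVariables["AUTH_USER"];      // DOMAIN\user under Basic auth
        string password = Request.ServerVariables["AUTH_PASSWORD"];
        if (string.IsNullOrEmpty(account) || password == null) return;
        int slash = account.IndexOf('\\');
        string domain = slash > 0 ? account.Substring(0, slash) : null;
        IntPtr primary = IntPtr.Zero, duplicate = IntPtr.Zero;
        try
        {
            // Short-circuit keeps GetLastWin32Error pointing at the call that failed.
            if (!LogonUser(account.Substring(slash + 1), domain, password,
                           LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out primary)
                || !DuplicateToken(primary, SecurityImpersonation, out duplicate)
                || !ImpersonateLoggedOnUser(duplicate))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            Context.Items[ImpersonatingKey] = true;
        }
        finally
        {
            // The thread keeps its own reference to the token, so the handles can be closed now.
            if (duplicate != IntPtr.Zero) CloseHandle(duplicate);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }

    void Application_PostRequestHandlerExecute(object sender, EventArgs e) { Revert(); }
    // PostRequestHandlerExecute is skipped when the handler throws; EndRequest still runs.
    void Application_EndRequest(object sender, EventArgs e) { Revert(); }

    void Revert()
    {
        if (Context.Items[ImpersonatingKey] == null) return;
        Context.Items.Remove(ImpersonatingKey);
        // Impersonation is per thread: this only undoes it if we are still on the same thread.
        if (!RevertToSelf()) throw new Win32Exception(Marshal.GetLastWin32Error());
    }
}
```

A failed RevertToSelf is raised as an exception here because a pooled worker thread that keeps the caller's token would serve the next request under the wrong identity.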




