Re: Calling NetUserGetInfo from ASP.NET app



Right, I'm "cheating" by calling native apis LogonUser and
ImpersonateLoggedOnUser using the username and password passed to the web
site. :)

I can't figure out what permission is missing exactly, but since the LDAP
provider works, I at least have something to go with.
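As an added illustration (not code from the thread or from KB 306158), here is the LogonUser/ImpersonateLoggedOnUser approach Michael describes, with the logon type chosen so the impersonated thread can still reach a second hop. It assumes Windows Server 2003 or later, where LogonUser no longer requires SeTcbPrivilege, and that the caller passes the AUTH_USER/AUTH_PASSWORD values with AUTH_USER in DOMAIN\user form.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the poster's code: the LogonUser + ImpersonateLoggedOnUser
// pattern the thread describes, with the impersonation and token always cleaned up.
public static class CredentialImpersonation
{
    // Logon types from winbase.h
    const int LOGON32_LOGON_INTERACTIVE = 2;       // requires "Allow log on locally"
    const int LOGON32_LOGON_NETWORK = 3;           // no cached creds: cannot make a second hop
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // keeps creds so outbound hops work
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'action' on the current thread as the given user, then reverts.
    // 'login' is "DOMAIN\user" (the form AUTH_USER takes under basic auth).
    public static void RunAs(string login, string password, Action action)
    {
        string domain = null, user = login;
        int sep = login.IndexOf('\\');
        if (sep > 0) { domain = login.Substring(0, sep); user = login.Substring(sep + 1); }

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try { action(); }
            finally { RevertToSelf(); } // never leave a pooled worker thread impersonating
        }
        finally { CloseHandle(token); } // the primary token is not needed once impersonating
    }
}

// Page code-behind usage. Basic auth delivers AUTH_PASSWORD as the cleartext
// password the browser sent, so serve the site over HTTPS.
//   CredentialImpersonation.RunAs(Request.ServerVariables["AUTH_USER"],
//       Request.ServerVariables["AUTH_PASSWORD"],
//       () => Response.Write(WindowsIdentity.GetCurrent().Name));
```

LOGON32_LOGON_NETWORK would also succeed but yields a token without cached credentials, so remote calls made under it fail exactly like the double-hop case the thread is about.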

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23nuA5VCgGHA.2416@xxxxxxxxxxxxxxxxxxxxxxx
Regarding permissions, that could be. Perhaps there is some DCOM thing or
something? I really don't know. I've never tried to use those APIs in an
architecture like this. In web apps, I mostly do delegation stuff with
HTTP, SQL and LDAP.

Also, when using basic auth, you aren't really using Kerberos delegation
since basic auth performs a local login with plain credentials. There is
only one hop involved there.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Oi3$pkAgGHA.4304@xxxxxxxxxxxxxxxxxxxxxxx
It does seem to be a permission issue of some kind, since if I
authenticate as an administrator, WinNT and NetUserGetInfo work.

"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:OGJaBjAgGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx
Well, I kind of got it working...
Not sure if I like this method, but I switched to basic authentication
and then used a slightly modified version of this example, using
Request.ServerVariables["AUTH_USER"] and AUTH_PASSWORD:
http://support.microsoft.com/?scid=306158

The LDAP provider works fine now, so it seems delegation is working
correctly, although calling the WinNT provider and NetUserGetInfo both
return Access Denied.

With the WinNT provider, I do get a failed object access (although
nothing with NetUserGetInfo). The error is:

Object Open:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,714329947}
  Process ID: 532
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: BRCAD1$
  Primary Domain: PACE
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: md48497p
  Client Domain: PACE
  Client Logon ID: (0x0,0x2A93CF3A)
  Accesses: READ_CONTROL
            Connect to service controller
            Enumerate services
            Query service database lock state
  Privileges: -
  Restricted Sid Count: 0
  Access Mask: 0x20015


"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:OTRJJx6fGHA.2032@xxxxxxxxxxxxxxxxxxxxxxx
I'm sure it is a delegation issue. The operations error you mentioned
when using LDAP is a classic symptom of an authentication failure
related to a delegation issue.

All of the stuff I suggested earlier will be helpful for you if you
want to get delegation working. I'd also suggest reading the technet
doc "troubleshooting Kerberos errors". It is extremely informative.

From a code perspective, you are doing everything right. When you get
the config right, it will just start working.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Owwkah3fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I am using Integrated Windows Authentication, and I've seen references
to the "double-hop" issue. The only suggestion I've seen is to turn
off integrated windows authentication, but I need to have it on in
order to enforce local filesystem ACLs.

I thought I got it working by calling ImpersonateSelf, but it still
doesn't seem to be working. The answer seems to lie with doing an
impersonation with SecurityDelegation
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_impersonation_level.asp)
but I can't find a good example of how to do it...
