Re: Calling NetUserGetInfo from ASP.NET app



Regarding permissions, that could be. Perhaps there is some DCOM thing or
something? I really don't know. I've never tried to use those APIs in an
architecture like this. In web apps, I mostly do delegation stuff with
HTTP, SQL and LDAP.

Also, when using basic auth, you aren't really using Kerberos delegation
since basic auth performs a local login with plain credentials. There is
only one hop involved there.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Oi3$pkAgGHA.4304@xxxxxxxxxxxxxxxxxxxxxxx
It does seem to be a permission issue of some kind, since if I
authenticate as an administrator, WinNT and NetUserGetInfo work.

"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:OGJaBjAgGHA.1272@xxxxxxxxxxxxxxxxxxxxxxx
Well, I kind of got it working...
Not sure if I like this method, but I switched to basic authentication
and then used a slightly modified version of this example, using
Request.ServerVariables["AUTH_USER"] and AUTH_PASSWORD:
http://support.microsoft.com/?scid=306158

The LDAP provider works fine now, so it seems delegation is working
correctly, although calling the WinNT provider and NetUserGetInfo both
return Access Denied.

With the WinNT provider, I do get a failed object access (although
nothing with NetUserGetInfo). The error is:

Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,714329947}
Process ID: 532
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: BRCAD1$
Primary Domain: PACE
Primary Logon ID: (0x0,0x3E7)
Client User Name: md48497p
Client Domain: PACE
Client Logon ID: (0x0,0x2A93CF3A)
Accesses: READ_CONTROL
    Connect to service controller
    Enumerate services
    Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015


"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:OTRJJx6fGHA.2032@xxxxxxxxxxxxxxxxxxxxxxx
I'm sure it is a delegation issue. The operations error you mentioned
when using LDAP is a classic symptom of an authentication failure
related to a delegation issue.

All of the stuff I suggested earlier will be helpful for you if you want
to get delegation working. I'd also suggest reading the technet doc
"troubleshooting Kerberos errors". It is extremely informative.

From a code perspective, you are doing everything right. When you get
the config right, it will just start working.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:Owwkah3fGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I am using Integrated Windows Authentication, and I've seen references
to the "double-hop" issue. The only suggestion I've seen is to turn off
integrated windows authentication, but I need to have it on in order to
enforce local filesystem ACLs.

I thought I got it working by calling ImpersonateSelf, but it still
doesn't seem to be working. The answer seems to lie with doing an
impersonation with SecurityDelegation
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_impersonation_level.asp)
but I can't find a good example of how to do it...
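An added diagnostic for the thread's question (this is not code from the posts or from KB 306158): it reports the impersonation level of the token the ASP.NET request runs under and then attempts the same NetUserGetInfo call, so the "double-hop" symptom can be checked directly. It assumes .NET Framework 2.0 (WindowsIdentity.ImpersonationLevel) and uses placeholder server and user names.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Diagnostic helper: what kind of token is this request running under, and
// does the second hop (NetUserGetInfo against a domain controller) succeed?
static class DelegationDiag
{
    const int NERR_Success = 0;        // from lmerr.h
    const int ERROR_ACCESS_DENIED = 5; // the status the thread reports

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int NetUserGetInfo(string serverName, string userName, int level, out IntPtr bufPtr);

    [DllImport("netapi32.dll", ExactSpelling = true)]
    static extern int NetApiBufferFree(IntPtr buffer);

    // USER_INFO_10 from lmaccess.h: four LPWSTR fields.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct USER_INFO_10
    {
        public string usri10_name;
        public string usri10_comment;
        public string usri10_usr_comment;
        public string usri10_full_name;
    }

    // None      : primary token (e.g. from LogonUser after basic auth), has credentials.
    // Impersonation: network-logon token from Integrated Windows Auth; it can open
    //              local objects but cannot authenticate to another machine.
    // Delegation: what the hop from the web server to the DC requires under Kerberos.
    public static TokenImpersonationLevel CurrentLevel()
    {
        return WindowsIdentity.GetCurrent().ImpersonationLevel;
    }

    // Returns NERR_Success and sets fullName, or the NetApi/Win32 status (5 = access denied).
    // server and user are placeholders, e.g. @"\\DC01" and "md48497p".
    public static int TryGetFullName(string server, string user, out string fullName)
    {
        fullName = null;
        IntPtr buf;
        int status = NetUserGetInfo(server, user, 10, out buf);
        if (status != NERR_Success) return status;
        try
        {
            USER_INFO_10 info = (USER_INFO_10)Marshal.PtrToStructure(buf, typeof(USER_INFO_10));
            fullName = info.usri10_full_name;
        }
        finally { NetApiBufferFree(buf); } // buffer is allocated by netapi32, free it the same way
        return status;
    }
}
```

Log CurrentLevel() next to the status from TryGetFullName(): Impersonation plus status 5 against a remote server is the delegation failure described above, while None after the basic-auth LogonUser approach explains why that variant works with only one hop.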
