Re: programmatically login using LDAP and impersonation



Is it possible that you can configure the IIS App Pool identity to use the
domain account you need to log in to both SQL and AD? This is by far the
easiest way and requires no impersonation. Authentication will use Kerberos
as long as proper SPNs for all of the identities are configured, otherwise
it will fail over to NTLM.

Alternately, you can call LogonUser (see SDK docs of
WindowsImpersonationContext for sample) and impersonate or potentially
configure the ASP.NET identity element to impersonate a specific identity.
However, I'd stay away from both of those if possible as you then need to
store the credentials of the identity yourself instead of letting IIS do it
in the metabase.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<bob> wrote in message news:20061113163952rlalley1@xxxxxxxxxxxx
I'm on a network system that has some pretty strict policies that I can
not change. My criteria is to use forms login for extranet users, against
a sql server database and impersonate an account that is on an intranet
Active Directory.

Saying it a different way, I need to impersonate an intranet Active
directory account that must be authenticated using Kerberos
authentication.

I'm stuck at this point trying to figure out how to programmatically
impersonate the account that will be used to access the sql server. It
will only allow windows authentication, our system uses LDAP windows auth,
that runs through a kerberos portal.

*sigh* The only thing I can think of is to programmatically log in the
intranet account, get the authentication ticket assign that ticket to the
user, then using the login name and password they provided check the
database and determine authorization from there. Is there another way, am
I missing something? If I'm not missing something where can I get the
information that I need?
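For readers who end up on Joe's second option, here is an added example (not code from either poster) of the LogonUser / WindowsImpersonationContext pattern he refers to, written against .NET 2.0 era APIs. The domain, account name, password, connection string and query are placeholders; in a real deployment the credentials would come from protected configuration (or, as Joe recommends, be avoided entirely by running the app pool as the domain account).

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: obtain a Windows token for a fixed AD service account with
// LogonUser, impersonate it only for the duration of one SQL call that uses
// Integrated Security, then undo the impersonation and close the token.
public static class ImpersonatedSqlAccess
{
    // Win32 logon type/provider constants (documented values for LogonUser).
    // NETWORK_CLEARTEXT yields a token that can authenticate to a remote
    // server such as SQL Server; plain NETWORK (3) would not carry the
    // credentials needed for the second hop.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Runs a scalar query against SQL Server as the given domain account.
    // All parameters are supplied by the caller; nothing is hard-coded here.
    public static object ExecuteScalarAs(
        string domain, string userName, string password,
        string connectionString, string sql)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
                       out token))
        {
            // Surfaces the real reason (bad password, account locked, ...)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // WindowsIdentity duplicates the token, so the original can be
            // closed in the finally block regardless of what happens below.
            WindowsIdentity identity = new WindowsIdentity(token);

            // Impersonate() switches the thread identity; Dispose() calls Undo(),
            // so the 'using' guarantees the thread is restored even on exception.
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // The connection must be opened INSIDE the impersonated block:
                // with Integrated Security=SSPI, SqlClient presents whatever
                // Windows identity the thread has at Open() time.
                using (SqlConnection conn = new SqlConnection(connectionString))
                using (SqlCommand cmd = new SqlCommand(sql, conn))
                {
                    conn.Open();
                    return cmd.ExecuteScalar();
                }
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Placeholder usage (values are not real):
//   object who = ImpersonatedSqlAccess.ExecuteScalarAs(
//       "CORP", "svc-extranet-db", "<password from protected config>",
//       "Data Source=SQL01;Initial Catalog=Extranet;Integrated Security=SSPI",
//       "SELECT SUSER_SNAME()");
// SUSER_SNAME() should come back as CORP\svc-extranet-db if the impersonation
// and the SPN for the SQL service account are both in order.
```

Two things to check when this fails: the account running the app pool needs the "Act as part of the operating system" privilege only on Windows 2000, not on 2003 and later; and if the query hits a remote SQL Server, Kerberos still needs a correct SPN on the SQL service account, otherwise the call silently drops to NTLM, exactly as Joe describes for the app pool approach. The declarative equivalent is the `<identity impersonate="true" userName="..." password="..."/>` element in web.config, which carries the same drawback Joe notes: the credentials now live in your configuration rather than in the IIS metabase.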
