Re: AD Login failure when using ActiveDirectoryMembershipProvider



You are correct. The DirectoryEntry code just uses the current security
context. The provider uses DirectoryEntry as well, but they have code that
actually reverts back to the process identity before doing the directory
access.

AD can tell you what happened when the logon failed, but the problem with it
is usually that you don't have any access to the domain controllers if you
are a developer unless this is a test lab, so it makes it much harder. A
network sniffer is very helpful, although they are so low level that it can
take a fair bit of practice to figure out what you are looking at.

The way I figured this out was by using .NET Reflector to reverse compile
the assembly for the provider and looking at the source code. :)

I agree that Windows security can be painful. At least the newsgroups don't
suck when you have questions. :) I've been putting off learning about the
AD membership provider for a while as I haven't needed it in my own work so
far and we never got to it in our book, so the education is useful for me.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:8D6F5F3B-548B-4FBE-A985-7EF9112AED5B@xxxxxxxxxxxxxxxx
That would explain it.

This is one reason I always have trouble with security-related items. If
I've got an app that's misbehaving when it makes database queries I can
always fire up Profiler and see what the heck it's doing when it connects
to the SQL Server.

Is there any sort of similar tool so that I can monitor what identity my
app is exposing when it makes resource requests?

It would also explain why the following, running in the same
configuration, works just fine (and was adding to my confusion):

    DirectoryEntry entry =
        new DirectoryEntry( "myconnectstring", null, null,
                            AuthenticationTypes.Secure );

There probably is no 'magic' going on behind the scenes that is disabling
the impersonation.
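
An added diagnostic example, not part of the original thread and not the provider's own code: it reports which Windows identity the thread holds at the moment a DirectoryEntry binds with null credentials, first as-is and then after temporarily reverting to the process identity. It assumes .NET Framework; the class name IdentityProbe and the LDAP path are hypothetical placeholders, and WindowsIdentity.Impersonate(IntPtr.Zero) is used here as one way to revert, not necessarily the call the provider makes.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added diagnostic sketch; IdentityProbe is a hypothetical name, not a framework type.
public static class IdentityProbe
{
    // Name, impersonation level and auth package of the token the thread is using now.
    public static string Describe()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} (level={1}, auth={2})",
                id.Name, id.ImpersonationLevel, id.AuthenticationType);
        }
    }

    // Bind with null credentials (current security context) and report the outcome.
    public static string TryBind(string ldapPath)
    {
        string who = Describe();
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                       ldapPath, null, null, AuthenticationTypes.Secure))
            {
                object native = entry.NativeObject; // touching NativeObject forces the bind
                return who + " -> bind OK";
            }
        }
        catch (Exception ex)
        {
            return who + " -> bind failed: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Constructed placeholder path; substitute your own connection string.
        const string path = "LDAP://dc.example.test/DC=example,DC=test";

        // 1. Identity the thread has now (the impersonated caller when impersonation is on).
        Console.WriteLine("thread identity : " + TryBind(path));

        // 2. Drop impersonation for the duration of the using block, then bind again.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            Console.WriteLine("process identity: " + TryBind(path));
        } // disposing the context restores the impersonated identity
    }
}
```

Run as a console program both lines show the same account; the difference appears when TryBind is called from a request in an ASP.NET application that has impersonation enabled.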

"Joe Kaplan" wrote:


