Re: AD Login failure when using ActiveDirectoryMembershipProvider
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Feb 2007 15:40:21 -0600
If you want to use a fixed domain account, you can. I'd just suggest
setting the app pool identity instead of using the anonymous account with
impersonation. For WinXP development, change the processModel tag in
machine.config. I realize that is less flexible, but it gives you a better
simulation of how production will behave. The alternative is to dev on 2003
server (which is what a lot of us have ended up doing).
The trick you need to be aware of with using a fixed domain account for the
process account is that it can complicate how things work with Kerberos
authentication. Essentially, you need to manually set the appropriate
service principal name values on the account in AD for the service account
to do Kerberos authentication properly (assuming you need Kerberos
authentication, but it is always a good idea to use it if possible).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:B01C48CD-81BD-40D9-95A3-53C33AE95342@xxxxxxxxxxxxxxxx
One other reason I just thought of for using the fixed domain account...
It makes it more consistent when testing on the development workstations,
which are WinXP Pro. We can just set the domain account to be the anonymous
account and enable impersonation.
"Joe Kaplan" wrote:
I agree with Dominick. Use the app pool identity and create separate app
pools for each app if you need different credentials.
Also, in many cases you don't need to use a fixed domain account for the app
pool since the app pool runs as network service by default. Network service
IS a domain account when accessing resources on the network (the machine's
domain account), so this is often all you need.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:0EFE846A-CDC4-475A-BC84-C217B8A02DD3@xxxxxxxxxxxxxxxx
Let me correct my previous statement.
That IS how we configure machines at the client site, and have been
configuring them for over a year.
Perhaps it is not how we SHOULD be configuring them, but that's a different
issue.
"Dominick Baier" wrote:
No - that's not how you would configure an IIS6 -
you would configure the app pool to run as a domain account and use no
impersonation.
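
The SPN requirement Joe Kaplan describes above, as an added example that is not part of the original thread: a PowerShell check that a fixed domain account used as the app pool identity holds the HTTP SPNs for the site and that no other account holds them. The account name, the host names and the use of `setspn -A` for the fix are assumptions, not values from the thread.

```powershell
# Constructed sample values: replace with your own account and host names.
$ServiceAccount = 'svc-webapp'                       # sAMAccountName of the app pool identity (hypothetical)
$HostNames      = 'web01', 'web01.corp.example.com'  # every name clients use to reach the site (hypothetical)

# Kerberos clients request a ticket for HTTP/<host>, so each name needs an SPN
# registered on the account the worker process runs as.
$required = $HostNames | ForEach-Object { "HTTP/$_" }

# Look up the service account in the current domain and read its SPN values.
$account = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$ServiceAccount))").FindOne()
if (-not $account) { throw "Account '$ServiceAccount' not found in the current domain." }
$registered = @($account.Properties['serviceprincipalname'])

foreach ($spn in $required) {
    # An SPN must map to exactly one account; find every object that holds it.
    $owners = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    $others = @($owners | Where-Object { $_ -ne $ServiceAccount })
    if ($others.Count -gt 0) {
        # Duplicate registrations make ticket requests for this SPN fail.
        Write-Warning "$spn is also registered on: $($others -join ', ')"
    }
    elseif ($registered -contains $spn) {
        Write-Output "OK       $spn"
    }
    else {
        # Print the fix instead of applying it; writing SPNs needs directory rights.
        Write-Output "MISSING  $spn   fix: setspn -A $spn $ServiceAccount"
    }
}
```

The search covers only the current domain; in a multi-domain forest, a duplicate in another domain would need a global catalog query to find.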