Re: AD Login failure when using ActiveDirectoryMembershipProvider
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Feb 2007 23:28:31 +0000 (UTC)
I actually experienced better performance with W2K3 than XP on the same machine (also a laptop).
I've been running W2K3 for 2 years on my 1.8 GHz Thinkpad - still rocks!
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Earlier today I tried changing one of my Win2003 test servers to
disable impersonation and use the app pool identity (with a fixed
domain account). We are already putting our apps into their own pool,
so this actually simplifies configuring the server (we don't have to
muck with the anonymous user settings or the web.config file). That
will be my recommendation to the powers that be for future deployment.
I am going to mention using Win2003 as our development platform, but I
don't think it'll go very far, so I need to plan for that. I suspect
cost will be an issue. I'm personally a little leery of the idea
because our 'development workstations' are 1.7 GHz laptops with 1 GB
of memory, and they need to run PointSec (a hard drive encryption
layer). As it is they are pretty slow, so I'd be concerned about
trying to run the beefier OS on them. I dunno, maybe Win2003's
resource requirements aren't that much more than XP's. Any feedback on
that?
"Joe Kaplan" wrote:
If you want to use a fixed domain account, you can. I'd just suggest
setting the app pool identity instead of using the anonymous account
with impersonation. For WinXP development, change the processModel
tag in machine.config. I realize that is less flexible, but it gives
you a better simulation of how production will behave. The
alternative is to dev on 2003 server (which is what a lot of us have
ended up doing).
The trick you need to be aware of with using a fixed domain account
for the process account is that it can complicate how things work
with Kerberos authentication. Essentially, you need to manually set
the appropriate service principal name values on the account in AD
for the service account to do Kerberos authentication properly
(assuming you need Kerberos authentication, but it is always a good
idea to use it if possible).