Re: CAS newbie
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 13:48:06 -0600
I can address the S.DS issue. I'm not sure why exactly the CAS stuff is
causing you problems here. It appears that you may need to assert more than
the directory services permission in your code to do what you want, as the
permission demand that is failing is for EnvironmentPermission, which is not
what you said you asserted.

The issue with the credentials for the DirectoryServices call has to do with
the security context under which the current thread is executing. Depending
on how SSRS is configured, it is either running as the process identity or
an impersonated identity of the currently authenticated Windows users in the
application. You can determine this by looking at the value of
System.Security.Principal.WindowsIdentity.GetCurrent().Name before you
create the DirectoryEntry.

If you are impersonating, then you will likely need to implement Kerberos
delegation to get this to work, as users authenticated via Windows
Integrated Authentication in IIS cannot have their credentials used to
access a remote resource by an intermediate service unless that service has
rights to delegate.

If you aren't impersonating, then app pool identity will be used. This is
likely the Network Service account, which will use the machine account in
the domain to access the directory when using the network. It should have
rights to query the directory, so that should work, although you may need to
add a domain name to your binding string to get it to determine what domain
to use. That might look like LDAP://domain.com/RootDSE.

I'm guessing you are impersonating here, so I'd explore that option first.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Supriya" <Supriya@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:22C0A989-2917-473E-A792-1EC70338ED96@xxxxxxxxxxxxxxxx

Hi,

I am facing a problem of failure to assert unrestricted permissions for a
resource from asp.net.

The scenario is like this:
I have a custom assembly which connects to windows active directory using
.Net Directory Services. I plug this into reporting services and create a
code group to give full trust permissions to that dll. This works in our QA
environment but not in production.

I get an LDAP error, "An operations error occured" in production when I bind
the LDAP connection with the default identity that is running the report
manager.

DirectoryEntry _RootDSE = new DirectoryEntry("LDAP://RootDSE");

Now if I give a specific username and password with which to bind the
connection,

DirectoryEntry _RootDSE = new DirectoryEntry("LDAP://RootDSE", _username, _password);

I get the following code access security exception at the point in code
where I assert unrestricted permissions to DirectoryServices:

"Request for the permission of type
System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed."

Now I need to achieve one of two things. Either I get enough permissions for
the default context so that it can bind to Ldap or I give sufficient rights
to assembly such that the perm.Assert() command does not fail.

I'm swimming in new waters here. I'd appreciate any help.

Thanks a million,
Supriya
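
The checks suggested in the reply above, combined into one diagnostic routine. This is an added example, not code from either poster: the class name DirectoryProbe, the method Probe and its domain parameter are hypothetical, and it assumes the assembly is granted full trust (including the right to assert), as the original post describes. That EnvironmentPermission is the only extra demand on this call path is also an assumption.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

public class DirectoryProbe // hypothetical name, for illustration only
{
    // domain: DNS name placed in the binding string, e.g. "domain.com".
    public static string Probe(string domain)
    {
        // A stack frame can hold only one active Assert, so every permission
        // the call path may demand goes into a single PermissionSet:
        // DirectoryServices (asserted in the original code), Environment (the
        // demand that failed) and ControlPrincipal (WindowsIdentity.GetCurrent).
        PermissionSet perms = new PermissionSet(PermissionState.None);
        perms.AddPermission(new DirectoryServicesPermission(PermissionState.Unrestricted));
        perms.AddPermission(new EnvironmentPermission(PermissionState.Unrestricted));
        perms.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlPrincipal));

        string who = "(not read)";
        // Assert stops the stack walk here, so the partially trusted caller
        // (the report expression host) is not checked for these permissions.
        perms.Assert();
        try
        {
            // Process identity or impersonated user? This is the account AD sees.
            who = WindowsIdentity.GetCurrent().Name;
            string path = "LDAP://" + domain + "/RootDSE";
            using (DirectoryEntry rootDse = new DirectoryEntry(path))
            {
                // Reading a property forces the actual bind.
                object nc = rootDse.Properties["defaultNamingContext"].Value;
                return "identity=" + who + "; defaultNamingContext=" + nc;
            }
        }
        catch (COMException ex)
        {
            // Keep the identity next to the error so the two can be correlated.
            return "identity=" + who + "; bind failed 0x" + ex.ErrorCode.ToString("X8") + ": " + ex.Message;
        }
        finally
        {
            // Drop the assertion as soon as the privileged work is done.
            CodeAccessPermission.RevertAssert();
        }
    }
}
```

Once the failing demand is confirmed, the unrestricted EnvironmentPermission can be narrowed to the specific variables that are actually read.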