Re: CAS newbie
Thanks very much for your response, Joe.
The only thing that concerns me is that my assembly works on our integration
machine and fails only in production. The production web site is a two server
cluster. Would this affect security levels in any way?

Thanks again,
Supriya

"Joe Kaplan" wrote:

I can address the S.DS issue. I'm not sure why exactly the CAS stuff is
causing you problems here. It appears that you may need to assert more than
the directory services permission in your code to do what you want, as the
permission demand that is failing is for EnvironmentPermission, which is not
what you said you asserted.

The issue with the credentials for the DirectoryServices call has to do with
the security context under which the current thread is executing. Depending
on how SSRS is configured, it is either running as the process identity or
an impersonated identity of the currently authenticated Windows users in the
application. You can determine this by looking at the value of
System.Security.Principal.WindowsIdentity.GetCurrent().Name before you
create the DirectoryEntry.

If you are impersonating, then you will likely need to implement Kerberos
delegation to get this to work, as users authenticated via Windows
Integrated Authentication in IIS cannot have their credentials used to
access a remote resource by an intermediate service unless that service has
rights to delegate.

If you aren't impersonating, then app pool identity will be used. This is
likely the Network Service account, which will use the machine account in
the domain to access the directory when using the network. It should have
rights to query the directory, so that should work, although you may need to
add a domain name to your binding string to get it to determine what domain
to use. That might look like LDAP://domain.com/RootDSE.

I'm guessing you are impersonating here, so I'd explore that option first.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Supriya" <Supriya@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:22C0A989-2917-473E-A792-1EC70338ED96@xxxxxxxxxxxxxxxx
Hi,
I am facing a problem of failure to assert unrestricted permissions for a
resource from asp.net.
The scenario is like this:
I have a custom assembly which connects to Windows Active Directory using
.Net Directory Services. I plug this into Reporting Services and create a
code group to give full trust permissions to that dll. This works in our QA
environment but not in production.
I get an LDAP error, "An operations error occurred" in production when I bind
the LDAP connection with the default identity that is running the report
manager.

DirectoryEntry _RootDSE = new DirectoryEntry("LDAP://RootDSE");

Now if I give a specific username and password with which to bind the
connection,

DirectoryEntry _RootDSE = new DirectoryEntry("LDAP://RootDSE", _username,
_password);

I get the following code access security exception at the point in code
where I assert unrestricted permissions to DirectoryServices:

"Request for the permission of type
System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed."

Now I need to achieve one of two things. Either I get enough permissions for
the default context so that it can bind to LDAP or I give sufficient rights
to the assembly such that the perm.Assert() command does not fail.
I'm swimming in new waters here. I'd appreciate any help.
Thanks a million,
Supriya
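As an added example (not code from either post), here is how the two checks Joe describes can be put into the custom assembly: report the current Windows identity before binding, then bind to RootDSE with a domain-qualified path while asserting both the DirectoryServices permission and the EnvironmentPermission named in the failing demand. The class and method names are placeholders chosen here, and the domain name is whatever the caller passes in (Joe's "domain.com" is only illustrative).

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

// Added example, not code from either post. Assumes .NET 1.1-era APIs and a
// placeholder domain name (e.g. "domain.com") supplied by the caller.
public class RootDseProbe
{
    // Joe's first check: which Windows identity is the thread running as?
    // "NT AUTHORITY\NETWORK SERVICE" means the app pool identity; an end
    // user's account means IIS impersonation, which needs Kerberos delegation
    // before the directory on a remote DC can be reached.
    public static string DescribeCallerContext()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return String.Format("Name={0}; AuthType={1}", id.Name, id.AuthenticationType);
    }
    // Joe's second suggestion: a domain-qualified path tells the serverless
    // bind which domain to locate a DC in; null keeps the bare LDAP://RootDSE.
    public static string ReadDefaultNamingContext(string domain)
    {
        string path = domain == null ? "LDAP://RootDSE" : "LDAP://" + domain + "/RootDSE";
        // Assert both permissions the code needs; the Assert itself only succeeds
        // if the assembly's code group actually grants them (the production gap).
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new DirectoryServicesPermission(PermissionState.Unrestricted));
        ps.AddPermission(new EnvironmentPermission(PermissionState.Unrestricted));
        ps.Assert();
        try
        {
            using (DirectoryEntry rootDse = new DirectoryEntry(path))
            {
                return (string)rootDse.Properties["defaultNamingContext"].Value;
            }
        }
        catch (COMException ex)
        {
            // "An operations error occurred" arrives here as HRESULT 0x80072020.
            return String.Format("Bind to {0} failed: 0x{1:X8} {2}", path, ex.ErrorCode, ex.Message);
        }
        finally
        {
            CodeAccessPermission.RevertAssert(); // never leave the Assert in place
        }
    }
}
```

Log the result of DescribeCallerContext() from the production box first: if it names an end user rather than the service account, the delegation path Joe suggests is the one to pursue before touching the CAS policy.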
