Re: CAS newbie



It really depends on what you are trying to do. First, CAS is not my
specialty, so take what I say with a grain of salt.

In general, it is hard to use S.DS without full trust. In .NET 1.1, the
assembly that calls S.DS at a minimum must have full trust because S.DS does
not allow partially trusted callers at all. In .NET 2.0, this restriction
is lifted. However, the other problem is that the DirectoryPermission is
not part of any of the default permission sets, so you always have to
customize something to use S.DS under partial trust.

Generally, the easiest way to delegate rights to a specific assembly is with
a URL membership condition pointing to the file system. However, strong
name membership conditions are easier to manage, so signing your assembly
with a strong name key and then building the permission set based on that is
probably the way to go from a CAS perspective. You'll also need to Assert
the DirectoryPermission and all of the other permissions that will be
demanded in order to prevent a stack walk back into the rest of the code.

All in all, it is pretty complicated. I try to stick with full trust for
Directory Services. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Supriya" <Supriya@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01D87D7B-47C0-4128-95E3-F753A42374FB@xxxxxxxxxxxxxxxx
Thanks again, Joe. I'll go thru' this in the morning.
Have 2 last questions:
1. Does it help to set trust levels of an assembly to full trust using
.Net framework 1.1 wizard, and
2. Does it make a difference to sign the assembly. Are permissions for
signed assemblies less restrictive? My assembly in production wasn't
signed.

Thanks
Supriya

"Joe Kaplan" wrote:

There is a bunch of stuff on this on TechNet. Here's one link:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

There have also been some good MSDN magazine articles on configuring
Kerberos delegation.

Give it a shot and post back if you get stuck. It can be a little painful
and difficult to troubleshoot.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
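
Added example, not part of the original thread and not Joe Kaplan's code: a minimal .NET 2.0 sketch of the wrapper pattern described in the reply above, where a strong-named assembly asserts the directory permission (the class in System.DirectoryServices is DirectoryServicesPermission) so the stack walk stops before reaching partially trusted callers. Assumptions: the class name, method name and LDAP path are hypothetical, and CAS policy already grants this assembly the asserted permissions plus the right to assert.

```csharp
using System;
using System.DirectoryServices;
using System.Security;
using System.Security.Permissions;
using System.Text;

// Only meaningful on a strong-named assembly; lets partially trusted code call in.
[assembly: AllowPartiallyTrustedCallers]

public static class DirectoryLookup // hypothetical wrapper, not from the thread
{
    // Hypothetical container; the assert below is scoped to this path only.
    private const string Root = "LDAP://OU=Staff,DC=example,DC=com";

    public static string GetDisplayName(string samAccountName)
    {
        if (string.IsNullOrEmpty(samAccountName))
            throw new ArgumentException("account name required", "samAccountName");
        // Callers are untrusted: escape filter metacharacters (RFC 4515)
        // before asserting, so input cannot widen the query.
        string filter = "(&(objectClass=user)(sAMAccountName="
            + EscapeFilter(samAccountName) + "))";

        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new DirectoryServicesPermission(
            DirectoryServicesPermissionAccess.Browse, Root));
        // Assumption: add here any other permission your S.DS calls demand.
        needed.Assert(); // the stack walk stops at this frame
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(Root))
            using (DirectorySearcher searcher = new DirectorySearcher(
                root, filter, new string[] { "displayName" }))
            {
                SearchResult hit = searcher.FindOne();
                if (hit == null || hit.Properties["displayName"].Count == 0) return null;
                return (string)hit.Properties["displayName"][0];
            }
        }
        finally { CodeAccessPermission.RevertAssert(); } // never leave the assert active
    }

    private static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value) // \ * ( ) NUL become \5c \2a \28 \29 \00
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }
}
```

Keeping the asserted set to one access level on one path, and reverting it in `finally`, limits what a partially trusted caller can reach through the wrapper.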

