Re: Problem establishing SSL connection in code-behind



On Jan 5, 11:24 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
If you just want to use the AD membership provider for authentication, your
service account only needs read access to AD. The highly privileged account
is needed if you want to use any of the provisioning features of the
provider for creating users and such. It is possible to allow the process
account to make the connection (assuming you have a domain member web server
and are running the app pool under a domain account or network service).
I'd seriously look at that.

It is also possible to authenticate users against AD directly without using
the membership provider and without using a service account at all. You can
just call the LogonUser API for instance. Doing something like this would
be much cleaner than what you are trying to do.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--

Indeed we don't need to create any AD user at all. So, I guess we
could try asking for an account that can have read access to the AD.

The web application is going to be run in an Intranet on a domain, and
right now, the web application runs under the ASPNET account.

The Win32 LogonUser API is completely new to me. I just checked the
documentation at http://msdn2.microsoft.com/en-us/library/aa378184.aspx
and I am not sure if I understand it, but it seems to say that "You
cannot use LogonUser to log on to a remote computer." Isn't this
gonna be an issue for my situation?
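As an added illustration of the LogonUser route Joe describes (this is example code written for this page, not code from either poster): the "cannot log on to a remote computer" sentence in the documentation means the logon session is always created on the machine that calls LogonUser; it does not stop a domain-joined web server from validating domain credentials, because the local LSA forwards the check to a domain controller over Kerberos or NTLM. The class name, method name and the sample domain/user values below are assumptions for the example. LOGON32_LOGON_NETWORK is used rather than an interactive logon so the caller needs no "Allow log on locally" right on the server and no credentials are cached on it; on Windows XP / Server 2003 and later the calling process (here the ASPNET or Network Service account) needs no special privilege to call LogonUser.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: validate a user's domain credentials from an ASP.NET
// code-behind without a service account, by calling the Win32 LogonUser API.
// Names below (AdCredentialCheck, Validate, the sample values in Main) are
// assumptions for this example, not APIs from the thread.
public static class AdCredentialCheck
{
    // Constants from winbase.h.
    private const int LOGON32_LOGON_NETWORK = 3;      // credential check only; no interactive session
    private const int LOGON32_PROVIDER_DEFAULT = 0;   // let LSA pick Kerberos/NTLM

    // Well-known Win32 error codes worth mapping to a user-facing message.
    public const int ERROR_LOGON_FAILURE = 1326;       // bad user name or password
    public const int ERROR_ACCOUNT_RESTRICTION = 1327;
    public const int ERROR_PASSWORD_EXPIRED = 1330;
    public const int ERROR_ACCOUNT_DISABLED = 1331;
    public const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385;
    public const int ERROR_ACCOUNT_LOCKED_OUT = 1909;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Returns true when the domain accepted the credentials. On failure,
    // win32Error carries the LSA status so the caller can distinguish a
    // locked-out or expired account from a plain bad password.
    public static bool Validate(string domain, string userName, string password, out int win32Error)
    {
        win32Error = 0;
        IntPtr token = IntPtr.Zero;
        try
        {
            bool ok = LogonUser(userName, domain, password,
                                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
            if (!ok)
            {
                win32Error = Marshal.GetLastWin32Error();
            }
            return ok;
        }
        finally
        {
            // The token is a primary token for the user; we only wanted the
            // yes/no answer, so release it immediately rather than keep it
            // around for impersonation.
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
        }
    }

    // Maps the LSA status to a message that does not leak more than the
    // domain policy already exposes to an interactive logon.
    public static string Describe(int win32Error)
    {
        switch (win32Error)
        {
            case ERROR_LOGON_FAILURE:         return "Unknown user name or bad password.";
            case ERROR_ACCOUNT_LOCKED_OUT:    return "Account is locked out.";
            case ERROR_PASSWORD_EXPIRED:      return "Password has expired.";
            case ERROR_ACCOUNT_DISABLED:      return "Account is disabled.";
            case ERROR_ACCOUNT_RESTRICTION:   return "Account restriction (e.g. logon hours or workstation).";
            case ERROR_LOGON_TYPE_NOT_GRANTED: return "Network logon is not permitted for this account on this server.";
            default:                          return "Logon failed (Win32 error " + win32Error + ").";
        }
    }

    // Stand-alone usage; in ASP.NET this would be called from the Login
    // control's Authenticate event and the password never written to a log.
    public static void Main(string[] args)
    {
        string domain   = args.Length > 0 ? args[0] : "CORP";      // assumed sample value
        string user     = args.Length > 1 ? args[1] : "jdoe";      // assumed sample value
        string password = args.Length > 2 ? args[2] : "hunter2";   // assumed sample value

        int error;
        if (Validate(domain, user, password, out error))
            Console.WriteLine("Credentials accepted for {0}\\{1}.", domain, user);
        else
            Console.WriteLine("Rejected: {0}", Describe(error));
    }
}
```

Two practical caveats: the password is handed to the local LSA in process memory only, never sent in clear over the wire, but it is still in the web server's memory as a managed string, so do not keep it around after the call; and because the check is a real logon attempt, repeated failures count against the domain lockout policy, so a login page that calls this is an account-lockout vector unless you throttle attempts.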


