Re: AD queries. Please, prove me wrong...
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Jan 2008 09:09:41 -0600
Yes, you can do this. If you want to impersonate the authenticated user
from IIS and use those credentials to query AD, then you must configure
Kerberos delegation in AD to allow the web app to have the rights to
delegate the user's credentials to AD. Since you are using a Win2K web
server, you cannot use protocol transition (Kerberos S4U), so that also
means that you must ensure that you use IWA auth in IIS and ensure that IWA
is using the Kerberos protocol to authenticate the browser user, not NTLM.
This type of scenario is much easier to get working in IIS 6 than IIS 5, but
it can be made to work on Win2K if you are stuck with that as your web
server platform. There are many documents on MS support, MSDN and TechNet
that explain how to configure Kerberos delegation in a web application and
there are also good troubleshooting guides available. It takes a while to
learn all the details that are required to understand how to configure and
troubleshoot this, but it can be done.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
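The following is an added example, not code from Joe's reply or from the original post. It is a diagnostic ASP.NET 2.0 page code-behind for the scenario Joe describes: it reads the impersonated request identity and confirms the two things his answer says must hold (the browser was authenticated with Kerberos, not NTLM, and the token is at Delegation level rather than Impersonation) before binding to AD with no explicit username or password. It assumes web.config has authentication mode "Windows" and identity impersonate="true", IIS is set to Integrated Windows authentication, and the IIS host or its worker process account has been trusted for delegation in AD (on Windows 2000 that is the unconstrained "Trust this computer for delegation" setting; constrained delegation and S4U came with Windows Server 2003). The page name "WhoAmI" and the helper EscapeLdapFilter are my own, not from the thread.

```csharp
// Added example (not from the original thread). Diagnostic page for the
// Kerberos delegation scenario: check the impersonated token, then query AD
// under the browser user's identity with no hard-coded credentials.
// Assumes <authentication mode="Windows"/> and <identity impersonate="true"/>
// in web.config and Integrated Windows authentication in IIS. Page name is arbitrary.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web.UI;

public class WhoAmI : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Under impersonation this is the browser user, not the ASPNET / worker process account.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Response.Write("Name:               " + id.Name + "\r\n");
        // Must read "Kerberos". "NTLM" means there is no ticket that can be forwarded to the DC.
        Response.Write("AuthenticationType: " + id.AuthenticationType + "\r\n");
        // Must read "Delegation". "Impersonation" only lets the server use the token locally.
        Response.Write("ImpersonationLevel: " + id.ImpersonationLevel + "\r\n");

        bool kerberos = string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase);
        bool delegable = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        if (!kerberos || !delegable)
        {
            Response.Write("Token cannot be delegated to AD; fix SPN/delegation settings before querying.\r\n");
            return;
        }

        // No username or password: ADSI binds with the calling thread's (impersonated) token.
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + defaultNc))
            using (DirectorySearcher searcher = new DirectorySearcher(domain))
            {
                // DOMAIN\user -> user; if there is no backslash the whole name is kept.
                string sam = id.Name.Substring(id.Name.IndexOf('\\') + 1);
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeLdapFilter(sam) + "))";
                searcher.PropertiesToLoad.Add("distinguishedName");
                searcher.PropertiesToLoad.Add("memberOf");

                SearchResult hit = searcher.FindOne();
                if (hit == null)
                {
                    Response.Write("No user object found for " + sam + "\r\n");
                    return;
                }
                Response.Write("DN: " + hit.Properties["distinguishedName"][0] + "\r\n");
                foreach (object group in hit.Properties["memberOf"])
                    Response.Write("memberOf: " + group + "\r\n");
            }
        }
    }

    // RFC 4515 escaping so a value taken from the request cannot alter the filter.
    static string EscapeLdapFilter(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

If the page reports "NTLM" or "Impersonation", the bind further down would either fail or run as the anonymous/machine identity rather than the browser user, which is the symptom described in the question; the usual causes are a missing HTTP SPN for the host name the browser uses, or the IIS account not being trusted for delegation.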
"JKruza" <JKruza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:796AE179-A255-4796-A61C-89CB41BC2D2C@xxxxxxxxxxxxxxxx
Hello!
I have an intranet web app in ASP.NET 2.0. IIS is set to require "Windows
Integrated" or "Digest against AD" authentication. ASP.NET auth mode is
"Windows", impersonation is set to true.
Up to this moment everything works just fine.
The problem is that I can't query AD in any way without providing user
credentials.
I tried both direct LDAP queries through DirectoryEntry and
ActiveDirectoryMembership; in every case a username and password were
required.
I simply can't find any info or example not using credentials...
Additional info:
Server: Windows Server 2000 with IIS and ASP.NET
The user I'm impersonating is a domain user and belongs to the "Administrators"
group on this server. (The target is to authenticate and impersonate any domain
user...)
Code security trust level is "Full".
Launching a console or Windows app reusing the same code on this server works
fine without providing credentials.
Because of the company policy I can't hardcode (or put in config)
credentials of any domain user... :(
Again: Is it possible to query AD through LDAP without providing
credentials from an ASP.NET 2.0 app? I'm starting to doubt it...
Thanks in advance,
JK