Re: Delegate user credentials (double-hop issue)

From: Paul Glavich [MVP - ASP.NET] (glav_at_aspalliance.com-NOSPAM)
Date: 06/16/04

Next message: Frank J: "best practice for role-based security"
Previous message: Chris: "Re: RijndaelManaged and Rijndael CryptoTransforms do not support CFB or OFB CrytoModes"
In reply to: morosan liviu via .NET 247: "Delegate user credentials (double-hop issue)"
Next in thread: Rob Teixeira [MVP]: "Re: Delegate user credentials (double-hop issue)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 16 Jun 2004 23:11:01 +1000

I am not too familiar with the sample you mentioned but the process identity
is what you should check, not the thread identity. So
WindowsIdentity.GetCurrent().Name is what you should be looking at. So it
looks like its not actually impersonating in the first place. How are you
performing the impersonation?

-- 
- Paul Glavich
Microsoft MVP - ASP.NET
"morosan liviu via .NET 247" <anonymous@dotnet247.com> wrote in message
news:OLYwqIiUEHA.3332@tk2msftngp13.phx.gbl...
Hi,everyone!
I tried to use the Net security library from "Microsoft Remoting
Security..." sample in order to solve the double-hop problem.I want to
access a database server(situated on computer C) from a windows service
running under Local system account(on computer B) using the credentials of a
client logged on computer A.
When I impersonate the user inside windows service (on comp. B) even if
Thread.CurrentPrincipal.Identity.Name return me the name of the Client
logged on computer A .the connection to the RDB give me the "Logging failed
for user NT_AUTHORITY\SYSTEM".
In Active Directory I have:
Account is sensitive and cannot be delegated? not checked for Comp A (but
?Account is trusted for delegation' is checked);
and for comp B the checkbox "Trusted for delegation" checked.
Could be a problem of Active Directory?
All computer are running under AD domain.(win 2k server)
Thanks Liviu
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
<Id>k1j8Wl3fnk2sHg2O+WEVAg==</Id>

Next message: Frank J: "best practice for role-based security"
Previous message: Chris: "Re: RijndaelManaged and Rijndael CryptoTransforms do not support CFB or OFB CrytoModes"
In reply to: morosan liviu via .NET 247: "Delegate user credentials (double-hop issue)"
Next in thread: Rob Teixeira [MVP]: "Re: Delegate user credentials (double-hop issue)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: run ASP pscript as a different user in IIS6
... The "Identities" tab only changes process identity, while ASP requests all ... delegation if you use Integrated/Digest with AD. ...
(microsoft.public.inetserver.iis)
Re: DirectoryServices.AccountManagement
... impersonated user identity, if the current thread is impersonating, else, it ... will hold the process identity. ... In case of IIS and ASP.NET, this will be the user identity of the "base" ... "Authentication and Authorization" ...
(microsoft.public.dotnet.languages.csharp)
Re: Getting the currently logged in user
... Above will return the current process identity or the impersonating identity, however, it will not return the identity of the logon session when the process runs in different account. ... Logon as BOB ...
(microsoft.public.dotnet.languages.csharp)
Re: Worker process on Windows 2003 Server
... You also need to make sure you aren't impersonating in ASP.NET. ... impersonating, then the login failure is the logged in users, not the ... process identity. ... > Network service is machine local. ...
(microsoft.public.dotnet.security)