Re: Windows authentication

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/16/05


Date: Mon, 16 May 2005 09:13:48 -0500

You are probably running into what's known as a double-hop issue, where your
credentials will not hop to 2 different machines. In the example where it
works, the credentials go from the web server to the DC, whereas in the
second example, the credentials go from the browser machine to the web
server to the DC. The second hop will only work if Kerberos delegation is
configured and enabled.

There are plenty of references and articles online about Kerberos
delegation.

The other alternative is to try supplying credentials (username and password)
to your DirectoryEntry. However, the WinNT provider is notorious for not
working well with supplied credentials, so you would probably be better off
using LDAP (if it is an AD domain).

Joe K.
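As an added example (not code from this thread), the LDAP-provider alternative Joe describes: a fixed, least-privilege service account binds to AD, so the web server never has to forward the browser user's token and the second hop disappears. The LDAP path, the service account, the group and user names, and the EscapeFilter helper are all assumptions for the illustration.

```csharp
// Added example, not from the thread: the LDAP alternative Joe describes.
// A fixed, least-privilege service account binds to AD, so the web server never
// needs to forward the browser user's token (no second hop). Assumed: the LDAP
// path and the service account are read from protected configuration, never
// hard-coded in source.
using System;
using System.DirectoryServices;

public static class GroupMembership
{
    // True if userName (sAMAccountName) is a direct member of groupName
    // (sAMAccountName). memberOf does not list nested groups or the user's
    // primary group (usually Domain Users); treat those cases separately.
    public static bool IsDirectMember(string ldapPath, string serviceUser,
        string servicePassword, string groupName, string userName)
    {
        // Secure: Kerberos/NTLM bind instead of a plaintext simple bind.
        // Sealing: the LDAP traffic itself is encrypted as well.
        AuthenticationTypes auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, serviceUser, servicePassword, auth))
        {
            string groupDn = FindDn(root,
                "(&(objectCategory=group)(sAMAccountName=" + EscapeFilter(groupName) + "))");
            if (groupDn == null)
                return false;

            // One query: a person with this sAMAccountName whose memberOf holds the group DN.
            string userFilter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(userName)
                              + ")(memberOf=" + EscapeFilter(groupDn) + "))";
            return FindDn(root, userFilter) != null;
        }
    }

    // Returns the distinguishedName of the first object matching the filter, or null.
    static string FindDn(DirectoryEntry root, string filter)
    {
        string[] props = new string[] { "distinguishedName" };
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, props))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["distinguishedName"].Count == 0)
                return null;
            return (string)result.Properties["distinguishedName"][0];
        }
    }

    // RFC 4515 escaping so a caller-supplied name cannot change the filter's meaning.
    static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Because the bind uses the service account rather than the impersonated caller, this works whether the request comes from Visual Studio's local web server or from another machine on the network.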

"tbain" <tbain@discussions.microsoft.com> wrote in message
news:50973729-F34E-4819-BA0A-4E1E864355D3@microsoft.com...
> I am experiencing a permissions error in a .NET web application trying to
> find if the user exists in a Domain Group. I am using C#. The web site is
> configured to use Windows Authentication.
>
> web.config:
> <identity impersonate="true"/>
> <authentication mode="Windows" />
> and
> <authorization>
> <deny users="?" />
> <allow roles="MYDOMAIN\MYGROUP" />
> <deny users="*" />
> </authorization>
>
> The code works fine when I run it via the studio (2003) on my local
> machine's web server (Windows XP SP2). But if I try to access it via Internet
> Explorer directly by typing in the local web site URL using my machine's IP,
> from my machine or another on the network, the application throws an "Access
> is denied" exception. The web site is configured for Windows authentication
> only. I presume the error is because it runs at an elevated security level
> when invoking from the studio. I am an administrator on the machine. The
> exception occurs on "de.Invoke("Members");". The exception details follow the
> code snippet below:
>
> // Requires System.Collections (IEnumerable) and System.DirectoryServices.
> private bool UserIdExistsInNT4Group()
> {
>     // No credentials are supplied, so the bind uses the impersonated caller's token.
>     DirectoryEntry de = new DirectoryEntry();
>
>     de.Path = @"WinNT://MYDOMAIN/MYGROUP,group";
>
>     // The bind happens here; this is the line that throws "Access is denied".
>     object oRet = de.Invoke("Members");
>     IEnumerable users = (IEnumerable) oRet;
>     foreach(object user in users)
>     {
>         DirectoryEntry det = new DirectoryEntry(user);
>         // Turn "WinNT://MYDOMAIN/user" into "MYDOMAIN\user" for comparison.
>         string tuserid = det.Path;
>         tuserid = tuserid.Replace("WinNT://", "");
>         tuserid = tuserid.Replace("/", "\\");
>         _log.Debug(tuserid);
>         if (tuserid.ToUpper() == this.UserId.ToUpper())
>         {
>             return true;
>         }
>     }
>     return false;
> }
>
> Exception Details
>
> Source:System.DirectoryServices
> Message:Access is denied
> Stack Trace:
> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> at System.DirectoryServices.DirectoryEntry.Bind()
> at System.DirectoryServices.DirectoryEntry.get_NativeObject()
> at System.DirectoryServices.DirectoryEntry.Invoke(String methodName,
> Object[] args)
> at CMSBusiness.Staff.UserIdExistsInNT4Group()
> in C:\CMS\Projects\CMSBusiness\Staff.cs:line 251
> at CMSBusiness.Staff.Save(Int32 userStaffId)
> in C:\CMS\Projects\CMSBusiness\Staff.cs:line 232
> at CMSUIPlumbing.Controllers.CStaffController.DoButton(ButtonTypes bt,
> Int32 iEntityId)
> in c:\cms\projects\cmsuiplumbing\controllers\cstaffcontroller.cs:line 113
>
> I've found all kinds of coding references on how to do this but nothing on
> how to configure for it. "filemon" and "regmon" are not giving me any clues
> either. Does anybody have any ideas of what I'm missing? I am a member of the
> group and the group has access to the web site folder. I'm thinking it is
> something on the network that I don't have permission to unless I'm running
> from the studio, which doesn't make much sense to me. Thanks for your time.
>
> --
> Thom