Re: Windows authentication

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/16/05


Date: Mon, 16 May 2005 09:13:48 -0500

You are probably running into what's known as a double-hop issue, where your
credentials will not hop to 2 different machines. In the example where it
works, the credentials go from the web server to the DC, whereas in the
second example, the credentials go from the browser machine to the web
server to the DC. The second hop will only work if Kerberos delegation is
configured and enabled.

There are plenty of references and articles online about Kerberos
delegation.

The other alternative is to try supplying credentials (username and password)
to your DirectoryEntry. However, the WinNT provider is notorious for not
working well with supplied credentials, so you would probably be better off
using LDAP (if it is an AD domain).

Joe K.

"tbain" <tbain@discussions.microsoft.com> wrote in message
news:50973729-F34E-4819-BA0A-4E1E864355D3@microsoft.com...
> I am experiencing a permissions error in a .NET web application trying to
> find if the user exists in a Domain Group. I am using C#. The web site is
> configured to use Windows Authentication.
>
> web.config:
> <identity impersonate="true"/>
> <authentication mode="Windows" />
> and
> <authorization>
> <deny users="?" />
> <allow roles="MYDOMAIN\MYGROUP" />
> <deny users="*" />
> </authorization>
>
> The code works fine when I run it via the studio (2003) on my local
> machine's web server (Windows XP SP2). But if I try to access it via Internet
> Explorer directly by typing in the local web site URL using my machine's IP,
> from my machine or another on the network, the application throws an "Access
> is denied" exception. The web site is configured for Windows authentication
> only. I presume the error is because it runs at an elevated security level
> when invoking from the studio. I am an administrator on the machine. The
> exception occurs on "de.Invoke("Members");". The exception details follow the
> code snippet below:
>
> // Requires: using System; using System.Collections; using System.DirectoryServices;
> // _log and this.UserId are members of the enclosing class (not shown here).
> private bool UserIdExistsInNT4Group()
> {
>     // No credentials are supplied, so the bind runs under the impersonated
>     // caller's token. DirectoryEntry holds a COM object; dispose it when done.
>     using (DirectoryEntry de = new DirectoryEntry(@"WinNT://MYDOMAIN/MYGROUP,group"))
>     {
>         // Late-bound call to IADsGroup.Members(); this is where the bind happens.
>         object oRet = de.Invoke("Members");
>         IEnumerable users = (IEnumerable) oRet;
>         foreach (object user in users)
>         {
>             using (DirectoryEntry det = new DirectoryEntry(user))
>             {
>                 // Member paths look like WinNT://MYDOMAIN/username; turn that
>                 // into MYDOMAIN\username so it matches the stored user id.
>                 string tuserid = det.Path.Replace("WinNT://", "").Replace("/", "\\");
>                 _log.Debug(tuserid);
>                 // Case-insensitive comparison (string.Compare works on .NET 1.1).
>                 if (string.Compare(tuserid, this.UserId, true) == 0)
>                 {
>                     return true;
>                 }
>             }
>         }
>     }
>     return false;
> }
>
> Exception Details
>
> Source:System.DirectoryServices
> Message:Access is denied
> Stack Trace:
> at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> at System.DirectoryServices.DirectoryEntry.Bind()
> at System.DirectoryServices.DirectoryEntry.get_NativeObject()
> at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
> at CMSBusiness.Staff.UserIdExistsInNT4Group()
> in C:\CMS\Projects\CMSBusiness\Staff.cs:line 251
> at CMSBusiness.Staff.Save(Int32 userStaffId)
> in C:\CMS\Projects\CMSBusiness\Staff.cs:line 232
> at CMSUIPlumbing.Controllers.CStaffController.DoButton(ButtonTypes bt,
> Int32 iEntityId)
> in c:\cms\projects\cmsuiplumbing\controllers\cstaffcontroller.cs:line 113
>
> I've found all kinds of coding references on how to do this but nothing on
> how to configure for it. "filemon" and "regmon" are not giving me any clues
> either. Does anybody have any ideas of what I'm missing? I am a member of the
> group and the group has access to the web site folder. I'm thinking it is
> something on the network that I don't have permission to unless I'm running
> from the studio, which doesn't make much sense to me. Thanks for your time.
>
> --
> Thom
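
The LDAP route with supplied credentials that the reply recommends, written out as an added example (this is not code from the thread or from either poster). It assumes an AD domain reachable at a hypothetical LDAP path, a hypothetical low-privilege service account whose password is read from protected configuration rather than hard-coded, and that a direct membership check is enough. Because the bind carries its own credentials, the web request's impersonated token is never used for the hop to the DC, so no Kerberos delegation is needed. The filter values are escaped per RFC 4515 so a user-supplied account name cannot rewrite the query.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not part of the original post. Names below are assumptions:
// "LDAP://DC=mydomain,DC=local", "MYDOMAIN\svc-webldap" and the password source.
public static class GroupCheck
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    // Without this, an account name such as "*)(objectClass=*" would widen the search.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // True if userSam (sAMAccountName, no domain prefix) is a direct member of groupSam.
    // The bind uses the supplied service-account credentials, not the impersonated
    // caller, so it works the same from Visual Studio and from a remote browser.
    public static bool IsDirectMember(string userSam, string groupSam,
                                      string ldapPath, string svcUser, string svcPassword)
    {
        using (DirectoryEntry root = new DirectoryEntry(ldapPath, svcUser, svcPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Step 1: resolve the group's distinguished name.
            searcher.Filter = "(&(objectCategory=group)(sAMAccountName="
                              + EscapeFilterValue(groupSam) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult group = searcher.FindOne();
            if (group == null)
            {
                return false; // unknown group: fail closed
            }
            string groupDn = (string) group.Properties["distinguishedName"][0];

            // Step 2: look for the user with that DN in memberOf. The DN is escaped
            // as a filter value too; a DN containing '(' or ')' is legal.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)"
                              + "(sAMAccountName=" + EscapeFilterValue(userSam) + ")"
                              + "(memberOf=" + EscapeFilterValue(groupDn) + "))";
            searcher.PropertiesToLoad.Clear();
            searcher.PropertiesToLoad.Add("sAMAccountName");
            return searcher.FindOne() != null;
        }
    }

    // Example call. HttpContext.Current.User.Identity.Name is "MYDOMAIN\user";
    // strip the domain before passing it as sAMAccountName.
    public static bool CallerIsInGroup(string identityName, string svcPassword)
    {
        int slash = identityName.IndexOf('\\');
        string sam = slash >= 0 ? identityName.Substring(slash + 1) : identityName;
        return IsDirectMember(sam, "MYGROUP",
                              "LDAP://DC=mydomain,DC=local",   // assumed path
                              @"MYDOMAIN\svc-webldap",          // assumed account
                              svcPassword);                     // from protected config
    }
}
```

Two caveats worth knowing before relying on this. `memberOf` does not list nested groups or the user's primary group (typically Domain Users), so a user who qualifies only through a nested group returns false here; if that matters, walk the group's `member` attribute recursively or check the token instead. And for the calling user's own membership, the `<allow roles="MYDOMAIN\MYGROUP" />` already in web.config (equivalently `User.IsInRole(@"MYDOMAIN\MYGROUP")` on the WindowsPrincipal) answers from the group SIDs in the logon token with no hop to the DC at all; the directory query is only needed when checking some other account than the caller.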
