Re: Windows authentication

From: tbain (tbain_at_discussions.microsoft.com)
Date: 05/16/05


Date: Mon, 16 May 2005 07:52:01 -0700

Joe,

Thanks for your response. I did not realize that going through a browser on
the same machine as the web server would introduce the double hop. I was
hoping it was a permissions thing. Since it's not an AD domain (at least not
yet), maybe Basic Authentication with SSL is the answer but I was trying to
avoid forcing the user to login again. Thanks again.

:) Thom

"Joe Kaplan (MVP - ADSI)" wrote:

> You are probably running into what's known as a double-hop issue, where your
> credentials will not hop to 2 different machines. In the example where it
> works, the credentials go from the web server to the DC, whereas in the
> second example, the credentials go from the browser machine to the web
> server to the DC. The second hop will only work if Kerberos delegation is
> configured and enabled.
>
> There are plenty of references and articles online about Kerberos
> delegation.
>
> The other alternative is to try to supply credentials (username and password)
> to your DirectoryEntry. However, the WinNT provider is notorious for not
> working well with supplied credentials, so you would probably be better off
> using LDAP (if it is an AD domain).
>
> Joe K.
>
> "tbain" <tbain@discussions.microsoft.com> wrote in message
> news:50973729-F34E-4819-BA0A-4E1E864355D3@microsoft.com...
> > I am experiencing a permissions error in a .NET web application trying to
> > find if the user exists in a Domain Group. I am using C#. The web site is
> > configured to use Windows Authentication.
> >
> > web.config:
> > <identity impersonate="true"/>
> > <authentication mode="Windows" />
> > and
> > <authorization>
> > <deny users="?" />
> > <allow roles="MYDOMAIN\MYGROUP" />
> > <deny users="*" />
> > </authorization>
> >
> > The code works fine when I run it via the studio (2003) on my local
> > machine's web server (Windows XP SP2). But if I try to access it via
> > Internet Explorer directly by typing in the local web site URL using my
> > machine's IP, from my machine or another on the network, the application
> > throws an "Access is denied" exception. The web site is configured for
> > Windows authentication only. I presume the error is because it runs at an
> > elevated security level when invoking from the studio. I am an
> > administrator on the machine. The exception occurs on
> > "de.Invoke("Members");". The exception details follow the code snippet
> > below:
> >
> > // At the top of Staff.cs:
> > using System.Collections;
> > using System.DirectoryServices;
> >
> > // _log is the class's logger; UserId holds the id in "MYDOMAIN\user" form.
> > private bool UserIdExistsInNT4Group()
> > {
> >     DirectoryEntry de = new DirectoryEntry();
> >     // Bind to the domain group through the WinNT (NT4-compatible) provider.
> >     de.Path = @"WinNT://MYDOMAIN/MYGROUP,group";
> >
> >     // Late-bound call to IADsGroup.Members(); this is the call that throws
> >     // "Access is denied" when the bind is made with the impersonated token.
> >     object oRet = de.Invoke("Members");
> >     IEnumerable users = (IEnumerable) oRet;
> >     foreach (object user in users)
> >     {
> >         DirectoryEntry det = new DirectoryEntry(user);
> >         // Path looks like WinNT://MYDOMAIN/someuser; normalise to MYDOMAIN\someuser.
> >         string tuserid = det.Path;
> >         tuserid = tuserid.Replace("WinNT://", "");
> >         tuserid = tuserid.Replace("/", "\\");
> >         _log.Debug(tuserid);
> >         if (tuserid.ToUpper() == this.UserId.ToUpper())
> >         {
> >             return true;
> >         }
> >     }
> >     return false;
> > }
> >
> > Exception Details
> >
> > Source:System.DirectoryServices
> > Message:Access is denied
> > Stack Trace:
> > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> > at System.DirectoryServices.DirectoryEntry.Bind()
> > at System.DirectoryServices.DirectoryEntry.get_NativeObject()
> > at System.DirectoryServices.DirectoryEntry.Invoke(String methodName,
> > Object[] args)
> > at CMSBusiness.Staff.UserIdExistsInNT4Group()
> > in C:\CMS\Projects\CMSBusiness\Staff.cs:line 251
> > at CMSBusiness.Staff.Save(Int32 userStaffId)
> > in C:\CMS\Projects\CMSBusiness\Staff.cs:line 232
> > at CMSUIPlumbing.Controllers.CStaffController.DoButton(ButtonTypes bt,
> > Int32 iEntityId)
> > in c:\cms\projects\cmsuiplumbing\controllers\cstaffcontroller.cs:line 113
> >
> > I've found all kinds of coding references on how to do this but nothing on
> > how to configure for it. "filemon" and "regmon" are not giving me any
> > clues either. Does anybody have any ideas of what I'm missing? I am a
> > member of the group and the group has access to the web site folder. I'm
> > thinking it is something on the network that I don't have permission to
> > unless I'm running from the studio, which doesn't make much sense to me.
> > Thanks for your time.
> >
> > --
> > Thom
>
>
>
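Joe's second alternative, binding with an explicit account over the LDAP provider rather than relying on the browser user's impersonated token, avoids the double hop because the web server makes a single hop to the DC with credentials it holds itself. The following is an added example, not code from this thread or from either poster; it assumes a read-only service account whose credentials the caller loads from configuration, a placeholder domain root and group DN, and the Active Directory matching rule `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) for optional nested-group resolution. It also escapes filter values per RFC 4515 so a user-supplied logon name cannot rewrite the query.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not from the thread): group-membership check over LDAP with an
// explicit, low-privilege read-only account, so the lookup does not depend on
// the impersonated browser user's credentials being forwardable to the DC.
public static class GroupMembershipCheck
{
    // OID of LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf= also match nested groups.
    private const string InChainRule = "1.2.840.113556.1.4.1941";

    // domainRoot:     e.g. "mydomain.local"                              (placeholder)
    // groupDn:        e.g. "CN=MYGROUP,OU=Groups,DC=mydomain,DC=local"  (placeholder)
    // samAccountName: the user's logon name without the "MYDOMAIN\" prefix
    // serviceUser / servicePassword: read-only service account (placeholder),
    //                 loaded by the caller from protected configuration, never hard-coded.
    public static bool IsMember(string domainRoot, string groupDn, string samAccountName,
                                string serviceUser, string servicePassword,
                                bool includeNested)
    {
        // Secure + Sealing: authenticated (Kerberos/NTLM) bind with the channel
        // encrypted, so the service-account password is not sent in clear text.
        using (DirectoryEntry root = new DirectoryEntry(
                   "LDAP://" + domainRoot,
                   serviceUser, servicePassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            string memberOfAttr = includeNested
                ? "memberOf:" + InChainRule + ":"   // transitive (nested) membership
                : "memberOf";                       // direct membership only

            searcher.Filter = string.Format(
                "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})({1}={2}))",
                EscapeFilterValue(samAccountName), memberOfAttr, EscapeFilterValue(groupDn));
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");

            // One matching user object means the account is in the group.
            SearchResult result = searcher.FindOne();
            return result != null;
        }
    }

    // RFC 4515 escaping for values interpolated into an LDAP filter. Without it,
    // a logon name such as "*)(objectClass=*" would change the meaning of the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

The caller strips the "MYDOMAIN\" prefix from the impersonated user's name before passing it in, and the service account needs only read access to user and group objects. Because the bind uses the web server's own stored credentials rather than the caller's token, it works identically whether the request comes from Visual Studio, from a browser on the same machine, or from another machine on the network, which is exactly the difference the thread is about.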