Re: accessing Active Directory
From: reda (reda_at_discussions.microsoft.com)
Date: 08/25/05
- Next message: Nicole Calinoiu: "Re: Sandboxing AppDomain"
- Previous message: Dominick Baier [DevelopMentor]: "Re: Limiting exe permissions"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: accessing Active Directory"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: accessing Active Directory"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: accessing Active Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Aug 2005 01:21:07 -0700
Dear Joe,
Thank You for your help.
I found the document and tried to apply the delegation in the Active Directory:
first I made the user accounts to be trusted for delegation, not sensitive,
and able to be delegated;
then I made the web server computer to be trusted for delegation,
but I still have the same error !!
Are there any other settings that should take place in the Active Directory or in
the web server itself ?
Thank You,
"Joe Kaplan (MVP - ADSI)" wrote:
> This is a double hop issue. Essentially, the security token can go "one
> hop" from either the browser to the web server or directly from the web
> server to the AD if the browser was run from the local server, but it can't
> go two hops from the browser to the web server to the AD.
>
> If you really must access AD with the security context of the current user
> and you want to use IWA authentication in the web site, you need to also
> implement Kerberos delegation to overcome the double hop limitation.
>
> http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>
> If you don't need to use the authenticated user's security context to access
> AD, then you can use a service account instead. If you specify credentials
> or change the worker process to use a domain account and disable
> impersonation, you can do this instead. This article has some suggestions.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
>
> Joe K.
>
> "reda" <reda@discussions.microsoft.com> wrote in message
> news:70D7BC57-F466-408E-A6A6-C1A18A8FABAE@microsoft.com...
> > Hi all,
> >
> > I am developing an ASP.NET application using Windows authentication from
> > Active Directory on a local area network. The domain controller is not on the
> > same machine as the IIS. When trying to get the display name of the logged-in
> > user I am getting an error if I try remotely, even if the user is logged in,
> > but it works fine locally on the web server.
> >
> > I am new to using the DirectoryServices namespace and don't find any document
> > that discusses how to implement an application like that using Active Directory
> > hosted on another server.
> >
> > This is my code:
> >
> > using System.DirectoryServices;
> >
> > // Search under the Users container of the TAC.LOCAL domain, bound as the
> > // current (impersonated) caller because no credentials are given.
> > DirectorySearcher ds = new DirectorySearcher();
> > ds.SearchRoot = new DirectoryEntry("LDAP://CN=users,DC=TAC,DC=local");
> > // FormFilter is a helper (not shown) that builds one filter clause for the user.
> > string filter = "";
> > filter += FormFilter("user", userName);
> > filter = "(|" + filter + ")";
> > ds.Filter = filter;
> > ds.PropertiesToLoad.Add("*");
> > // This is the line that fails when the browser is on another machine.
> > System.DirectoryServices.SearchResult res = ds.FindOne();
> >
> > in the last line I get "An Operations error occurred"
> >
> > Both the web server and the domain controller are Windows 2003, and the domain
> > name is TAC.LOCAL.
> >
> > Can anybody help me ?
> >
> > Regards,
> >
>
>
>
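Joe's second option (a fixed service account instead of the caller's token), as an added example that is not code from this thread: the search binds with explicit credentials, so the browser user's ticket never has to make a second hop from the web server to the domain controller, and the user name is escaped before it is concatenated into the filter. The service-account name and password source, and the helper that replaces FormFilter, are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class UserLookup
{
    // Escape characters that have meaning inside an LDAP filter value (RFC 4515),
    // so the user name is treated as data and cannot alter the filter's structure.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the displayName for a sAMAccountName, or null if no such user exists.
    // svcUser / svcPassword are a dedicated read-only service account, assumed to be
    // loaded from protected configuration rather than hard-coded.
    public static string GetDisplayName(string userName, string svcUser, string svcPassword)
    {
        // IIS hands the identity over as DOMAIN\user; keep only the account part.
        int slash = userName.LastIndexOf('\\');
        string sam = slash >= 0 ? userName.Substring(slash + 1) : userName;

        using (DirectoryEntry root = new DirectoryEntry(
            "LDAP://CN=users,DC=TAC,DC=local", svcUser, svcPassword, AuthenticationTypes.Secure))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(sam) + "))";
            ds.PropertiesToLoad.Add("displayName"); // request only the attribute needed
            SearchResult res = ds.FindOne();
            if (res == null || res.Properties["displayName"].Count == 0)
                return null;
            return (string)res.Properties["displayName"][0];
        }
    }
}
```

With explicit credentials the bind no longer depends on ASP.NET impersonation, so the double-hop error goes away without any delegation settings; the trade-off is that the service account, not the caller, is what the domain controller authorizes, so give it read access only.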