Kerberos on .NET Server RC2, IIS 6.0 and LDAP with WebSvc

From: nu-k-ar (nospam@plz.com)
Date: 03/13/03


From: "nu-k-ar" <nospam@plz.com>
Date: Thu, 13 Mar 2003 14:04:39 +0100


Okay, WinForm client to WebSvc (smart card authentication) -> not in domain.
IIS aka WebSvc does certificate mapping based on AD mapping (works, .NET
domain) -> on AD security log: mapped blaa to blaa ....
Impersonate is on ...

In the web method call to LDAP (AD),

the AuthenticationType on DirectoryEntry =
(AuthenticationTypes.Delegation or AuthenticationTypes.Sealing or
AuthenticationTypes.Secure)

So what now happens if I want to commit a new user in the AD: the request
goes with the security context ANONYMOUS and NTLM,
which means that it takes the anonymous context token from the IIS web site
instead of the impersonated user token from the smart card.

If I give username and password it works (which is clear, because it
gets itself a real security context, aka Kerberos ticket).

The goal is to get the delegation really running.

I don't know if there's any implication, because I'm using the standard .NET
Framework against .NET Server 2003.
I also mentioned that some AD schema constants changed between .NET Server
RC1 and RC2.

Please do not mention setting the IIS account to a privileged user account; we
cannot do this.
And we have no password and will not have one, because our authentication
is the smart card.

Any help or suggestion really appreciated.

Thanks a lot

//________________________

Secure
//snip
Requests secure authentication. When this flag is set, the WinNT provider
uses NTLM to authenticate the client. Active Directory uses Kerberos, and
possibly NTLM, to authenticate the client. When the user name and password
are a null reference (Nothing in Visual Basic), ADSI binds to the object
using the security context of the calling thread, which is either the
security context of the user account under which the application is running
or of the client user account that the calling thread is impersonating.
//Snip

Sealing
//snip
Encrypts data using Kerberos. The Secure flag must also be set to use
sealing.
//snip

Delegation
//snip
Enables Active Directory Services Interface (ADSI) to delegate the user's
security context, which is necessary for moving objects across domains.
//Snip
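An added example (not the poster's code) of the web-method side as the quoted MSDN text describes it: null credentials together with Secure make ADSI bind with the calling thread's context, so the example first checks that the token IIS handed the thread is not the anonymous one and is of Delegation level (a token that can only impersonate locally cannot be forwarded to the DC, which is one way to end up with an ANONYMOUS/NTLM bind). The OU path and the WindowsIdentity.ImpersonationLevel property (available from .NET 2.0, not the .NET 1.x the post uses) are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

public class AdUserService
{
    // Hypothetical container; replace with the real OU distinguished name.
    const string UsersOu = "LDAP://OU=Users,DC=example,DC=local";

    // Verifies, before any LDAP bind, that the thread really runs under the
    // mapped smart-card identity and that the token may be delegated.
    static void CheckCallerToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        if (id == null || id.IsAnonymous)
            throw new InvalidOperationException(
                "Thread is anonymous: IIS handed over the anonymous token, not the mapped user.");

        // ImpersonationLevel exists from .NET 2.0 onwards (assumption for this
        // example). Only a Delegation-level token can be used against the DC;
        // an Impersonation-level token yields an anonymous/NTLM bind instead.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token level is " + id.ImpersonationLevel + "; AD will not see the user.");
    }

    // Creates a user object in the OU using the impersonated caller's context.
    public static string CreateUser(string cn, string samAccountName)
    {
        CheckCallerToken();

        // Null username/password plus Secure: ADSI binds with the calling
        // thread's security context (the impersonated smart-card user).
        AuthenticationTypes flags = AuthenticationTypes.Secure
                                  | AuthenticationTypes.Sealing
                                  | AuthenticationTypes.Delegation;

        using (DirectoryEntry ou = new DirectoryEntry(UsersOu, null, null, flags))
        {
            DirectoryEntry user = ou.Children.Add("CN=" + cn, "user");
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.CommitChanges();
            return user.Path; // ADsPath of the newly created object
        }
    }
}
```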


