Re: Server 2003 AD, security context APIs, "operations error" ??



Thanks for the reply, Joe. (I will read your book -- I have mountains
of ignorance to cross). May I ask a couple of n00b questions as
followup?

Joe Kaplan (MVP - ADSI) wrote:
> 2003 AD doesn't support anonymous searches by default, so that's probably
> the difference.

This could indeed be the problem. Are you saying that the NTLM security
context retrieved from the client isn't passed along to the AD? Is the
act of passing along the security context the thing called "delegation"
in Windows security parlance?

> My guess is that your code has never been successfully
> authenticating with AD and has been binding as the anonymous user all along.

This is probably right. The server AD get call fails another way --
actually it fails trying to read the server machine's local registry,
according to Sysinternals' Regmon -- if the server process doesn't have
local machine administrator privileges.

> Since you have a multiple
> machine hop in here but can't delegate, you'll end up with anonymous
> authentication to AD via NTLM.

So the get function to the AD first tries using the thread's security
context and if that fails it tries anonymous access, is that correct?

Is it important to use the client's security context to hit AD via LDAP?

What I have to do is retrieve an ExtendedRight that is set for the
client on a serviceConnectionPoint underneath the server's computer
directory entry. If the client doesn't have that right set, the
server is to refuse the client's request. The server certainly doesn't
need the client security context to carry out the operation once it's
authorized. What I am not clear on is whether the server must
impersonate the client to perform the check. Obviously everything
would be simpler if it didn't.

Any wisdom?
Thanks.
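One way to perform the authorization check the post describes without impersonating the client, as an added illustration that is not code from the original thread or from either poster: the server binds to AD under its own identity, reads the serviceConnectionPoint's nTSecurityDescriptor attribute (the LDAP_SERVER_SD_FLAGS_OID control, 1.2.840.113556.1.4.801, lets it fetch just the DACL), and evaluates the DACL against the client's SID and group SIDs taken from the already-authenticated NTLM token. The code below does the DACL part offline: it decodes the self-relative security descriptor and returns whether an ACE grants the ADS_RIGHT_DS_CONTROL_ACCESS bit for the right's GUID to one of the caller's SIDs. The extended-right GUIDs, the SIDs and the sample descriptor are constructed for this example and are not real; the LDAP read itself is not shown.

```python
"""Offline check of an AD extended right against an object's DACL.

Added example for this thread, not code from the original post.
Everything below the parsers (right GUIDs, SIDs, SAMPLE_SD) is made up."""
import struct
import uuid

SE_DACL_PRESENT = 0x0004
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100          # access-mask bit for "extended rights"
ACE_OBJECT_TYPE_PRESENT = 0x1                # object-ACE flag: ObjectType GUID follows
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
INHERIT_ONLY_ACE = 0x08                      # ACE does not apply to the object itself
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x05, 0x06


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into 'S-1-...' and return (sid, end_offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def parse_aces(buf, dacl_off):
    """Yield (ace_type, ace_flags, mask, object_type_guid_or_None, sid) for each DACL ACE."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, dacl_off)
    off = dacl_off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, off)
        mask = struct.unpack_from("<I", buf, off + 4)[0]
        obj_type, p = None, off + 8
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            oflags = struct.unpack_from("<I", buf, p)[0]
            p += 4
            if oflags & ACE_OBJECT_TYPE_PRESENT:
                obj_type = uuid.UUID(bytes_le=buf[p:p + 16])   # GUIDs are stored mixed-endian
                p += 16
            if oflags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16                                          # not needed for this check
        sid, _ = parse_sid(buf, p)
        yield ace_type, ace_flags, mask, obj_type, sid
        off += ace_size


def has_extended_right(sd, principal_sids, right_guid):
    """Walk the DACL in order; the first ACE that applies to one of the principal's SIDs
    and to this right decides (a deny placed first wins, as in canonical ACL order).
    A descriptor with no DACL at all means no restriction, as on Windows."""
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT:
        return True
    for ace_type, ace_flags, mask, obj_type, sid in parse_aces(sd, dacl_off):
        if ace_flags & INHERIT_ONLY_ACE or sid not in principal_sids:
            continue
        if not mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue
        if obj_type is not None and obj_type != right_guid:
            continue                       # object ACE scoped to some other right
        return ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE)
    return False                           # DACL present but nothing grants the right


# ---- constructed sample data (made up for this example) ------------------------
def build_sid(sid):
    parts = sid.split("-")[1:]
    rev, authority, subs = int(parts[0]), int(parts[1]), [int(x) for x in parts[2:]]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_object_ace(ace_type, mask, obj_guid, sid):
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + obj_guid.bytes_le + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(aces):
    """Self-relative SD with only a DACL (owner/group/SACL offsets left at 0)."""
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + dacl


RIGHT_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # hypothetical extended right
OTHER_RIGHT = uuid.UUID("99999999-8888-7777-6666-555555555555")  # some unrelated right
CLIENT = "S-1-5-21-1000-2000-3000-1105"    # hypothetical client user SID
GROUP = "S-1-5-21-1000-2000-3000-513"      # hypothetical group the client belongs to
BLOCKED = "S-1-5-21-1000-2000-3000-1106"   # hypothetical user explicitly denied

SAMPLE_SD = build_sd([
    build_object_ace(ACCESS_DENIED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS, RIGHT_GUID, BLOCKED),
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS, RIGHT_GUID, GROUP),
    build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, ADS_RIGHT_DS_CONTROL_ACCESS, OTHER_RIGHT, CLIENT),
])

if __name__ == "__main__":
    # Token SIDs would come from the authenticated client's security context.
    print(has_extended_right(SAMPLE_SD, {CLIENT, GROUP}, RIGHT_GUID))   # True, via the group ACE
    print(has_extended_right(SAMPLE_SD, {CLIENT}, RIGHT_GUID))          # False, own ACE is another right
    print(has_extended_right(SAMPLE_SD, {BLOCKED, GROUP}, RIGHT_GUID))  # False, deny ACE comes first
```

The caveats a practitioner would want: the set of SIDs passed in must be the client's full token (user plus all groups, nested ones included), which is exactly what an authenticated NTLM context gives the server and an anonymous bind does not; and the check is only as good as the DACL the server can read, so the service account needs read permission on nTSecurityDescriptor for the SCP. The Windows AccessCheck family also applies the same ordering rules, so this is a model of the rule, not a replacement for it.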

