Account for form authentication to AD

Discussion in 'ASP .Net Security' started by Guest, Jun 4, 2005.

  1. Guest

    Hi
    I read Microsoft KB article #Q316748, and it says in order for form
    authentication to work I need to configure IIS for anonymous authentication
    as follows:

    Configure IIS for Anonymous Authentication
    To configure IIS for anonymous authentication, follow these steps:
    1. In IIS, click to select the Anonymous Authentication check box.
    2. Make the anonymous account for the application an account that has
    permission to the Active Directory.
    3. Click to clear the Allow IIS To Control Password check box.


    just what do we need to do for step 2 please?!

    TIA
    --
    Guest, Jun 4, 2005
    #1

  2. June 4, 2005

    Is there a specific reason why you want to use a custom guest account for
    ASP.Net? If not then you don't need to go to all that work. There is an
    account configured by Microsoft to be used for anonymous authentication for
    Forms Auth that almost everybody uses. It is named IUSR_MACHINENAME. Just
    put in IIS that account name IUSR_(MACHINENAME) where machinename = the name
    of the server. IIS SHOULD control the password. Hope this helps!
    --
    Joseph Bittman Beta ID# 678424
    Microsoft Certified Application Developer

    Web Site: http://71.35.110.42
    Dynamic IP -- Check here for future changes

    Joseph Bittman MCAD, Jun 4, 2005
    #2

  3. Guest

    I need to have access to AD, i.e. be able to add / change / delete AD objects!

    Guest, Jun 5, 2005
    #3
  4. June 4, 2005

    Sorry, I read more of the article and I understand now. You need to
    create a user account that has AD permissions to query AD for users and
    groups, but still has some sort of least privilege. I'm not familiar with
    how you configure AD permissions for LDAP queries so I hope somebody else
    can help you! Sorry, but have a great day!

    --
    Joseph Bittman Beta ID# 678424
    Microsoft Certified Application Developer

    Web Site: http://71.35.110.42
    Dynamic IP -- Check here for future changes

    Joseph Bittman MCAD, Jun 5, 2005
    #4
  5. Get an administrator for the AD to create a user for you. Without the
    required privileges, you won't be able to do it.

    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider (www.aspinsiders.com)

    Paul Glavich [MVP ASP.NET], Jun 6, 2005
    #5
  6. Guest

    I have administrator rights on this server, but I am not sure if I need to be
    a member of "domain admin" to do the job, or whether some other group will do?!

    Guest, Jun 6, 2005
    #6
  7. June 6, 2005

    hmmm.... If I remember right..... I have accessed the AD Users and
    Computers snap-in and viewed everything with a standard account; just
    couldn't change anything.... You should be able to do the same from code
    with a standard account then.

    --
    Joseph Bittman Beta ID# 678424
    Microsoft Certified Application Developer

    Web Site: http://71.35.110.42
    Dynamic IP -- Check here for future changes

    Joseph Bittman MCAD, Jun 6, 2005
    #7
  8. Guest

    I know, that is exactly what I need to do - to add / change / delete AD
    objects!
    TIA

    Guest, Jun 6, 2005
    #8
  9. The best practice is to use an account with as few privileges as
    possible. For basic provisioning stuff, an account in Account Operators
    should be fine, but you can get it much more granular if you delegate
    permissions for a single container (OU) to a more restricted account.

    I would also suggest not using this account as the anonymous account in IIS.
    That is giving a LOT of privilege in AD for something with such a high
    surface area to the public. Instead, I'd suggest using the minimum
    privileged account for your simple queries and switch to a higher privileged
    account for provisioning activities. You can do this by passing credentials
    directly with the DirectoryEntry or moving the provisioning code to a COM+
    component running under the privileged identity.

    Joe K.

    Joe Kaplan (MVP - ADSI), Jun 7, 2005
    #9
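
The split described in post #9, a least-privileged bind for queries and a separate, OU-scoped account for provisioning, sketched with `DirectoryEntry` as an added example (not code from the thread or its participants). The domain, OU and environment variable names are hypothetical placeholders, and credentials are read from the process environment rather than hard-coded.

```csharp
using System;
using System.DirectoryServices;
using System.Text.RegularExpressions;

// Hypothetical names throughout: the domain, OU and environment variables
// below are placeholders, not values from the thread.
public static class DirectoryAccess
{
    const string DomainRoot = "LDAP://DC=example,DC=com";
    const string ProvisioningOu = "LDAP://OU=WebUsers,DC=example,DC=com";
    const AuthenticationTypes Auth =
        AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;

    // Accept only a conservative character set so the value is safe to place
    // in both an LDAP filter and an RDN without further escaping.
    static string RequireSafeName(string name)
    {
        if (name == null || !Regex.IsMatch(name, @"^[A-Za-z0-9._-]{1,20}$"))
            throw new ArgumentException("Unsupported account name.", nameof(name));
        return name;
    }

    // Read path: binds as a low-privileged account that is only used to query.
    public static bool UserExists(string samAccountName)
    {
        string name = RequireSafeName(samAccountName);
        using (var root = new DirectoryEntry(DomainRoot,
                   Environment.GetEnvironmentVariable("AD_READER_USER"),
                   Environment.GetEnvironmentVariable("AD_READER_PASSWORD"), Auth))
        using (var searcher = new DirectorySearcher(root,
                   "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + name + "))"))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;
        }
    }

    // Write path: binds as a separate account whose rights were delegated on
    // one OU only, and holds that bind just for the duration of the change.
    public static void CreateUser(string samAccountName)
    {
        string name = RequireSafeName(samAccountName);
        using (var ou = new DirectoryEntry(ProvisioningOu,
                   Environment.GetEnvironmentVariable("AD_PROVISIONER_USER"),
                   Environment.GetEnvironmentVariable("AD_PROVISIONER_PASSWORD"), Auth))
        using (DirectoryEntry user = ou.Children.Add("CN=" + name, "user"))
        {
            user.Properties["sAMAccountName"].Value = name;
            user.CommitChanges(); // writes the new object to the directory
        }
    }
}
```

With this layout the IIS anonymous account needs no rights in AD at all; a failed `CreateUser` bind or an access-denied error on `CommitChanges` is the expected result when the provisioning account is used outside its delegated OU.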
  10. Guest

    Hi Joe
    I am trying to implement "impersonation", hoping that would eliminate the
    need for hard-coding credential information in any of the files and
    maintain the flexibility for users to change passwords and, of course, at the
    same time be able to delegate administration to different authenticated
    users... etc. But I guess this impersonation thing is what is giving the
    errors I have in another thread I just posted, "form authentication - errors"!!!

    Guest, Jun 7, 2005
    #10