Account Permissions to query Active Directory

Discussion in 'ASP .Net Security' started by Keith F., Apr 24, 2006.

  1. Keith F.

    Keith F. Guest

    I'm working with my Windows tech support guy on trying to give an ASP.NET 2.0
    web app I built adequate permissions so it can query Active Directory for
    user roles created using Authorization Manager.
    If we go into the application pool properties on the web server, and on the
    Identity tab, select configurable identity, and put in my tech guy's username
    and password, the app works fine. I can use the IsInRole method, etc.
    We've tried creating a special account just for this, but we haven't been
    able to figure out exactly what permission this account needs to access
    Active Directory.
    Can anyone tell me how to set the permissions to allow a least privilege
    account to query Active Directory? Or point me to a link that would help?
    (Note: I'm using the AuthorizationStoreRoleProvider in my web.config)
    Thanks,
    KF
     
    Keith F., Apr 24, 2006
    #1

  2. MikeS

    MikeS Guest

    Have you checked the security settings on the AzMan store or
    application?
     
    MikeS, Apr 25, 2006
    #2

  3. This is a difficult question in general because AD allows such flexible
    delegation of permissions. Typically, I'd expect someone in the
    Authenticated Users group in AD to be able to read the AzMan objects in the
    directory. However, your admins might have delegated the permissions such
    that only specific users can read them. As such, a solution that works for
    me might not work for you.

    Assuming that the app works fine when used with a domain user who doesn't
    have any special permissions but does not work when configured with Network
    Service (which uses the computer account when accessing the network), it may
    be the case that Domain Users have rights to read these objects, but not
    Domain Computers. You might try examining the ACLs on the AzMan objects and
    containers and see what you can tell.

    Best of luck,

    Joe K.

    "Keith F." <> wrote in message
    news:...
    > I'm working with my Windows tech support guy on trying to give an ASP.NET 2.0
    > web app I built adequate permissions so it can query Active Directory for
    > user roles created using Authorization Manager.
    > If we go into the application pool properties on the web server, and on the
    > Identity tab, select configurable identity, and put in my tech guy's username
    > and password, the app works fine. I can use the IsInRole method, etc.
    > We've tried creating a special account just for this, but we haven't been
    > able to figure out exactly what permission this account needs to access
    > Active Directory.
    > Can anyone tell me how to set the permissions to allow a least privilege
    > account to query Active Directory? Or point me to a link that would help?
    > (Note: I'm using the AuthorizationStoreRoleProvider in my web.config)
    > Thanks,
    > KF
     
    Joe Kaplan (MVP - ADSI), Apr 25, 2006
    #3
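
Added example (not part of the thread and not any poster's code): one way to examine the ACLs on the AzMan objects and containers, as suggested in reply #3, using PowerShell with the ActiveDirectory module. The store DN is a placeholder assumption, and the three principals checked are the groups named in that reply.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module,
# which provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

# Assumption: placeholder DN. Use the DN of your own AzMan store object.
$storeDn = 'CN=ExampleAzManStore,CN=Program Data,DC=example,DC=com'

# The principals discussed in the reply above. Network Service reaches the
# directory as the computer account, which is a member of Domain Computers.
$domain = (Get-ADDomain).NetBIOSName
$principals = @(
    'NT AUTHORITY\Authenticated Users',
    "$domain\Domain Users",
    "$domain\Domain Computers"
)

$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Walk the store object and everything under it, one report row per principal.
$report = Get-ADObject -SearchBase $storeDn -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($p in $principals) {
            $aces  = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $p })
            $allow = @($aces | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $readProp) -eq $readProp
            })
            $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
            [pscustomobject]@{
                Object     = $dn
                Principal  = $p
                AllowsRead = $allow.Count -gt 0
                HasDenyAce = $deny.Count -gt 0
                Rights     = ($aces.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
            }
        }
    }

$report | Format-Table -AutoSize -Wrap

# Objects where none of the three principals has an Allow ACE with ReadProperty:
$report | Group-Object Object |
    Where-Object { -not ($_.Group.AllowsRead -contains $true) } |
    Select-Object -ExpandProperty Name
```

The report covers only ACEs that name these three principals directly; access granted through other groups, or ACEs scoped to specific properties, still need to be checked against the account's effective permissions.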