Active Directory Authorization Store question

Discussion in 'ASP .Net Security' started by hey, Mar 2, 2005.

  1. hey

    hey Guest

    I'm using the Authorization and Profile block in my middle tier (.NET Remoting
    hosted under IIS) for role-based application security. It's all good when the
    authorization store is placed in a local XML file. But this is only good in
    development. In the production environment the store needs to be integrated into
    Active Directory.

    The middle tier (ASP.NET) is supposed to be configured to run under a
    least-privileged local account. But I cannot successfully configure any local
    account (neither a custom account nor a built-in account) to communicate with the
    remote AD authorization store.

    The steps were:
    1. Create an authorization store in AD
    2. Assign the computer account of the server running ASP.NET to the Readers
    group of the store.

    My question is whether a non-domain account can be used to open and
    query a remote authorization store in Active Directory. If yes, then what are
    the requirements for this local account (membership, permissions, etc.)?

    Thanks
    Ming
     
    hey, Mar 2, 2005
    #1

  2. You'll need a domain account if you want to talk to AD using the credentials
    of your current thread. If you can specify credentials somehow then you
    have more flexibility.

    Can you set up ASP.NET to run as a low privileged domain account?

    Joe K.

    Joe Kaplan (MVP - ADSI), Mar 2, 2005
    #2

  3. hey

    hey Guest

    Thanks for your reply Joe.

    For sure it works by using a domain account.

    But the preference is to use a local account, which will be consistent with
    the way we communicate with the backend server. We have set up mirrored
    local accounts on the middle-tier and backend database servers to facilitate
    Windows authentication between the two.

    Ming

     
    hey, Mar 2, 2005
    #3
  4. I'm not a huge fan of the mirrored local account as it is pretty brittle.
    Wouldn't it be easier to use a domain account for that purpose too? That
    would seem to solve both problems. You can still use a least privilege
    account for this purpose.

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Mar 3, 2005
    #4
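The two options Joe describes in replies #2 and #4, shown side by side as an added example (this is not code from the thread, from AzMan, or from the Authorization and Profile block). It assumes the full .NET Framework on Windows with a COM reference to azroles.dll (namespace AZROLESLib); the store URL, application name and the DOMAIN\user account are hypothetical placeholders. The point it makes concrete is that `IAzAuthorizationStore.Initialize` has no credentials parameter: an msldap:// store is opened as whatever Windows identity the calling thread holds at that moment, so either the worker process already runs as a domain account that is a Reader of the store (path 1), or the code has to impersonate one around the AD call (path 2).

```csharp
// Added example: opening an AD-hosted AzMan store under the thread identity
// versus under an explicitly supplied domain account. Not from the thread.
// Assumes .NET Framework + COM interop reference to azroles.dll (AZROLESLib).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using AZROLESLib;

public static class AzStoreAccess
{
    // Hypothetical AD-hosted store (an msDS-AzAdminManager object) and application.
    const string StoreUrl = "msldap://CN=MidTierStore,OU=AzStores,DC=corp,DC=example,DC=com";
    const string AppName  = "MiddleTier";

    // Initialize() binds to the msldap:// store as the calling thread's current
    // Windows identity; that identity is what the store's Readers ACL is checked against.
    static IAzApplication OpenApplication()
    {
        IAzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);          // flags = 0: open for read
        return store.OpenApplication(AppName, null);
    }

    // Build a client context from the end user's token and list the AzMan roles
    // it holds at application scope ("" = application scope, no sub-scope).
    static string[] RolesForToken(IAzApplication app, IntPtr userToken)
    {
        IAzClientContext ctx = app.InitializeClientContextFromToken(
            (ulong)userToken.ToInt64(), null);
        Array roles = (Array)ctx.GetRoles("");
        string[] names = new string[roles.Length];
        for (int i = 0; i < names.Length; i++)
            names[i] = Convert.ToString(roles.GetValue(i));
        return names;
    }

    // Path 1 (reply #2/#4): the worker process itself runs as a least-privileged
    // domain account that is a Reader of the store, so the thread identity is
    // already acceptable to AD. 'caller' is the authenticated request identity.
    public static string[] RolesUnderProcessIdentity(WindowsIdentity caller)
    {
        Console.WriteLine("Opening store as " + WindowsIdentity.GetCurrent().Name);
        return RolesForToken(OpenApplication(), caller.Token);
    }

    // Path 2 ("if you can specify credentials somehow"): keep the process on a
    // local account but impersonate a domain account for the AD hop only.
    // LOGON32_LOGON_NEW_CREDENTIALS leaves the local identity unchanged and uses
    // the supplied credentials for network authentication, which is what the
    // LDAP bind to a domain controller needs.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50      = 3;   // required with NEW_CREDENTIALS

    public static string[] RolesUnderDomainCredentials(WindowsIdentity caller,
        string domain, string user, string password)
    {
        IntPtr svcToken;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out svcToken))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Everything inside this block reaches AD as DOMAIN\user; the
            // impersonation is undone when the using block exits, even on exception.
            using (WindowsImpersonationContext imp = new WindowsIdentity(svcToken).Impersonate())
            {
                return RolesForToken(OpenApplication(), caller.Token);
            }
        }
        finally
        {
            CloseHandle(svcToken);
        }
    }
}
```

Two checks worth doing before choosing between them. First, the step of adding the server's computer account to the store's Readers only helps when the worker process runs as NETWORK SERVICE or LOCAL SYSTEM, because those are the identities that authenticate to remote hosts as the computer account; a custom local account does not, and a domain controller has no local SAM entry to match a mirrored username/password pair the way the SQL server does, which is why the mirrored-account trick works for the database hop but not for AD. Second, path 2 means the middle tier now holds a domain password (it must at least live in a DPAPI-protected configuration section) and any code running in that process can impersonate with it, so it gives an attacker who compromises the tier strictly more than path 1 does. Running the application pool as the least-privileged domain account, as Joe suggests, needs no stored secret at all.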
