AD queries. Please, prove me wrong...

JKruza

Hello!

I have an intranet web app in ASP.NET 2.0. IIS is set to require "Windows
Integrated" or "Digest against AD" authentication. ASP.NET auth mode is
"Windows", impersonation is set to true.

Up to this moment everything works just fine.

The problem is that I can't query AD in any way without providing user
credentials.
I tried both direct LDAP queries through DirectoryEntry and
ActiveDirectoryMembership; in every case a username and password were required.
I simply can't find any info or example not using credentials...

Additional info:

Server: Windows Server 2000 with IIS and ASP.NET

The user I'm impersonating is a domain user and belongs to the "Administrators"
group on this server. (The target is to authenticate and impersonate as any
domain user...)

Code security trust level is "Full".

Launching a console or Windows app reusing the same code on this server works
fine without providing credentials.

Because of company policy I can't hardcode (or put in config) the
credentials of any domain user... :(

Again: Is it possible to query AD through LDAP without providing
credentials from an ASP.NET 2.0 app? I'm starting to doubt it...


Thanks in advance,
JK

Joe Kaplan

Yes, you can do this. If you want to impersonate the authenticated user
from IIS and use those credentials to query AD, then you must configure
Kerberos delegation in AD to allow the web app to have the rights to
delegate the user's credentials to AD. Since you are using a Win2K web
server, you cannot use protocol transition (Kerberos S4U), so that also
means that you must ensure that you use IWA auth in IIS and ensure that IWA
is using the Kerberos protocol to authenticate the browser user, not NTLM.

This type of scenario is much easier to get working in IIS 6 than IIS 5, but
it can be made to work on Win2K if you are stuck with that as your web
server platform. There are many documents on MS support, MSDN and TechNet
that explain how to configure Kerberos delegation in a web application and
there are also good troubleshooting guides available. It takes a while to
learn all the details that are required to understand how to configure and
troubleshoot this, but it can be done.

Best of luck!

Joe K.
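As an added illustration of the delegation requirement Joe describes (example code written for this edit, not code from the thread or from either poster): an ASP.NET 2.0 code-behind that checks the impersonated caller's token is Kerberos-authenticated and carries delegation rights before binding to AD without any explicit credentials. The domain DC=corp,DC=example,DC=com, the page class WhoAmI and the label control Output are assumed placeholders.

```csharp
// Added example, not from the thread. Assumes <authentication mode="Windows"/>
// and <identity impersonate="true"/> in web.config, IIS configured for
// Integrated Windows authentication, and the placeholders named in the lead-in.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class WhoAmI : Page
{
    // Declared here so the snippet compiles without a designer file; in a real
    // project the .aspx markup declares <asp:Label ID="Output" runat="server"/>.
    protected Label Output;

    protected void Page_Load(object sender, EventArgs e)
    {
        // With impersonation on, the worker thread runs under the browser
        // user's logon token, so GetCurrent() is the caller, not ASPNET/SYSTEM.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // 1. The caller must have been authenticated with Kerberos. An NTLM
        //    token cannot be forwarded to a second server (the "double hop"),
        //    which is exactly the symptom in the question: AD queries fail
        //    unless credentials are supplied explicitly.
        if (!string.Equals(caller.AuthenticationType, "Kerberos",
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "Caller was authenticated with " + caller.AuthenticationType +
                "; Kerberos is required so the token can be delegated to AD.");
        }

        // 2. The token must carry delegation rights. Windows only issues a
        //    Delegation-level token when the account running IIS is trusted
        //    for delegation in AD and the caller's account is not marked
        //    "sensitive and cannot be delegated".
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new InvalidOperationException(
                "Token impersonation level is " + caller.ImpersonationLevel +
                "; Delegation is required to reach AD as " + caller.Name + ".");
        }

        // 3. With both checks passed, a DirectoryEntry created with no
        //    username/password binds to AD as the impersonated caller. No
        //    service-account credentials are stored anywhere in the app.
        string samAccountName = caller.Name.Substring(caller.Name.IndexOf('\\') + 1);
        using (DirectoryEntry root = new DirectoryEntry("LDAP://DC=corp,DC=example,DC=com"))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" +
                              EscapeLdapFilterValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("displayName");

            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                Output.Text = "Bound to AD as " + caller.Name + " but found no user object.";
            }
            else
            {
                string displayName = result.Properties.Contains("displayName")
                    ? (string)result.Properties["displayName"][0]
                    : "(no displayName)";
                Output.Text = "Bound to AD as " + caller.Name + "; displayName = " + displayName;
            }
        }
    }

    // Escape the characters RFC 4515 reserves inside an LDAP filter value so a
    // caller-controlled string cannot alter the query's structure (LDAP injection).
    // The backslash is escaped first so later replacements are not double-escaped.
    private static string EscapeLdapFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }
}
```

Check 2 is the one that fails until the admins act: the computer (or service) account under which IIS runs has to be marked "Trust this computer for delegation" in Active Directory Users and Computers. On Windows 2000 that setting is unconstrained delegation, which lets the web server act as the user toward any Kerberos service, so treat the web server as a high-value host; where the platform allows it (Windows Server 2003 and later), constrained delegation limited to the directory service is the least-privilege choice.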

JKruza

Thanks, Joe!

I'll pass this to our admins and hope that they will be able to do this for
me.
We have a large network and a very strict policy, so this may not be easy.

Anyway, thanks again for the help.

JK.