ASP.NET and integrated Authentication

Mohamed Zaki

Dear All,

I developed an ASP.NET application that uses integrated security. I'm getting
the logged-on username from "User.Identity.Name" and using the DirectoryServices
namespace to get the user information from the domain. The problem now is that
when I start the machine or restart IIS and try to access my web application
from any remote machine, I get errors. But if I restart IIS and
open the web application locally (using the localhost alias), the web
application opens fine, and then all the users over the network can open the web
application. I think it's related to the account that is being used to
access Active Directory to retrieve the information.

Has anyone faced this problem?!

Regards,
Mohamed
 
David Jessee

I had an issue with this once. Here's what I had to do (warning, this might
cause a headache for your network admins).

I had to have a domain account created that is used for nothing except for
AD lookups. This account has no privileges to any network resources. The
username/password was placed, encrypted, inside of the web.config file.
Then that account name/password was used when performing LDAP queries.

Depending on how retentive your security people are, they might balk at
this. I ended up having to do a presentation on the reasoning behind this,
and explain the encryption techniques we were using for the AD credentials,
but they were persuaded. We've since encapsulated the query inside of a
WebService and now leverage this lookup in a number of web applications.
 
Scott Allen

Hi Mohamed:

Are you using impersonation? There is a one-hop limit for the
credentials when using impersonation unless you enable Kerberos
delegation. The credentials make one hop from the browser to a remote
web server, then the web server cannot make a second hop with those
credentials to the AD server. You might consider running the web
application under a domain account instead of the local ASPNET
account.
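
An added example, not code from any post in this thread: a lookup that binds to the directory with a dedicated low-privilege account, as David describes, so the query never depends on the browser user's credentials making the second hop Scott describes. The class name, the appSettings keys and the choice of the `mail` attribute are assumptions; the settings are assumed to sit in a config section encrypted with ASP.NET protected configuration, which is decrypted transparently when read.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Text;

public static class AdLookup   // hypothetical helper class
{
    // Escape the characters RFC 4515 reserves inside an LDAP filter value,
    // so the username cannot change the structure of the query.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // identityName is User.Identity.Name, e.g. "DOMAIN\jsmith".
    public static string GetMail(string identityName)
    {
        if (string.IsNullOrEmpty(identityName)) return null;
        string sam = identityName.Substring(identityName.LastIndexOf('\\') + 1);

        // Assumed key names; values belong to the lookup-only domain account.
        string path = ConfigurationManager.AppSettings["AdLookupPath"];
        string user = ConfigurationManager.AppSettings["AdLookupUser"];
        string pass = ConfigurationManager.AppSettings["AdLookupPassword"];

        // Explicit credentials: the bind does not use the impersonated caller.
        using (var root = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilter(sam) + "))";
            searcher.PropertiesToLoad.Add("mail");   // load only what is needed
            SearchResult hit = searcher.FindOne();
            if (hit == null || hit.Properties["mail"].Count == 0) return null;
            return (string)hit.Properties["mail"][0];
        }
    }
}
```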
 
