Double hop reloaded

Sharon

Hi to all.
I'm using impersonation, combined with Windows authentication.
When the page tries to connect to Active Directory,
I get a login failure, due to the double hop issue.
As I understand it, IIS does not receive a
primary token, so how can I authenticate against Active Directory?
Is it possible to delegate when using impersonation and Windows
authentication?
Thanks.
Sharon.
 
Sharon

Thanks Scott.
This is a "bit" confusing.
As I understand it so far, delegation is only possible using Kerberos,
and all users in Active Directory have to be marked for delegation.
Unfortunately, the fruit basket will not work here, and I've ruled out
pumping laughter gas into the IT room ventilation system.
What if I revert to the IIS identity before the Active Directory query?
Problem is, how do I get the WindowsImpersonationContext, to call the Undo
method?
The only other solution is to use Basic authentication, which I don't like.
Sharon.
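The revert asked about in the post above, as an added example that is not part of the original thread: on .NET Framework, `WindowsIdentity.Impersonate(IntPtr.Zero)` returns the `WindowsImpersonationContext` whose `Undo` restores the impersonated user. The class name, method names, `ldapPath` and `samAccountName` are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class DirectoryLookup
{
    // ldapPath and samAccountName are hypothetical inputs, not from the thread.
    public static string FindDisplayName(string ldapPath, string samAccountName)
    {
        // Impersonate(IntPtr.Zero) drops the impersonated browser user for this
        // thread, so the bind below is made as the worker process identity.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(ldapPath))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                                  + EscapeFilterValue(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("displayName");
                SearchResult hit = searcher.FindOne();
                return (hit == null || hit.Properties["displayName"].Count == 0)
                    ? null : (string)hit.Properties["displayName"][0];
            }
        }
        finally
        {
            // Undo puts the impersonated user back, even if the query throws.
            reverted.Undo();
        }
    }

    // RFC 4515 escaping so user-supplied text cannot alter the LDAP filter.
    private static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        return sb.ToString();
    }
}
```

Reverting only changes which account makes the bind: it helps when the worker process account is itself one the directory accepts, and every query then runs with that account's rights rather than the browser user's.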
 
Scott Allen

Hi Sharon:

What you'll have to do is use an identity that the AD server
understands. Perhaps you could run the worker process under a domain
account with enough permissions in AD?
 
Sharon

No, I can't.
This project is for a very large organization,
and the department that controls the domain users
will never allow it.
As a part of the policy, all users must change their passwords periodically.
So any hard-coded user name and password will eventually fail.
I tried disabling Impersonation, and still login fails.
Thanks.
Sharon.
 
Brock Allen

Then you're in a pickle. You either need to 1) set up a domain user for your
ASP.NET application that has the right creds for your AD, 2) enable the delegation
for your AD users if you're using integrated auth, or 3) switch to using
basic auth (over SSL, of course).
 
Sharon

Thank you Scott & Brock very much.
Maybe I'm in a pickle, but I'm out of the confusion.
Another option I have is to revert to the old DB based app,
but that means rewriting a large portion of the code.
Basic authentication is becoming more and more appealing.
Thanks again.
Sharon.
 
