Impersonating and Windows Authentication

S

subtile

Hi :)

I'm having some trouble with LDAP and Active Directory on Win2k3

I use Windows Authentication and the code
System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
credentials when logged in.

When I create user in AD i get an error. I have 4 scenarioes - one work and
one don't. I'm very confused:

1) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- No credentials are sent together with LDAP string [new
DirectoryEntry("mypath")]

Error message: System.Runtime.InteropServices.COMException: An operations
error occurred.
- I can't read from AD

2) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- Credentials are sent together with LDAP string [new
DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

Error message: An operations error occurred
- I can read from AD

3) Does not work
- <identity impersonate="false"/> in web.config
- I "code-imporsonates" with the _same credentials_ I use for login
- No credentials are sent together with LDAP string

Exception Details: The specified directory service attribute or value does
not exist.
- I can't read from AD

4) Works!
- <identity impersonate="false"/> in web.config
- I "code-imporsonates" with the _same credentials_ I use for login
Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
"username", "password", AuthenticationTypes.Secure);]

What is the difference between <identity impersonate="true"/> in web.config
and manual code impersonation?

What is the correct approch for user to manage AD from asp.net loged in with
Windowd credentials ?
 
B

bruce barker

with ntlm there are two types of authentication tokens, primary and an
impersonation tokens. to access a network resource a primary token is
required as ntlm does not allow credential forwarding (one hop rule).

if you use ntlm in iis and <identity impersonate="true"/> in web.config, the
the client has the primary token, and the web server has only an
impersonation token. it can be used to access local resources but not network
resources.

if your code creates a login token, then it can be converted to primary and
access network resources. you can can also supply a username and password in
the web config and this will be a primary token.

you have a couple options:

1) set <identity impersonate="false"/> and make the app pool service account
a domain account.

2) set <identity impersonate="true"/> switch to kerberos (which supports
forwarding) and enable credentials forwarding on the web server and ad
server.

3) do impersonate in code like you are.

4) <identity impersonate="true"
userName="domain\account"
password="password" />

-- bruce (sqlwork.com)


subtile said:
Hi :)

I'm having some trouble with LDAP and Active Directory on Win2k3

I use Windows Authentication and the code
System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
credentials when logged in.

When I create user in AD i get an error. I have 4 scenarioes - one work and
one don't. I'm very confused:

1) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- No credentials are sent together with LDAP string [new
DirectoryEntry("mypath")]

Error message: System.Runtime.InteropServices.COMException: An operations
error occurred.
- I can't read from AD

2) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- Credentials are sent together with LDAP string [new
DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

Error message: An operations error occurred
- I can read from AD

3) Does not work
- <identity impersonate="false"/> in web.config
- I "code-imporsonates" with the _same credentials_ I use for login
- No credentials are sent together with LDAP string

Exception Details: The specified directory service attribute or value does
not exist.
- I can't read from AD

4) Works!
- <identity impersonate="false"/> in web.config
- I "code-imporsonates" with the _same credentials_ I use for login
Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
"username", "password", AuthenticationTypes.Secure);]

What is the difference between <identity impersonate="true"/> in web.config
and manual code impersonation?

What is the correct approch for user to manage AD from asp.net loged in with
Windowd credentials ?
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Impersonating 2
Windows authentication bug? 7
Compilation error when impersonating 3
User to query ad 0
Windows Authentication 4
Occasional SecurityException when impersonating a user on a new thread 4
web.config and Anonymous Authentication problems ??? 0
ASP.NET Integrated Windows Authentication 2

Members online

Total: 32 (members: 1, guests: 31)
Robots: 263

Forum statistics

Threads
473,756
Messages
2,569,535
Members
45,008
Latest member
obedient dusk

Latest Threads

Top