Impersonating and Windows Authentication

Discussion in 'ASP .Net' started by subtile, Jun 11, 2008.

  1. subtile

    subtile Guest

    Hi :)

    I'm having some trouble with LDAP and Active Directory on Win2k3

    I use Windows Authentication and the code
    System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
    credentials when logged in.

    When I create a user in AD I get an error. I have 4 scenarios - one works and
    one doesn't. I'm very confused:

    1) Does not work
    - <identity impersonate="true"/> in web.config
    - No impersonating by code
    - No credentials are sent together with LDAP string [new
    DirectoryEntry("mypath")]

    Error message: System.Runtime.InteropServices.COMException: An operations
    error occurred.
    - I can't read from AD

    2) Does not work
    - <identity impersonate="true"/> in web.config
    - No impersonating by code
    - Credentials are sent together with LDAP string [new
    DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

    Error message: An operations error occurred
    - I can read from AD

    3) Does not work
    - <identity impersonate="false"/> in web.config
    - I "code-impersonate" with the _same credentials_ I use for login
    - No credentials are sent together with LDAP string

    Exception Details: The specified directory service attribute or value does
    not exist.
    - I can't read from AD

    4) Works!
    - <identity impersonate="false"/> in web.config
    - I "code-impersonate" with the _same credentials_ I use for login
    - Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
    "username", "password", AuthenticationTypes.Secure);]

    What is the difference between <identity impersonate="true"/> in web.config
    and manual code impersonation?

    What is the correct approach for a user to manage AD from ASP.NET logged in with
    Windows credentials?

    --

    Jesus Loves You
     
    subtile, Jun 11, 2008
    #1

  2. bruce barker

    bruce barker Guest

    with ntlm there are two types of authentication tokens, primary and an
    impersonation tokens. to access a network resource a primary token is
    required as ntlm does not allow credential forwarding (one hop rule).

    if you use ntlm in iis and <identity impersonate="true"/> in web.config, the
    client has the primary token, and the web server has only an
    impersonation token. it can be used to access local resources but not network
    resources.

    if your code creates a login token, then it can be converted to primary and
    access network resources. you can also supply a username and password in
    the web config and this will be a primary token.

    you have a couple options:

    1) set <identity impersonate="false"/> and make the app pool service account
    a domain account.

    2) set <identity impersonate="true"/>, switch to kerberos (which supports
    forwarding) and enable credentials forwarding on the web server and ad
    server.

    3) do impersonate in code like you are.

    4) <identity impersonate="true"
    userName="domain\account"
    password="password" />

    -- bruce (sqlwork.com)

     
    bruce barker, Jun 11, 2008
    #2
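As an added illustration of option 3 (impersonating in code), not code from either poster: the snippet below calls LogonUser with an interactive logon type, which yields a primary token rather than the impersonation token the web server holds under `<identity impersonate="true"/>`, wraps it in a WindowsIdentity, and opens a DirectoryEntry while that identity is on the thread, so no username or password has to be passed to the DirectoryEntry constructor. The method name `ReadSamAccountName`, the parameter names and the LDAP path are assumptions made for the example.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): obtain a primary token in code and
// bind to AD under it, instead of relying on the ASP.NET impersonation token.
static class AdImpersonation
{
    // LOGON32_LOGON_INTERACTIVE produces a primary token that can reach
    // network resources such as a domain controller; NETWORK logons do not.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: reads sAMAccountName from the object at ldapPath
    // while impersonating the supplied account. The password is used only for
    // the logon call and is never written to logs or the response.
    public static string ReadSamAccountName(string ldapPath, string domain,
                                            string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 reason (bad credentials, account locked, ...)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Impersonate() puts the token on the current thread; disposing the
            // context calls Undo() so the original identity is always restored.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            // No username/password on the DirectoryEntry: the bind uses the
            // thread's current token, which is now a primary token.
            using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
            {
                return entry.Properties["sAMAccountName"].Value as string;
            }
        }
        finally
        {
            // Always release the logon token handle, even when the bind fails.
            CloseHandle(token);
        }
    }
}
```

Because the token is created by the web application itself, the one-hop limitation Bruce describes for the NTLM impersonation token does not apply; the trade-off is that the application now handles a password, so the credentials should come from protected configuration rather than a literal in code or a plaintext web.config entry.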