problem accessing Active Directory from an ASP.NET App when user has been authenticated via AD certif

Discussion in 'ASP .Net Security' started by Sergio Lera via .NET 247, Apr 6, 2005.

  1. hello,

    I am developing an ASP.NET web application which interacts with AD. Client/User authentication must be done via AD certificate mapping, so I have configured IIS to do UPN mapping:
    -- In the IIS manager ...
    -- in the properties of the web site...
    -- under "directory security"..
    -- under "Secure Communications", select Edit.
    -- select "Require secure channel"; select "require client certificates" and also select "Enable client certificate mapping".

    I think the mapping is done ok, because if I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name (with <identity impersonate="true" /> in web.config file) the result is the user owner of the certificate used to do the client authentication.

    The problem is that then the web application (running under user account credentials) can not access Active Directory via ADSI (using the .NET System.DirectoryServices API). I get an operational error, I think related to authentication.

    The source code of the System.DirectoryServices.DirectoryEntry object creation is something like this:
    DirectoryEntry de = new DirectoryEntry("LDAP://" + [servername] + ":" + [serverport] + "/", null, null, AuthenticationTypes.Secure);

    The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".

    Since certificate mapping is done ok, I suppose the web application is running under the user account credentials... and the user account has got the required permissions to do the operation, but the AD server does not permit the operation.

    I am sure that the user account has got the suitable permissions because if I enable anonymous access in IIS and I use the user account for the anonymous access, the AD server permits the operations.

    Any idea? What could be the problem? Could it be the authentication type? Problems related to impersonation? I am a bit lost...

    Thanks in advance!



    --------------------------------
    From: Sergio Lera

    -----------------------
    Posted by a user from .NET 247 (http://www.dotnet247.com/)

    Sergio Lera via .NET 247, Apr 6, 2005
    #1

  2. This is probably a double hop issue. The security context on the web server
    cannot hop to the AD server, so AD gets your security context as anonymous.

    To fix this, you'll also need Kerberos delegation. Try doing some searches
    on the MS sites to pull down the KBase articles and such.

    You may also need protocol transition to make this work since the initial
    security context was generated by Schannel, not Kerberos, but I'm actually
    not sure about that. I've never done this with certificate mapping. If
    anyone else knows, I'd be happy to hear.

    Joe K.

    Joe Kaplan (MVP - ADSI), Apr 6, 2005
    #2
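    An added illustration of the two binds Joe's reply contrasts (this is not code from the thread). The first method binds with the thread's Schannel-mapped token, which is usually only Impersonation level and so cannot hop to the domain controller; the second obtains a Kerberos token for the mapped user via S4U2Self (protocol transition) and impersonates it for the bind. It assumes the web server's account has constrained delegation to the DC's LDAP service with "Use any authentication protocol" enabled, and "dc01.example.local" and the UPN are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not from the original thread. Placeholder host and UPN below.
public static class AdBindCheck
{
    // Diagnostic: a token mapped from a client certificate is typically
    // TokenImpersonationLevel.Impersonation, not Delegation, which is why the
    // second hop to the DC arrives as anonymous.
    public static TokenImpersonationLevel CurrentLevel()
    {
        return WindowsIdentity.GetCurrent().ImpersonationLevel;
    }

    // Bind using the calling thread's security context (what the original post
    // does). Sealing adds Kerberos encryption of the LDAP traffic.
    public static string BindAsCurrentContext(string ldapPath)
    {
        using (DirectoryEntry de = new DirectoryEntry(ldapPath, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        {
            de.RefreshCache(); // forces the actual LDAP bind to happen here
            return (string)de.Properties["distinguishedName"].Value;
        }
    }

    // Protocol transition: WindowsIdentity(upn) performs an S4U2Self logon and
    // returns a Kerberos-based token for that user; with constrained delegation
    // configured, impersonating it lets the bind reach the DC (S4U2Proxy).
    // upn must be in user@domain form, e.g. taken from the certificate's SAN.
    public static string BindWithProtocolTransition(string ldapPath, string upn)
    {
        using (WindowsIdentity s4u = new WindowsIdentity(upn))
        using (WindowsImpersonationContext ctx = s4u.Impersonate())
        {
            return BindAsCurrentContext(ldapPath);
        }
    }

    public static void Main()
    {
        Console.WriteLine("Token level: " + CurrentLevel());
        string dn = BindWithProtocolTransition("LDAP://dc01.example.local/",
                                               "user@example.local");
        Console.WriteLine("Bound to: " + dn);
    }
}
```

    If the delegation settings are missing, the S4U2Self token is Identification level only and the second bind fails the same way the original post describes, which makes CurrentLevel() a quick way to confirm the diagnosis.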