Sergio Lera via .NET 247
hello,
I am developing an ASP.NET web application which interacts with AD. Client/User authentication must be done via AD certificate mapping, so I have configured IIS to do UPN mapping:
-- In the IIS manager ...
-- in the properties of the web site...
-- under "Directory Security"...
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "Require client certificates" and also select "Enable client certificate mapping".
I think the mapping is done ok, because if I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name (with <identity impersonate="true" /> in the web.config file) the result is the user owner of the certificate used to do the client authentication.
The problem is that then the web application (running under user account credentials) cannot access Active Directory via ADSI (using the .NET System.DirectoryServices API). I get an operational error, I think related with authentication.
The source code of the System.DirectoryServices.DirectoryEntry object creation is something like this:
DirectoryEntry de = new DirectoryEntry("LDAP://" + [servername] + ":" + [serverport] + "/", null, null, AuthenticationTypes.Secure);
The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".
Since certificate mapping is done ok, I suppose the web application is running under the user account credentials... and the user account has got the required permissions to do the operation, but the AD server does not permit to do the operation.
I am sure that the user account has got the suitable permissions because if I enable anonymous access in IIS and I use the user account for the anonymous access, the AD server permits to do the operations.
Any idea? What could be the problem? Could it be the authentication type? Problems related with impersonation? I am a bit lost...
Thanks in advance!
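A diagnostic an engineer would run at this point, added here as an example and not part of the original post: it reports the impersonation level of the token that the certificate mapping produced (a token at Identification level, or one without network credentials, cannot authenticate the second hop from the web server to a remote domain controller) and then forces the same ADSI bind so the exact COM error code is visible. The server name and port are placeholders, and the ImpersonationLevel property assumes .NET 2.0 or later.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic example (not from the original post or the poster's project).
public static class AdBindDiagnostic
{
    // Returns a one-line report of the thread identity, its impersonation level,
    // and the outcome of a Secure bind that relies on that token (no explicit credentials).
    public static string Run(string server, int port)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // Identification: identity only, cannot be used to authenticate to a remote DC.
        // Impersonation: usable on this machine; network hops need the token to carry
        //                credentials (e.g. Kerberos delegation configured for the server).
        // Delegation:    usable for the hop to the directory server.
        string report = "Thread identity: " + id.Name +
                        ", impersonation level: " + id.ImpersonationLevel;

        try
        {
            using (DirectoryEntry de = new DirectoryEntry(
                "LDAP://" + server + ":" + port + "/",
                null, null, AuthenticationTypes.Secure))
            {
                // DirectoryEntry binds lazily; touching NativeObject forces the bind now.
                object forceBind = de.NativeObject;
                return report + ", bind succeeded";
            }
        }
        catch (COMException ex)
        {
            // The HRESULT tells the two cases apart: an access-denied code means the
            // bind authenticated but the account lacks rights; an "operations error"
            // (no usable credentials for the hop) means the token never reached the DC.
            return report + ", bind failed: HRESULT 0x" + ex.ErrorCode.ToString("X8") +
                   " (" + ex.Message + ")";
        }
    }
}
```

Call Run() from the impersonating request (for example from Page_Load) and log the string; comparing the report taken under certificate mapping with the one taken under the anonymous-access configuration the poster describes shows whether the difference is the token's impersonation level rather than the account's directory permissions.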