Webservice To Add User Accounts

J

Jessard

Hi all,

I have a webservice which needs to add user accounts to domain A. In order
to do this, I have set impersonation="true" in the web.config file and
specified the username and password of a domain A user which has permissions
to add users to the domain (A). This orginally worked but now is not and
nothing has changed.

I've looked at discussions and found nothing that has worked. People have
suggested changing the machine.config <processModel> tag but this does not
work as I need the user account to mimic the Domain user which has access to
add the accounts.

Any ideas? I would really like any help.

Thanks,
Jesse
 
J

Joe Kaplan \(MVP - ADSI\)

Probably a Kerberos delegation problem. When you use impersonation and also
use IWA in IIS, you have to have Kerberos delegation working in order for
your credentials to hop fromt he browser to the IIS box to the domain
controller. My guess is that this is not happening consistently and you are
being authenticated as anonymous on the DC which is preventing the write
operation.

You also need to make sure that the client that calls the web sevice has the
correct administrative credentials and is actually passing them through the
web service client proxy, but my guess is that you've already looked into
that and are having the delegation issue I referred to above.

There are lots of good Kerberos delegation links. Here are a few I had
handy.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306158
http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos

Joe K.
 
D

Dominick Baier [DevelopMentor]

Also make sure that your first hop from the client to the web service is
kerberos and not NTLM. That can sometime be tricky and could have to do with
intranet/internet zones in IE.

enable auditing for logon events on the web server and check if the client
is authenticated using kerberos or NTLM. another way to figure that out is
using a sniffer like www.ethereal.com and sniff the auth handshake.

dominick baier - DevelopMentor
www.leastprivilege.com
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,479
Members
44,900
Latest member
Nell636132

Latest Threads

Top