Webservice To Add User Accounts

Discussion in 'ASP .Net Security' started by Jessard, Mar 1, 2005.

  1. Jessard

    Jessard Guest

    Hi all,

    I have a webservice which needs to add user accounts to domain A. In order
    to do this, I have set impersonation="true" in the web.config file and
    specified the username and password of a domain A user which has permissions
    to add users to the domain (A). This originally worked but now is not and
    nothing has changed.

    I've looked at discussions and found nothing that has worked. People have
    suggested changing the machine.config <processModel> tag but this does not
    work as I need the user account to mimic the Domain user which has access to
    add the accounts.

    Any ideas? I would really like any help.

    Thanks,
    Jesse
     
    Jessard, Mar 1, 2005
    #1

  2. Probably a Kerberos delegation problem. When you use impersonation and also
    use IWA in IIS, you have to have Kerberos delegation working in order for
    your credentials to hop from the browser to the IIS box to the domain
    controller. My guess is that this is not happening consistently and you are
    being authenticated as anonymous on the DC which is preventing the write
    operation.

    You also need to make sure that the client that calls the web service has the
    correct administrative credentials and is actually passing them through the
    web service client proxy, but my guess is that you've already looked into
    that and are having the delegation issue I referred to above.

    There are lots of good Kerberos delegation links. Here are a few I had
    handy.

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306158
    http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Mar 1, 2005
    #2

  3. Also make sure that your first hop from the client to the web service is
    Kerberos and not NTLM. That can sometimes be tricky and could have to do with
    intranet/internet zones in IE.

    Enable auditing for logon events on the web server and check if the client
    is authenticated using Kerberos or NTLM. Another way to figure that out is
    using a sniffer like www.ethereal.com and sniffing the auth handshake.

    dominick baier - DevelopMentor
    www.leastprivilege.com


     
    Dominick Baier [DevelopMentor], Mar 2, 2005
    #3
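
Added example, not part of any post in this thread: a Python sketch of the audit-log check suggested in post #3, run over logon events exported as XML, which also flags the anonymous logon described in post #2. It assumes the Event ID 4624 field layout of current Windows versions (older servers log different event IDs); the users and addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, logon_type, package, ip):
    # Builds one constructed event in the Security-log XML layout (sample data only).
    fields = {"TargetUserName": user, "LogonType": logon_type,
              "AuthenticationPackageName": package, "IpAddress": ip}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample: hypothetical users and addresses, not taken from the thread.
SAMPLE = "<Events>" + "".join([
    _event(4624, "jesse", 3, "Kerberos", "10.0.0.21"),
    _event(4624, "jesse", 3, "NTLM", "10.0.0.22"),
    _event(4624, "ANONYMOUS LOGON", 3, "NTLM", "10.0.0.5"),
    _event(4624, "operator", 2, "Negotiate", "127.0.0.1"),  # interactive, ignored
    _event(4634, "jesse", 3, "Kerberos", "10.0.0.21"),      # logoff, ignored
]) + "</Events>"

def network_logons(xml_text):
    """Return (user, source_ip, package) for every successful network logon."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.findall("e:EventData/e:Data", NS)}
        if d.get("LogonType") == "3":  # 3 = network logon
            rows.append((d.get("TargetUserName", ""), d.get("IpAddress", ""),
                         d.get("AuthenticationPackageName", "")))
    return rows

def delegation_findings(xml_text):
    """Flag the two cases the replies warn about: anonymous or non-Kerberos logons."""
    findings = []
    for user, ip, package in network_logons(xml_text):
        if user.upper() == "ANONYMOUS LOGON":
            findings.append((user, ip, "anonymous: no caller identity reached this host"))
        elif package.upper() != "KERBEROS":
            findings.append((user, ip, f"{package}: this hop was not Kerberos"))
    return findings

if __name__ == "__main__":
    for finding in delegation_findings(SAMPLE):
        print(*finding, sep=" | ")
```

Run it against events from the web server to check the first hop, and against events from the domain controller to see whether the web server arrived as the expected user or as anonymous.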
