.net Impersonate with integrated authentication client server problem

[Ajnabi]

Hi,
I build a asp.net web application to update user accounts in Active
Directory (AD). This application works fine on my test server when I
acces the web application on the server it self and update an user
account (using an administrator account).

My settings:
-In all cases I tried with the same Administrator account
-I enabled impersonate in the web.config (<identity impersonate="true"
/>).
-IIS - Windows Integrated Authentication is Active (all others are
inactive)

Here comes the problem I have:
scenario 1:
When I try to run the application from a client machine, I can NOT
update the user account (general access denied error, on the
CommitChanges() method). I tried using the same administrator account
as above!

scenario 2:
I do NOT want to use Basic Authentication for this application, still I
tried to run it with Basic Authentication using the same settings as
above and believe and or not it worked fine.

My questions:
1. Why can't I update an user account from a client machine while this
works fine on the server using the same account?

2. Why does it work using Basic Authentication, while Windows
Authentication fails?

Please help me out with this. I'm really out of clue.
Thanks in advance,
Ajnabi.

 

[Joe Kaplan \(MVP - ADSI\)]

You are experiencing what is known as a "double-hop" issue. If you must use
WIA and impersonation, the only solution to this is Kerberos delegation. I
suggest you read this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

HTH,

Joe K.

 

[Ajnabi]

Joe,
Thanks a lot for your help.
The second link helped me out.
I had to set up the computer "trusted for delegation on the network".
This fixed the problem.

Thanks again,
Ajnabi