Security problems when running code from different machine

John Boghossian

Hi there,

On my development machine I have a virtual root which requires integrated
security and doesn't allow anonymous access, and in my web.config I have
<identity impersonate="true" />.

In here I have a small web app that requests an OU list from AD and presents
it in a grid.
When I run it from my development machine by requesting
http://machine/vroot/page.aspx it works, but when I run it from another
machine's IE and open the page by entering http://machine/vroot/page.aspx
the result is empty.

There is NO runtime error going on, because I have debugged the code and the
directorysearcher.findall just returns an empty result.

Any ideas?
John Boghossian

Actually I have come a bit closer to the problem, but I am not sure what
solution I should implement.

As you indicated there is a problem with authority for the remote client to
run the code. When I tested, the remote user was logged on with the same
account as I use to run it locally. When debugging the code I found that
when the request came from the user requesting the page via localhost its
System.Security.Principal.WindowsIdentity.AuthenticationType is Negotiate,
and when the code is run from a remote client the AuthenticationType is
NTLM.

So as a temporary solution I switch user in code by calling LogonUser in
"advapi32.dll".

I have attached the file clsad.txt which contains the code in question. In
the function createdatatable you will see the call to findall and the
temporary user switching.
Lewis Wang [MSFT]

Hi John,

Thanks for your posting. I am checking this issue, and will get back to you
with my findings.

Best regards,
Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| > Hi John,
| >
| > The webmethod "directorysearcher.findall" may not be able to be accessed
| > from a remote machine. Please open the webservice using IE from another
| > machine, and click the "findall" method. Does the webservice give you any
| > information like: "The test form is only available for requests from the
| > local machine"? Please let me know if I misunderstood your concern, thanks.
| >
| > To resolve this problem, you may add the following lines in web.config:
| >
| > <configuration>
| >   . .
| >   <system.web>
| >     . .
| >     <webServices>
| >       <protocols>
| >         <add name="HttpSoap"/>
| >         <add name="HttpPost"/>
| >         <add name="HttpGet"/>
| >         <add name="Documentation"/>
| >       </protocols>
| >     </webServices>
| >   </system.web>
| > </configuration>
| >
| > The following is an article for your reference.
| > Configuration Options for XML Web Services Created Using ASP.NET
| > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconconfigurationoptionsforaspnetwebservices.asp
| >
| > Hope this helps.
| >
| > Best regards,
| > Lewis
| >
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
Lewis Wang [MSFT]

Hi John,

I am very sorry for the late reply.

The Active Directory (AD) relies on the security mechanism of the Windows
2000 server. To access most information in the AD, you must provide
credentials to the Windows 2000 server when requesting the AD information.
The credentials you provide must be in a primary token, which just means
that the IIS server has a password (not just a hash of the password) to
pass to the AD.

Double-Hop Issue

The double-hop issue is when the ASPX page tries to use resources that are
located on a server that is different from the IIS server. In our case, the
first "hop" is from the web browser client to the IIS ASPX page; the second
hop is to the AD. The AD requires a primary token. Therefore, the IIS
server must know the password for the client to pass a primary token to the
AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS
account credentials are used. This account is not a domain account and has
very limited access to the AD.

The double-hop using a secondary token occurs, for example, when the
browser client is authenticated to the IIS ASPX page by using NTLM
authentication. In this example, the IIS server has a hashed version of the
password as a result of using NTLM. If IIS turns around and passes the
credentials to the AD, IIS is passing a hashed password. The AD cannot
verify the password and, instead, authenticates by using the
NTAUTHORITY\ANONYMOUS LOGON.

On the other hand, if your browser client is authenticated to the IIS ASPX
page by using Basic authentication, the IIS server has the client password
and can make a primary token to pass to the AD. The AD can verify the
password and does authenticate as the domain user.

For more information, you may check the following links.
329986 HOW TO: Use the System.DirectoryServices Namespace in ASP.NET
http://support.microsoft.com/?id=329986

323459 INFO: Using System.DirectoryServices in ASP.NET
http://support.microsoft.com/?id=323459

Hope this helps.

Best regards,
Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.
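As an added example (not the thread's code and not the contents of clsad.txt; it assumes .NET Framework 2.0 or later for WindowsIdentity.ImpersonationLevel, and svcUser/svcPassword are placeholders for a low-privilege service account), here is the check a page can run before DirectorySearcher.FindAll so that the double-hop failure Lewis describes surfaces as a diagnostic instead of an empty grid:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public static class AdQuery
{
    // Explains why the second hop to AD would fail for this token, or returns null
    // if the token can be forwarded. NTLM from a remote browser yields at most an
    // Impersonation-level token; only a Delegation-level token (Kerberos with
    // delegation enabled) can be presented to another server such as AD.
    public static string CheckSecondHop(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous)
            return "request is anonymous; the AD bind would run as NT AUTHORITY\\ANONYMOUS LOGON";
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return String.Format("token for {0} is {1} via {2} and cannot be forwarded to AD",
                                 id.Name, id.ImpersonationLevel, id.AuthenticationType);
        return null;
    }

    // Lists OU names under ldapPath. When the caller's token cannot hop, bind with an
    // explicit low-privilege service account (svcUser/svcPassword are placeholders;
    // keep them in protected configuration, not in source) instead of letting the
    // query silently fall back to the anonymous logon.
    public static List<string> ListOus(string ldapPath, string svcUser, string svcPassword)
    {
        // Under <identity impersonate="true" /> this is the browser user's token.
        string problem = CheckSecondHop(WindowsIdentity.GetCurrent());
        if (problem != null && String.IsNullOrEmpty(svcUser))
            throw new InvalidOperationException("cannot query AD as the caller: " + problem);

        DirectoryEntry root = problem == null
            ? new DirectoryEntry(ldapPath)   // forwardable token: query as the caller
            : new DirectoryEntry(ldapPath, svcUser, svcPassword, AuthenticationTypes.Secure);

        var ous = new List<string>();
        using (root)
        using (var searcher = new DirectorySearcher(root, "(objectClass=organizationalUnit)", new[] { "ou" }))
        using (SearchResultCollection results = searcher.FindAll())
        {
            foreach (SearchResult r in results)
                ous.Add((string)r.Properties["ou"][0]);
        }
        return ous;
    }
}
```

Logging the string returned by CheckSecondHop on each request makes the Negotiate-versus-NTLM difference John observed visible without attaching a debugger.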

--------------------
| Looking forward to seeing if you find any solution for this.
|
| Regards
| Johnny