
Impersonating and Windows Authentication

Hi :-)

I'm having some trouble with LDAP and Active Directory on Win2k3

I use Windows Authentication and the code
System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
credentials when logged in.

When I create a user in AD I get an error. I have 4 scenarios - one works and
one doesn't. I'm very confused:

1) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- No credentials are sent together with LDAP string [new
DirectoryEntry("mypath")]

Error message: System.Runtime.InteropServices.COMException: An operations
error occurred.
- I can't read from AD

2) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- Credentials are sent together with LDAP string [new
DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

Error message: An operations error occurred
- I can read from AD

3) Does not work
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- No credentials are sent together with LDAP string

Exception Details: The specified directory service attribute or value does
not exist.
- I can't read from AD

4) Works!
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
"username", "password", AuthenticationTypes.Secure);]

What is the difference between <identity impersonate="true"/> in web.config
and manual code impersonation?

What is the correct approach for a user to manage AD from asp.net logged in with
Windows credentials?

--

Jesus Loves You
Jun 27 '08 #1
with ntlm there are two types of authentication tokens, primary and
impersonation tokens. to access a network resource a primary token is
required as ntlm does not allow credential forwarding (one hop rule).

if you use ntlm in iis and <identity impersonate="true"/> in web.config,
the client has the primary token, and the web server has only an
impersonation token. it can be used to access local resources but not network
resources.

if your code creates a login token, then it can be converted to primary and
access network resources. you can also supply a username and password in
the web config and this will be a primary token.

you have a couple options:

1) set <identity impersonate="false"/> and make the app pool service account
a domain account.

2) set <identity impersonate="true"/>, switch to kerberos (which supports
forwarding) and enable credentials forwarding on the web server and ad
server.

3) do impersonate in code like you are.

4) <identity impersonate="true"
userName="domain\account"
password="password" />

-- bruce (sqlwork.com)
Jun 27 '08 #2
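The following is an added illustration of bruce's option 3 (impersonate in code), not code from the thread or from either poster. It creates a logon token with the Win32 LogonUser API, which is a primary token that carries the account's credentials, impersonates it, and then binds to AD without passing a username and password to DirectoryEntry; that is the difference between the original poster's scenario 1 (IIS impersonation token, local resources only) and scenario 4. The helper DescribeCurrentToken reports the thread's identity and token level so you can see which token a request is actually running under. The LDAP path, domain, account name and password in Main are constructed placeholders; the API signatures are .NET Framework / Win32 as used in 2008-era ASP.NET.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the thread. Demonstrates creating a primary token in code
// and binding to AD under it, instead of relying on the IIS impersonation token.
public static class AdTokenDemo
{
    // Real Win32 APIs from advapi32/kernel32.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Logon type 8: the resulting token can authenticate to other servers on the network,
    // which is what the IIS impersonation token in scenarios 1 and 2 cannot do.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Describes the token the calling thread currently runs under. Under IIS with NTLM and
    // <identity impersonate="true"/> this reports level Impersonation (local resources only);
    // Delegation is what the Kerberos route (bruce's option 2) yields.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " (level: " + id.ImpersonationLevel + ")";
    }

    // Reads one attribute from AD while running under a primary token for the given account.
    // ldapPath, attribute, domain, user and password are supplied by the caller (placeholders here).
    public static string ReadAttributeAs(string ldapPath, string attribute,
                                         string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 error (bad password, locked account, ...) instead of a vague COMException.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Disposing the context reverts to the app pool identity even if the LDAP call throws.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                Console.WriteLine("Bound to AD as: " + DescribeCurrentToken());

                // No credentials on the DirectoryEntry: the bind uses the impersonated token.
                using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
                {
                    entry.RefreshCache(new string[] { attribute });
                    return entry.Properties[attribute].Value as string;
                }
            }
        }
        finally
        {
            CloseHandle(token); // always release the logon token handle
        }
    }

    // Example call; all values are constructed placeholders, not from the thread.
    public static void Main()
    {
        Console.WriteLine("Before impersonation: " + DescribeCurrentToken());
        string name = ReadAttributeAs("LDAP://CN=Some User,OU=Users,DC=example,DC=local",
                                      "displayName", "EXAMPLE", "svc-adadmin", "<password>");
        Console.WriteLine("displayName = " + name);
    }
}
```

Design note: this route only works because the web application holds the account's cleartext password at request time, which is also its cost. Where that is not acceptable, bruce's option 1 (a domain service account as the app pool identity, with impersonation off) needs no password in code or config, and option 2 (Kerberos with delegation) lets the user's own identity reach AD without the application ever seeing a password.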
