Impersonating and Windows Authentication


subtile

Hi :-)

I'm having some trouble with LDAP and Active Directory on Win2k3

I use Windows Authentication and the code
System.Threading.Thread.CurrentPrincipal.Identity.Name gives me the correct
credentials when logged in.

When I create a user in AD I get an error. I have 4 scenarios - one works and
one doesn't. I'm very confused:

1) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- No credentials are sent together with LDAP string [new
DirectoryEntry("mypath")]

Error message: System.Runtime.InteropServices.COMException: An operations
error occurred.
- I can't read from AD

2) Does not work
- <identity impersonate="true"/> in web.config
- No impersonating by code
- Credentials are sent together with LDAP string [new
DirectoryEntry("mypath", "username", "password", AuthenticationTypes.Secure);]

Error message: An operations error occurred
- I can read from AD

3) Does not work
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- No credentials are sent together with LDAP string

Exception Details: The specified directory service attribute or value does
not exist.
- I can't read from AD

4) Works!
- <identity impersonate="false"/> in web.config
- I "code-impersonate" with the _same credentials_ I use for login
- Credentials are sent together with LDAP string [new DirectoryEntry("mypath",
"username", "password", AuthenticationTypes.Secure);]

What is the difference between <identity impersonate="true"/> in web.config
and manual code impersonation?

What is the correct approach for a user to manage AD from ASP.NET logged in with
Windows credentials?
 
with ntlm there are two types of authentication tokens, primary and
impersonation tokens. to access a network resource a primary token is
required as ntlm does not allow credential forwarding (one hop rule).

if you use ntlm in iis and <identity impersonate="true"/> in web.config, the
client has the primary token, and the web server has only an
impersonation token. it can be used to access local resources but not network
resources.

if your code creates a login token, then it can be converted to primary and
access network resources. you can also supply a username and password in
the web config and this will be a primary token.

you have a couple options:

1) set <identity impersonate="false"/> and make the app pool service account
a domain account.

2) set <identity impersonate="true"/>, switch to kerberos (which supports
forwarding) and enable credentials forwarding on the web server and ad
server.

3) do impersonation in code like you are.

4) <identity impersonate="true"
userName="domain\account"
password="password" />

-- bruce (sqlwork.com)
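The following C# is an added illustration of bruce's option 3 and of the token distinction behind the original scenarios; it is not code from either post. It calls the Win32 LogonUser and DuplicateToken functions directly: a LOGON32_LOGON_NETWORK logon gives the thread an identity for local checks but caches no credentials, so a DirectoryEntry bound under it with no explicit username and password cannot authenticate to AD across the network, while an INTERACTIVE (or NETWORK_CLEARTEXT) logon can. The server name, OU path, account and password are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the thread. All names below are placeholders.
public class AdImpersonationDemo
{
    // Win32 constants used by advapi32!LogonUser / DuplicateToken.
    const int LOGON32_LOGON_INTERACTIVE = 2;   // primary token, credentials cached
    const int LOGON32_LOGON_NETWORK = 3;       // impersonation token, no cached creds
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION = 2;      // SecurityImpersonation level

    public delegate void Work();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existingToken, int impersonationLevel,
                                      out IntPtr newToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Log on with the given credentials and run 'work' while the thread impersonates
    // that account. Both token handles are closed whether or not 'work' throws.
    public static void RunAs(string domain, string user, string password,
                             int logonType, Work work)
    {
        IntPtr token = IntPtr.Zero, impToken = IntPtr.Zero;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity.Impersonate wants an impersonation-level token;
            // DuplicateToken produces one from whatever LogonUser returned.
            if (!DuplicateToken(token, SECURITY_IMPERSONATION, out impToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(impToken))
            {
                work();
            } // Dispose() reverts the thread to the process identity
        }
        finally
        {
            if (impToken != IntPtr.Zero) CloseHandle(impToken);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    // Bind with whatever identity the thread currently carries (no explicit credentials).
    public static string ReadNameAsThread(string ldapPath)
    {
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
            return (string)entry.Properties["name"].Value;
    }

    // Bind with explicit credentials, the form used in the original scenarios 2 and 4.
    public static string ReadNameWithCredentials(string ldapPath, string user, string password)
    {
        using (DirectoryEntry entry =
               new DirectoryEntry(ldapPath, user, password, AuthenticationTypes.Secure))
            return (string)entry.Properties["name"].Value;
    }

    public static void Main()
    {
        string ou = "LDAP://dc01.example.local/OU=Staff,DC=example,DC=local"; // placeholder
        string domain = "EXAMPLE", user = "svc_useradmin", pwd = "<password>";  // placeholders

        // Network logon: the thread impersonates the account, but nothing is cached to
        // authenticate to the DC with, so the bind without explicit credentials fails
        // (typically "An operations error occurred", as in scenario 1).
        try
        {
            RunAs(domain, user, pwd, LOGON32_LOGON_NETWORK,
                  delegate { Console.WriteLine(ReadNameAsThread(ou)); });
        }
        catch (COMException ex) { Console.WriteLine("network logon: " + ex.Message); }

        // Interactive logon: credentials are cached, so the same bind succeeds.
        RunAs(domain, user, pwd, LOGON32_LOGON_INTERACTIVE,
              delegate { Console.WriteLine(ReadNameAsThread(ou)); });

        // Explicit credentials on the DirectoryEntry work regardless of the thread token.
        Console.WriteLine(ReadNameWithCredentials(ou, domain + "\\" + user, pwd));
    }
}
```

Two practical points when choosing among bruce's options. An interactive logon only succeeds if the account holds the "Allow log on locally" right on the web server; LOGON32_LOGON_NETWORK_CLEARTEXT (value 8) also caches credentials and needs only "Access this computer from the network", which is usually the better fit for a service. Options 3 and 4 both mean the application holds a cleartext domain password, so the account should be a dedicated one delegated rights only over the OU it manages, and a password placed in web.config should be protected (on .NET 2.0, `aspnet_regiis -pe "system.web/identity" -app "/MyApp"` encrypts that section with DPAPI); option 1, a domain account for the application pool, avoids handling the password in the application at all.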

 