I think I need Kerberos delegation to pass the security context from the web server to the AD server... Has anybody done this? Can you help me?
 
Thanks a lot!

Roger Seielstad <[EMAIL PROTECTED]> wrote:
Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in:
http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx
 
You might also have to set the computer account to be trusted for delegation (I think that's the setting)  - but I'm not sure.
 

--------
Roger Seielstad
E-mail Geek

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Tuesday, April 05, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

hello list,
 
I am developing an ASP.NET web application which interacts with AD. Client/user authentication must be via AD certificate mapping, so I have configured IIS to do UPN mapping:
-- In the IIS manager ...  
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client certificates" and also select "Enable client certificate mapping".
 
I think the mapping is done OK, because when I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name the result is the user who is the owner of the certificate used to do the client authentication. So, I suppose the web application is running under that user account's credentials.
 
The problem is that I cannot access AD via ADSI (using the .NET DirectoryServices API). I get an operational error related to authentication.
 
The source code of the DirectoryEntry creation is something like this:

using System.DirectoryServices;
DirectoryEntry oDE = new DirectoryEntry("LDAP://" + [servername] + ":" + [serverport] + "/", null, null, AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication.  When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".

The web application is running under a user account which has the required permissions to do the operation, but the AD server must not be permitting the operation.

I am sure that the user account has the suitable permissions because if I enable anonymous access in IIS and use that user account for the anonymous access, the AD server permits the operations.

Any idea? What could be the problem? Could it be the authentication type? Problems related to impersonation? I am a bit lost...

Thanks in advance! ...and sorry for my poor English ;)



zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz

throw new Exception("SoftLera!!!");

zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz




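The reply above points at the "trusted for delegation" setting on the web server's computer account. As an added example (not code from this thread or from any of its authors), the following PowerShell script reads that setting through ADSI, the same API the question binds with, and reports which delegation case the account is in; with $Fix set to $true it writes constrained delegation to the LDAP service of the directory server with protocol transition, which is the variant a logon produced by certificate mapping needs, since the client never presented a Kerberos ticket that could be forwarded. The names are assumptions: the IIS server is WEB01 and the domain controller it binds to is dc01.example.com. The flag values are the documented userAccountControl bits.

```powershell
# Added example, not code from the thread. Inspects (and optionally sets) the
# delegation configuration of the IIS server's computer account via ADSI.
# Hypothetical names: web server WEB01, directory server dc01.example.com.

$ComputerName = 'WEB01'                               # hypothetical IIS server name
$TargetSpns   = @('ldap/dc01.example.com',            # hypothetical SPNs of the DC the app binds to
                  'ldap/dc01.example.com/example.com')
$Fix          = $false                                # $true = write the constrained-delegation settings

# userAccountControl bits (ADS_USER_FLAG_ENUM)
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation: any service, Kerberos clients only
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition: "use any authentication protocol"

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
[void]$searcher.PropertiesToLoad.Add('msDS-AllowedToDelegateTo')

$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $ComputerName`$ not found in $($rootDse.defaultNamingContext)" }

$uac       = [int]$result.Properties['useraccountcontrol'][0]
$allowedTo = @($result.Properties['msds-allowedtodelegateto'])   # empty array when the attribute is not set

$unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
$protoTrans    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
$coversLdap    = @($allowedTo | Where-Object { $_ -like 'ldap/*' }).Count -gt 0

Write-Host "Computer : $($result.Path)"
Write-Host ("UAC      : 0x{0:X}" -f $uac)
Write-Host "AllowedTo: $($allowedTo -join ', ')"

if ($unconstrained) {
    # Security caveat: the web server may reuse any Kerberos client's TGT against ANY service.
    Write-Warning 'Unconstrained delegation is enabled; prefer constrained delegation to the LDAP SPN only.'
} elseif ($protoTrans -and $coversLdap) {
    Write-Host 'Constrained delegation with protocol transition to an LDAP SPN: a certificate-mapped logon can hop to the directory.'
} elseif ($coversLdap) {
    Write-Warning 'Constrained delegation without protocol transition: only clients that authenticated with Kerberos can be delegated; a certificate-mapped logon holds no client ticket, so the bind to AD fails.'
} else {
    Write-Warning 'No delegation configured: the impersonated token cannot be forwarded to the domain controller (double-hop failure).'
}

if ($Fix) {
    $computer = [ADSI]$result.Path
    # ADS_PROPERTY_UPDATE = 2 replaces the whole multi-valued attribute with $TargetSpns
    $computer.PutEx(2, 'msDS-AllowedToDelegateTo', $TargetSpns)
    # Turn on protocol transition and make sure unconstrained delegation stays off
    $newUac = ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION) -band (-bnot $TRUSTED_FOR_DELEGATION)
    $computer.Put('userAccountControl', $newUac)
    $computer.SetInfo()
    Write-Host "Updated $ComputerName`$: constrained delegation to $($TargetSpns -join ', ') with protocol transition."
}
```

Run it on a domain-joined machine; the $Fix branch needs an account allowed to change delegation settings (writing msDS-AllowedToDelegateTo and the delegation bits is restricted to domain admins by default). The computer account is the right object only while the application pool runs as Network Service or Local System; if the pool runs as a domain user, the same attributes go on that user account, and that account must also carry an SPN. Listing only the ldap/ SPN of the directory server, rather than enabling unconstrained delegation, limits what a compromised web server can do with the impersonated identities.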
