I answered you on the Microsoft public newsgroup where you posted the same thing.

 

Like I said, I think you need Kerberos delegation for sure, but you may also need protocol transition in order to get a Kerberos ticket in the first place. This implies 2003 server and 2003 native mode AD.

 

Joe K.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Friday, April 08, 2005 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

 



I think I need Kerberos delegation to pass the security context from the web server to the AD server... has anybody done this? Can you help me?

 

Thanks a lot!

Roger Seielstad <[EMAIL PROTECTED]> wrote:

Taking a wag at it - you're dealing with an impersonation issue. Take a look at the fourth question and answer in:

http://msdn.microsoft.com/msdnmag/issues/05/04/WebQA/default.aspx

 

You might also have to set the computer account to be trusted for delegation (I think that's the setting) - but I'm not sure.

 

--------
Roger Seielstad
E-mail Geek

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of sergio lera
Sent: Tuesday, April 05, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem accessing AD when the user has been authenticated via certificate mapping

Hello list,

 

I am developing an ASP.NET web application which interacts with AD. Client/User authentication must be via AD certificate mapping, so I have configured IIS to do UPN mapping:

-- In the IIS manager ...  

-- in the properties of the web site...

-- under "directory security"..

-- under "Secure Communications", select Edit.

-- select "Require secure channel"; select "require client certificates" and also select "Enable client certificate mapping".

 

I think the mapping is done ok, because when I get the current user by using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name the result is the user who is the owner of the certificate used to do the client authentication. So, I suppose the web application is running under the user account credentials. 

 

The problem is that I cannot access AD via ADSI (using the .NET DirectoryServices API). I get an operational error related to authentication.

 

The source code of the DirectoryEntry creation is something like this:

DirectoryEntry oDE = new DirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/",null,null,AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it requests secure authentication. When the user name and password are a null reference, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating".

The web application is running under a user account that has the required permissions to do the operation, but the AD server must not be permitting the operation.

I am sure that the user account has the suitable permissions because if I enable anonymous access in IIS and use that user account for the anonymous access, the AD server permits the operations.

Any idea? What could be the problem? Could it be the authentication type? Problems related to impersonation? I am a bit lost...

Thanks in advance! ...and sorry for my poor English ;)



zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz

throw new Exception("SoftLera!!!");

zZz-zZz-zZz-zZz-zZz-zZz-zZz-zZz
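An added example, not code from the thread, showing the two things the replies point at: first, log the impersonation level of the request thread's token, since a token that is only at Impersonation level can act as the user on the web server but cannot make the second hop to the domain controller (the "double hop" Roger and Joe describe); second, where the web server's computer account is configured for constrained delegation with protocol transition (the Windows 2003 requirement Joe mentions), obtain a Kerberos-backed identity for the certificate-mapped UPN with the S4U logon and bind under it. Server name, port and the UPN are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the original post. Assumes an ASP.NET page with
// <identity impersonate="true"/> and IIS client-certificate (UPN) mapping, as
// described in the thread. Server name and port are placeholders.
public static class AdBindDiagnostics
{
    const string LdapPath = "LDAP://[servername]:[serverport]/";

    // Report what kind of token the request thread actually holds. A token at
    // TokenImpersonationLevel.Impersonation lets the worker process act as the
    // user locally, but the DC will not accept it for a second hop; only a
    // Delegation-level (Kerberos, delegation-enabled) token can reach AD.
    public static string DescribeCurrentToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("user={0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Plain bind with the thread's own security context, as in the original post.
    // RefreshCache forces the actual LDAP bind, so an authentication failure
    // surfaces here as a COMException rather than later on first property access.
    public static bool BindWithThreadContext()
    {
        using (DirectoryEntry de = new DirectoryEntry(LdapPath, null, null, AuthenticationTypes.Secure))
        {
            try { de.RefreshCache(); return true; }
            catch (System.Runtime.InteropServices.COMException) { return false; }
        }
    }

    // Protocol transition (S4U2Self): ask the KDC for a Kerberos identity for the
    // certificate-mapped UPN, then bind under it. For the bind to succeed the web
    // server's computer account must be trusted for constrained delegation to the
    // DC's LDAP service with "use any authentication protocol" (2003 DC/domain).
    public static bool BindViaProtocolTransition(string upn)
    {
        using (WindowsIdentity s4u = new WindowsIdentity(upn))
        using (WindowsImpersonationContext ctx = s4u.Impersonate())
        {
            return BindWithThreadContext();
        }
    }
}
```

Calling DescribeCurrentToken() from the page under certificate mapping shows whether the token IIS hands the thread is delegatable at all; if it is not, the S4U path (or enabling delegation on the computer account) is the fix rather than changing AuthenticationTypes.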






