
.NET Forum / ASP.NET / Security / October 2004


.net Impersonate with integrated authentication client server problem

Ajnabi - 28 Oct 2004 16:08 GMT
Hi,
I built an ASP.NET web application to update user accounts in Active
Directory (AD). This application works fine on my test server when I
access the web application on the server itself and update a user
account (using an administrator account).

My settings:
- In all cases I tried with the same Administrator account
- I enabled impersonate in the web.config (<identity impersonate="true" />).
- IIS - Windows Integrated Authentication is active (all others are
inactive)

Here comes the problem I have:
scenario 1:
When I try to run the application from a client machine, I can NOT
update the user account (general access denied error, on the
CommitChanges() method). I tried using the same administrator account
as above!

scenario 2:
I do NOT want to use Basic Authentication for this application, still I
tried to run it with Basic Authentication using the same settings as
above and believe it or not it worked fine.

My questions:
1. Why can't I update a user account from a client machine while this
works fine on the server using the same account?

2. Why does it work using Basic Authentication, while Windows
Authentication fails?

Please help me out with this. I'm really out of clues.
Thanks in advance,
Ajnabi.
Joe Kaplan (MVP - ADSI) - 28 Oct 2004 19:09 GMT
You are experiencing what is known as a "double-hop" issue. If you must use
WIA and impersonation, the only solution to this is Kerberos delegation. I
suggest you read this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx


HTH,

Joe K.

> Hi,
> I built an ASP.NET web application to update user accounts in Active
[quoted text clipped - 31 lines]
> Thanks in advance,
> Ajnabi.
Ajnabi - 29 Oct 2004 09:15 GMT
Joe,
Thanks a lot for your help.
The second link helped me out.
I had to set up the computer "trusted for delegation on the network".
This fixed the problem.

Thanks again,
Ajnabi
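
The double-hop behaviour discussed in this thread, as an added example that is not part of the original posts: a small model of when the impersonated call from IIS to AD can succeed, using the documented `userAccountControl` delegation bits. The function name, its parameters and the sample account values are assumptions made for illustration.

```python
# Added example: models why the second hop (web server -> AD) succeeds or fails.
# userAccountControl bit values are the documented Active Directory flags.
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


def second_hop(auth, client_is_server, server_uac=0, user_uac=0):
    """Return (works, reason) for an impersonated call from IIS to AD.

    auth: "Basic", "NTLM" or "Kerberos" (what the browser-to-IIS hop negotiated)
    client_is_server: True when the browser runs on the web server itself
    server_uac / user_uac: userAccountControl of the web server's computer
    account and of the signed-in user (hypothetical inputs, read from AD).
    """
    if auth == "Basic":
        return True, "IIS holds the password and performs a full logon"
    if client_is_server:
        return True, "user logged on at the server, so AD is only one hop away"
    if auth == "NTLM":
        return False, "NTLM token carries no credentials to forward"
    if auth != "Kerberos":
        raise ValueError("unknown authentication package: %r" % auth)
    if not server_uac & TRUSTED_FOR_DELEGATION:
        return False, "server is not trusted for delegation"
    if user_uac & NOT_DELEGATED:
        return False, "user account is marked sensitive, cannot be delegated"
    return True, "Kerberos delegation: server can request tickets as the user"


# Constructed sample values: 0x1000 is WORKSTATION_TRUST_ACCOUNT (a member
# server's computer account), 0x200 is NORMAL_ACCOUNT (a user).
SCENARIOS = [
    ("browser on the server, WIA", "NTLM", True, 0x1000, 0x200),
    ("scenario 1: remote client, WIA", "Kerberos", False, 0x1000, 0x200),
    ("scenario 2: remote client, Basic", "Basic", False, 0x1000, 0x200),
    ("after the fix", "Kerberos", False, 0x1000 | TRUSTED_FOR_DELEGATION, 0x200),
    ("fix, but admin marked sensitive", "Kerberos", False,
     0x1000 | TRUSTED_FOR_DELEGATION, 0x200 | NOT_DELEGATED),
]

if __name__ == "__main__":
    for label, auth, local, s_uac, u_uac in SCENARIOS:
        ok, why = second_hop(auth, local, s_uac, u_uac)
        print("%-34s %-5s %s" % (label, "OK" if ok else "FAIL", why))
```

The `TRUSTED_FOR_DELEGATION` bit set by the fix in this thread is unconstrained delegation: the server can act as any delegable user toward any service, so accounts carrying it are worth tracking, and privileged accounts can be excluded with the `NOT_DELEGATED` flag.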
