.NET Forum / .NET Framework / Security / May 2008


Why must credentials be explicitly given when user is already logged in?

K Kong - 09 May 2008 03:53 GMT
I have the famous General access denied but I can't find someone in a similar
situation.

I am trying to do something very simple: let each user in the company update
his own mobile phone number on a web page.  The web application has Anonymous
off and Integrated Windows authentication.  It works fine retrieving the
user's own data so it means that the user is authenticated and logged in.

However, .CommitChanges() will only work if I instantiate the DirectoryEntry
with explicitly supplied credentials.  WHY?  WHY?  WHY?  This is not
acceptable in my situation as no one would trust a web page that asks for a
password.

My test code is as follows:

    // Code-behind for the test page (C#, ASP.NET 2.0); reference System.DirectoryServices.
    // Label1 and txtboxMobile are the controls declared in the .aspx.
    using System;
    using System.DirectoryServices;
    using System.Web.UI;

    public partial class MobilePage : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // IIS fills AUTH_USER with the Integrated Windows Authentication name (domain\userid).
            string samid = Request.ServerVariables["AUTH_USER"];
            // converts domain\userid to userid
            samid = samid.Substring(samid.IndexOf(@"\") + 1);

            // Binding with explicitly supplied credentials: this WORKS.
            DirectoryEntry searchRoot =
                new DirectoryEntry(@"LDAP://DC=mydomain,DC=local",
                                   "thisuser", "password", AuthenticationTypes.Secure);

            // The following WON'T WORK at the CommitChanges() line
            // (no credentials given, so the bind uses the worker-process identity):
            //DirectoryEntry searchRoot =
            //    new DirectoryEntry(@"LDAP://DC=mydomain,DC=local");

            using (searchRoot)
            {
                // samid comes from IIS, not from the browser user, so it is used as-is here.
                DirectorySearcher searcher =
                    new DirectorySearcher(searchRoot,
                                          "(sAMAccountName=" + samid + ")",
                                          new string[] { "displayName", "mobile" });
                SearchResult found = searcher.FindOne();
                if (found == null)
                {
                    Label1.Text = "User not found in the directory.";
                    return;
                }

                using (DirectoryEntry result = found.GetDirectoryEntry())
                {
                    Label1.Text = result.Properties["displayName"].Value as string;
                    // "mobile" is empty for users who have never set a number; [0] would throw.
                    txtboxMobile.Text = result.Properties["mobile"].Count > 0
                        ? result.Properties["mobile"][0].ToString()
                        : string.Empty;
                    // Single-valued attribute: setting Value also works when it was empty.
                    result.Properties["mobile"].Value = "00000000";
                    result.CommitChanges();
                }
            }
        }
    }

The user definitely has rights to change mobile number as GALMOD32 works fine.

Thanks in advance
Joe Kaplan - 09 May 2008 15:05 GMT
If you want to use integrated auth in IIS, you must also enable
impersonation in ASP.NET AND you must enable Kerberos delegation to give the
ASP.NET worker process identity rights to delegate the user's credentials to
Active Directory.

I suggest doing a few searches on Kerberos delegation to get you started.
It is a frequently discussed topic.

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
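Concretely, the ASP.NET half of what Joe describes is two settings in web.config. The fragment below is an added example for this thread, not configuration from either poster; the <authorization> element is an extra check that is assumed rather than stated above, and the comments assume an IIS 6 / ASP.NET 2.0 site with Anonymous access turned off in IIS.

```xml
<!-- web.config: make the request thread run as the IWA-authenticated browser user -->
<configuration>
  <system.web>
    <!-- Accept the Windows identity that IIS established via Integrated Windows Authentication -->
    <authentication mode="Windows" />

    <!-- Impersonate that identity on the request thread instead of running as the
         worker-process account (NT AUTHORITY\NETWORK SERVICE by default on IIS 6).
         Without this line, every DirectoryEntry created with no credentials binds as
         the process account, which is what the thread starter is seeing. -->
    <identity impersonate="true" />

    <!-- Refuse anonymous requests at the ASP.NET layer too, so a misconfigured
         IIS directory cannot silently turn the whole app into an anonymous caller -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Impersonation only changes which token the request thread holds. Whether that token can be used to authenticate to a domain controller on another machine (the second hop) is decided in Active Directory, on the account whose credentials IIS presents to the DC. For an app pool running as NETWORK SERVICE that is the web server's computer object: its Delegation tab in Active Directory Users and Computers must allow delegation (unconstrained, or to the specific DC services with a Windows Server 2003 domain functional level), and the browser must reach the site by a name that maps to an SPN the computer account owns (HOST/fqdn covers HTTP by default) so that Kerberos rather than NTLM is negotiated. That computer-object change is the part that needs a domain administrator.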
K Kong - 09 May 2008 18:14 GMT
Thanks for replying.  Can I just clarify one thing: the web user is already  
successful in retrieving information from AD.  Doesn't that mean he is
already authenticated?

kk

Joe Kaplan - 09 May 2008 18:45 GMT
It is most likely that authentication was successful as something, although
that is not necessarily true.  However, if impersonation was not enabled in
web.config, that would mean that you are authenticating as the process
account instead of the account of the authenticated browser user.  You can
find out the account you are attempting to use by examining the value
returned by System.Security.Principal.WindowsIdentity.GetCurrent().Name.

I say "not necessarily" here because it depends on a bunch of factors.  With
Win2K3+ AD, authentication is required by default to perform any operations.
You get an "operations error" if you attempt an operation such as a search
and are not authenticated.  However, that can be disabled.  If using Win2K
AD, authentication is not required by default, so if you accidentally
authenticate as anonymous you can still perform some operations.  However,
you usually can't see much in the directory because anonymous users don't
have much read access.  Once again though, those permissions can all be
changed as well.

So, the bottom line is that without knowing all the details of both your app
and your AD infrastructure, I can't tell you for sure what is happening.  I
can say for sure that Kerberos delegation IS required for the web app to
forward the credentials of the user authenticated via IWA to a remote
resource.

K Kong - 10 May 2008 16:04 GMT
Thank you.  I understand now.  The browser is having the credentials of
userA.  The web server authenticates against some domain controller that the
browser is indeed userA.  But the web server is still running as NT
AUTHORITY\NETWORK SERVICE.  The mobile number request is retrieved by NETWORK
SERVICE, which is permitted. Earlier I was mistaken that the credentials of
userA are passed through to the domain controller.  That requires Kerberos
delegation as you have pointed out. And from what I read, Kerberos delegation
requires the domain administrators to come in and permit trust.  So it's not
something I could spring as a surprise on everyone in the company. :(

While we are on this, what is NT AUTHORITY\NETWORK SERVICE?  I can't find
the NT AUTHORITY folder nor the user NETWORK SERVICE in ADUC although it is
available when I am assigning access rights to a file.

Thanks.

Joe Kaplan - 11 May 2008 17:30 GMT
NETWORK SERVICE is a built-in account introduced as of WinXP that is used to
run services.  It has a counterpart called LOCAL SERVICE.  They are both
intended to be used instead of the SYSTEM account for services that do not
need full system privileges, as this reduces the attack surface of the
machine.

The key difference between network service and local service is that network
service has network credentials (like the system account) and local service
does not.  Thus when network service (or system) accesses the network, it
uses the credentials of the machine account.  For a domain joined machine,
this is the domain computer account for the machine.

So, when you are not impersonating (basically just using the IIS process/app
pool identity) to access the directory, the net result is that your query to
AD executes with the privileges of the computer account which generally has
the same read privileges of a normal user.

HTH,

Joe K.
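Joe's two posts above (the GetCurrent().Name check, and the explanation that NETWORK SERVICE shows up on the network as the computer account) together give a practical test to run inside the page before touching DirectoryEntry: compare the account the thread is running as with the browser user, and if they match, look at the token's impersonation level, because only a Delegation-level token survives the hop to a domain controller on another machine. The helper below is an added example written for this thread, not code from either poster; the class name, the message texts and the assumption of a domain-joined IIS 6 server whose app pool runs as NETWORK SERVICE are all mine.

```csharp
// Added diagnostic helper for this thread (not the poster's or Joe's code).
// Assumes ASP.NET 2.0 on a domain-joined IIS 6 server; names and messages are invented here.
using System;
using System.Security.Principal;
using System.Web;

public static class DirectoryCallerDiagnostics
{
    // Pure classification so the three cases can be read without a live request.
    // threadUser: WindowsIdentity.GetCurrent().Name on the request thread
    // browserUser: the account IIS authenticated via Integrated Windows Authentication
    // level: impersonation level of the thread token
    // machineName: Environment.MachineName of the web server
    public static string Classify(string threadUser, string browserUser,
                                  TokenImpersonationLevel level, string machineName)
    {
        if (!string.Equals(threadUser, browserUser, StringComparison.OrdinalIgnoreCase))
        {
            // Not impersonating: a DirectoryEntry created without credentials binds as the
            // worker-process account. NETWORK SERVICE (and SYSTEM) present the computer
            // account, DOMAIN\MACHINE$, on the network, which reads like a normal user but
            // has no right to write another user's attributes: reads succeed, CommitChanges fails.
            return "Not impersonating. DirectoryEntry binds as " + threadUser +
                   "; the domain controller will see " + machineName + "$ (computer account), not " +
                   browserUser + ". Enable <identity impersonate=\"true\"/> in web.config.";
        }

        if (level == TokenImpersonationLevel.Delegation)
        {
            // Kerberos delegation is in effect: the user's ticket can be forwarded to the DC.
            return "Impersonating " + threadUser + " with a Delegation token: binds to a " +
                   "remote domain controller run as this user.";
        }

        // Impersonation (or Identification) level: usable for local resources only. The token
        // cannot be used to authenticate to the DC, so the bind arrives as an anonymous
        // (NULL session) caller, which a Windows Server 2003 DC rejects by default.
        return "Impersonating " + threadUser + " but the token level is " + level +
               ": a bind to a remote domain controller will NOT carry this user. " +
               "Kerberos delegation must be enabled for the web server's computer account.";
    }

    // Request-time wrapper: call from Page_Load and log or display the result.
    public static string DescribeDirectoryCaller(HttpContext ctx)
    {
        string browserUser = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : "(anonymous)";

        WindowsIdentity current = WindowsIdentity.GetCurrent();
        return Classify(current.Name, browserUser, current.ImpersonationLevel,
                        Environment.MachineName);
    }
}
```

The thread starter's symptoms (reads work, CommitChanges is denied, explicit credentials fix it) match the first branch: WindowsIdentity.GetCurrent().Name on that page will be NT AUTHORITY\NETWORK SERVICE. Once impersonation is switched on, the same page will report the third branch until delegation is granted in AD, and at that point the read may stop working as well, because an Impersonation-level token cannot complete the bind to a remote DC at all.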
