accessing Active Directory

"reda" <r***@discussions.microsoft.com> wrote in message news:70D7BC57-F466-408E-A6A6-C1A18A8FABAE@microsoft.com...

Hi all,

I am developing an ASP.NET application using Windows authentication from Active Directory on a local area network. The domain controller is not on the same machine as IIS. When trying to get the display name of the logged-in user I get an error if I try remotely, even if the user is logged in, but it works fine locally on the web server.

I am new to using the DirectoryServices namespace and don't find any document that discusses how to implement an application like that using Active Directory hosted on another server.

This is my code:

    using System.DirectoryServices;

    // Search root is the Users container of the TAC.LOCAL domain.
    DirectorySearcher ds = new DirectorySearcher();
    ds.SearchRoot = new DirectoryEntry("LDAP://CN=users,DC=TAC,DC=local");
    string filter = "";
    filter += FormFilter("user", userName);   // FormFilter: the poster's own helper, not shown
    filter = "(|" + filter + ")";
    ds.Filter = filter;
    ds.PropertiesToLoad.Add("*");
    // This call fails with "An Operations error occurred" when run remotely.
    System.DirectoryServices.SearchResult res = ds.FindOne();

In the last line I get "An Operations error occurred".

Both the web server and the domain controller are Windows 2003 and the domain name is TAC.LOCAL.

Can anybody help me?

Regards,

"Joe Kaplan (MVP - ADSI)" wrote:

This is a double hop issue. Essentially, the security token can go "one hop" from either the browser to the web server or directly from the web server to the AD if the browser was run from the local server, but it can't go two hops from the browser to the web server to the AD.

If you really must access AD with the security context of the current user and you want to use IWA authentication in the web site, you need to also implement Kerberos delegation to overcome the double hop limitation.

http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

If you don't need to use the authenticated user's security context to access AD, then you can use a service account instead. If you specify credentials or change the worker process to use a domain account and disable impersonation, you can do this instead. This article has some suggestions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Joe K.

"reda" <r***@discussions.microsoft.com> wrote in message news:8AF035F8-16E9-4DFE-884A-01820A9E6368@microsoft.com...

Dear Joe,
Thank you for your help.

I found the document and tried to apply the delegation in the Active Directory. First I made the user accounts trusted for delegation (not sensitive, and can be delegated); then I made the web server computer trusted for delegation.

But I still have the same error!! Are there any other settings that should take place in the Active Directory or on the web server itself?

Thank you,

"Joe Kaplan (MVP - ADSI)" wrote:

I think the best thing to do is follow the standard procedures for troubleshooting Kerberos delegation errors:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Additionally, I'd recommend reading the article in the latest MSDN magazine that Keith Brown wrote on delegation and troubleshooting. I'm not sure if it's online yet, but it is in the recent issue that was mailed to subscribers. It should be live soon regardless.

Also, I think Dominick (who posts here often) has some Kerberos delegation troubleshooting steps on his blog at www.leastprivilege.com.

Joe K.
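An added example, not code from either poster: the service-account bind Joe's first reply suggests (explicit credentials, so no delegation is needed), a check of the current token's impersonation level that shows whether the delegation setup discussed in the later posts has actually taken effect, and RFC 4515 escaping for the userName the original code concatenates into the LDAP filter. It assumes .NET 2.0 or later, the TAC.LOCAL domain and CN=users path from the thread, hypothetical svcUser/svcPassword parameters supplied by the caller, and that userName is the sAMAccountName without the domain prefix.

```csharp
// Added example (not the poster's or Joe's code). Assumes .NET 2.0+, the TAC.LOCAL
// domain from the thread, and a service account whose credentials the caller reads
// from protected configuration (svcUser/svcPassword are hypothetical names).
using System;
using System.DirectoryServices;
using System.Security.Principal;

static class AdLookup
{
    // RFC 4515 escaping for a value spliced into an LDAP filter, so a userName such
    // as "*)(objectClass=*" is matched literally instead of rewriting the query.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) return "";
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // True only when the thread's token may be forwarded to another host. Under IWA
    // with impersonation but without Kerberos delegation the level is Impersonation,
    // which is why the search fails on the second hop (IIS -> DC) but works locally.
    public static bool TokenCanHop()
    {
        return WindowsIdentity.GetCurrent().ImpersonationLevel
               == TokenImpersonationLevel.Delegation;
    }

    // Service-account variant: bind with explicit credentials instead of the
    // impersonated user. userName is the sAMAccountName (strip the "TAC\" prefix
    // from User.Identity.Name before calling).
    public static string GetDisplayName(string userName, string svcUser, string svcPassword)
    {
        string path = "LDAP://CN=users,DC=TAC,DC=local";
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(userName) + "))";
        using (DirectoryEntry root = new DirectoryEntry(path, svcUser, svcPassword,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (DirectorySearcher ds = new DirectorySearcher(
                   root, filter, new string[] { "displayName" }))
        {
            SearchResult res = ds.FindOne();
            if (res == null || res.Properties["displayName"].Count == 0) return null;
            return (string)res.Properties["displayName"][0];
        }
    }
}
```

Calling TokenCanHop() from the page while the impersonated request is running tells you whether the delegation settings have propagated; GetDisplayName() works regardless, because the bind never relies on the browser user's token.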