Re: Double hop reloaded



Then you're in a pickle. You either need to 1) set up a domain user for your ASP.NET application that has the right creds for your AD, 2) enable the delegation for your AD users if you're using integrated auth, or 3) switch to using basic auth (over SSL, of course).

-Brock
DevelopMentor
http://staff.develop.com/ballen



No, I can't.
This project is for a very large organization,
and the department that controls the domain users
will never allow it.
As a part of the policy, all users must change their passwords
periodically.
So any hard-coded user name and password will eventually fail.
I tried disabling Impersonation, and still login fails.
Thanks.
Sharon.
"Scott Allen" <scott@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:3kvn41hbe3npv05n25mki022qg2a0tnda7@xxxxxxxxxx

Hi Sharon:

What you'll have to do is use an identity that the AD server
understands. Perhaps you could run the worker process under a domain
account with enough permissions in AD?

--
Scott
http://www.OdeToCode.com/blogs/scott/
On Thu, 31 Mar 2005 13:29:58 +0200, "Sharon" <sharon@xxxxxxxxx>
wrote:

Thanks Scott.
This is a "bit" confusing.
As I understand it so far, delegation is only possible using Kerberos,
and all users in Active Directory have to be marked for delegation.
Unfortunately, the fruit basket will not work here, and I've ruled out
pumping laughter gas into the IT room ventilation system.
What if I revert to the IIS identity before the Active Directory query?
Problem is, how do I get the WindowsImpersonationContext, to call the Undo
method?
The only other solution is to use Basic authentication, which I don't
like.

Sharon.

"Scott Allen" <scott@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:n84m41p0vmrvmegj4rnmrr10go4lsv65a5@xxxxxxxxxx

Yes, I have some links to delegation resources on my blog:

http://odetocode.com/Blogs/scott/archive/2005/02/24/1053.aspx

--
Scott
http://www.OdeToCode.com/blogs/scott/
On Wed, 30 Mar 2005 22:32:02 +0200, "Sharon" <sharon@xxxxxxxxx>
wrote:

Hi to all.
I'm using impersonation, combined with Windows authentication.
When the page tries to connect to Active Directory,
I get a login failure, due to the double hop issue.
As I understand it, IIS does not receive a
primary token, so how can I authenticate against Active Directory?
Is it possible to delegate, when using impersonation and Windows
authentication?
Thanks.
Sharon.
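
The revert-then-restore pattern asked about in the thread, as an added example that is not code from any of the posters: `WindowsIdentity.Impersonate(IntPtr.Zero)` drops the impersonated caller and returns the `WindowsImpersonationContext` whose `Undo` restores it. The class name, helper names and the `ldapPath` parameter are hypothetical, and it assumes the worker process runs under an account the AD server accepts.

```csharp
// Added example, not from the thread. .NET Framework; reference System.DirectoryServices.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class DirectoryLookup
{
    // Hypothetical helper: reads a user's displayName from AD as the
    // worker-process identity rather than as the impersonated caller.
    // Assumption: the process account is one the AD server accepts.
    public static string GetDisplayName(string ldapPath, string samAccountName)
    {
        // Impersonate(IntPtr.Zero) is equivalent to Win32 RevertToSelf. The
        // returned context remembers the identity that was being impersonated.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(ldapPath))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                                  + EscapeFilterValue(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("displayName");
                SearchResult hit = searcher.FindOne();
                if (hit == null || hit.Properties["displayName"].Count == 0)
                    return null;
                return (string)hit.Properties["displayName"][0];
            }
        }
        finally
        {
            // Undo() puts the caller's impersonation token back on the thread.
            reverted.Undo();
        }
    }

    // Escape LDAP filter metacharacters (RFC 4515) so input cannot alter the filter.
    private static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }
}
```

While reverted, the query runs with the process account's directory rights, so any authorization check on the calling user has to happen before the revert.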


