Ureader.com  
Microsoft software help and Community
date: Thu, 8 May 2008 19:53:00 -0700, group: microsoft.public.dotnet.security


Why must credentials be explicitly given when user is already logge
I have the famous General access denied but I can't find someone in a similar 
situation.

I am trying to do something very simple: let each user in the company update 
his own mobile phone number on a web page.  The web application has Anonymous 
off and Integrated Windows authentication.  It works fine retrieving the 
user's own data so it means that the user is authenticated and logged in.

However, .CommitChanges() will only work if I instantiate the DirectoryEntry 
with explicitly supplied credentials.  WHY?  WHY?  WHY?  This is not 
acceptable in my situation as no one would trust a web page that asks for a 
password. 

My test code is as follows:

    // Requires: using System.DirectoryServices;
    protected void Page_Load(object sender, EventArgs e)
    {
        // AUTH_USER is filled in by IIS once Integrated Windows authentication succeeds
        string samid = Request.ServerVariables["AUTH_USER"];
        // converts domain\userid to userid
        samid = samid.Substring(samid.IndexOf(@"\") + 1);

        // Binding with explicitly supplied credentials works:
        DirectoryEntry searchRoot =
            new DirectoryEntry(@"LDAP://DC=mydomain,DC=local",
                               "thisuser", "password", AuthenticationTypes.Secure);

        // The following WON'T WORK at the CommitChanges() line:
        //DirectoryEntry searchRoot =
        //    new DirectoryEntry(@"LDAP://DC=mydomain,DC=local");

        using (searchRoot)
        using (DirectorySearcher searcher =
                   new DirectorySearcher(searchRoot,
                                         "(sAMAccountName=" + samid + ")",
                                         new string[] { "displayName", "mobile" }))
        {
            SearchResult found = searcher.FindOne();
            if (found == null)
            {
                // FindOne() returns null rather than throwing when nothing matches
                Label1.Text = "Account not found: " + samid;
                return;
            }

            using (DirectoryEntry result = found.GetDirectoryEntry())
            {
                Label1.Text = result.Properties["displayName"].Value as string;
                // .Value is null when the attribute is unset; indexing [0] would throw
                txtboxMobile.Text = result.Properties["mobile"].Value as string;
                result.Properties["mobile"].Value = "00000000";
                result.CommitChanges();   // "General access denied" here without explicit credentials
            }
        }
    }


The user definitely has rights to change mobile number as GALMOD32 works fine.

Thanks in advance
date: Thu, 8 May 2008 19:53:00 -0700   author:   K Kong

Re: Why must credentials be explicitly given when user is already logge
If you want to use integrated auth in IIS, you must also enable 
impersonation in ASP.NET AND you must enable Kerberos delegation to give the 
ASP.NET worker process identity rights to delegate the user's credentials to 
Active Directory.

I suggest doing a few searches on Kerberos delegation to get you started. 
It is a frequently discussed topic.

Joe K.
-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"K Kong"  wrote in message 
news:25588344-1824-4DA3-800F-6B7837EBE305@microsoft.com...
>I have the famous General access denied but I can't find someone in a 
>similar
> situation.
>
> I am trying to do something very simple: let each user in the company 
> update
> his own mobile phone number on a web page.  The web application has 
> Anonymous
> off and Integrated Windows authentication.  It works fine retrieving the
> user's own data so it means that the user is authenticated and logged in.
>
> However, .CommitChanges() will only work if I instantiate the 
> DirectoryEntry
> with explicitly supplied credentials.  WHY?  WHY?  WHY?  This is not
> acceptable in my situation as no one would trust a web page that asks for 
> a
> password.
>
> My test code is as follows:
>
>    protected void Page_Load(object sender, EventArgs e)
>    {
>        string samid = Request.ServerVariables["AUTH_USER"];
>       //converts domain\userid to userid
>        samid = samid.Substring(samid.IndexOf(@"\") + 1);
>
>        DirectoryEntry searchRoot =
>            new DirectoryEntry(@"LDAP://DC=mydomain,DC=local",
>
> "thisuser","password",AuthenticationTypes.Secure);
>
>       //The following WON'T WORK at the CommitChanges() line:
>       //DirectoryEntry searchRoot =
>       //     new DirectoryEntry(@"LDAP://DC=mydomain,DC=local");
>
>
>        using (searchRoot)
>        {
>            DirectorySearcher searcher =
>              new DirectorySearcher(searchRoot, "(sAMAccountName=" + samid 
> +
> ")",
>                                                new string[] {
> "displayName", "mobile" });
>            using (DirectoryEntry result =
> searcher.FindOne().GetDirectoryEntry())
>            {
>                Label1.Text = result.Properties["displayName"].Value as
> string;
>                txtboxMobile.Text = 
> result.Properties["mobile"][0].ToString();
>                result.Properties["mobile"][0] = "00000000";
>                result.CommitChanges();
>            }
>        }
> }
>
>
> The user definitely has rights to change mobile number as GALMOD32 works 
> fine.
>
> Thanks in advance
>
date: Fri, 9 May 2008 09:05:52 -0500   author:   Joe Kaplan

Re: Why must credentials be explicitly given when user is already l
Thanks for replying.  Can I just clarify one thing: the web user is already  
successful in retrieving information from AD.  Doesn't that mean he is 
already authenticated?

kk

"Joe Kaplan" wrote:

> If you want to use integrated in auth in IIS, you must also enable 
> impersonation in ASP.NET AND you must enable Kerberos delegation to give the 
> ASP.NET worker process identity rights to delegate the user's credentials to 
> Active Directory.
> 
> I suggest doing a few searches on Kerberos delegation to get you started. 
> It is a frequently discussed topic.
> 
> Joe K.
> --
date: Fri, 9 May 2008 10:14:01 -0700   author:   K Kong

Re: Why must credentials be explicitly given when user is already l
It is most likely that authentication was successful as something, although 
that is not necessarily true.  However, if impersonation was not enabled in 
web.config, that would mean that you are authenticating as the process 
account instead of the account of the authenticated browser user.  You can 
find out the account you are attempting to use by examining the value 
returned by System.Security.Principal.WindowsIdentity.GetCurrent().Name.

I say "not necessarily" here because it depends on a bunch of factors.  With 
Win2K3+ AD, authentication is required by default to perform any operations. 
You get an "operations error" if you attempt an operation such as a search 
and are not authenticated.  However, that can be disabled.  If using Win2K 
AD, authentication is not required by default, so if you accidentally 
authenticate as anonymous you can still perform some operations.  However, 
you usually can't see much in the directory because anonymous users don't 
have much read access.  Once again though, those permissions can all be 
changed as well.

So, the bottom line is that without knowing all the details of both your app 
and your AD infrastructure, I can't tell you for sure what is happening.  I 
can say for sure that Kerberos delegation IS required for the web app to 
forward the credentials of the user authenticated via IWA to a remote 
resource.

-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"K Kong"  wrote in message 
news:226FE61A-513A-46D4-B543-B84BEDEFE910@microsoft.com...
> Thanks for replying.  Can I just clarify one thing: the web user is 
> already
> successful in retrieving information from AD.  Doesn't that mean he is
> already authenticated?
>
> kk
>
> "Joe Kaplan" wrote:
>
>> If you want to use integrated in auth in IIS, you must also enable
>> impersonation in ASP.NET AND you must enable Kerberos delegation to give 
>> the
>> ASP.NET worker process identity rights to delegate the user's credentials 
>> to
>> Active Directory.
>>
>> I suggest doing a few searches on Kerberos delegation to get you started.
>> It is a frequently discussed topic.
>>
>> Joe K.
>> --
date: Fri, 9 May 2008 12:45:06 -0500   author:   Joe Kaplan
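As an added example (not code from this thread) of the check Joe suggests, and of the two conditions from his first reply: a small diagnostic for the page's code-behind that compares the user IIS authenticated with the identity the request thread actually runs as, and reports whether `<identity impersonate="true" />` is in effect and whether the resulting token is one AD on another machine would accept. `IdentityDiagnostics`, `Report`, `Inspect` and `Explain` are my names.

```csharp
// Added diagnostic, not from the thread. Drop into an ASP.NET (.NET Framework)
// web project and call Explain(Inspect(Context)) from Page_Load.
using System;
using System.Security.Principal;
using System.Web;

public static class IdentityDiagnostics
{
    public sealed class Report
    {
        public string AuthenticatedUser;       // what IIS/IWA authenticated (HttpContext.User)
        public string ExecutingIdentity;       // WindowsIdentity.GetCurrent().Name
        public bool Impersonating;             // true when the two names match
        public TokenImpersonationLevel Level;  // Delegation is needed to reach a remote DC
    }

    public static Report Inspect(HttpContext context)
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Report r = new Report();
        r.AuthenticatedUser = context.User.Identity.Name;
        r.ExecutingIdentity = current.Name;
        r.Impersonating = string.Equals(r.AuthenticatedUser, r.ExecutingIdentity,
                                        StringComparison.OrdinalIgnoreCase);
        r.Level = current.ImpersonationLevel;
        return r;
    }

    public static string Explain(Report r)
    {
        if (!r.Impersonating)
        {
            // Without <identity impersonate="true" /> under <system.web>, AD sees the
            // app pool account (e.g. the machine account for NETWORK SERVICE), not the user.
            return "Not impersonating: directory calls run as " + r.ExecutingIdentity +
                   ", not " + r.AuthenticatedUser + ". Enable impersonation in web.config.";
        }
        if (r.Level != TokenImpersonationLevel.Delegation)
        {
            // An Impersonation-level token is good on this box only; a DC on another
            // machine sees an anonymous or failed bind, hence access denied on CommitChanges.
            return "Impersonating " + r.AuthenticatedUser + " but token level is " + r.Level +
                   "; Kerberos delegation for the worker process identity is required.";
        }
        return "Impersonating " + r.AuthenticatedUser + " with a delegatable token.";
    }
}
```

If the browser falls back to NTLM instead of Kerberos, the level will never be Delegation even with delegation configured, so the report also flags that case.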

Re: Why must credentials be explicitly given when user is already l
Thank you.  I understand now.  The browser has the credentials of 
userA.  The web server authenticates against some domain controller that the 
browser is indeed userA.  But the web server is still running as NT 
AUTHORITY\NETWORK SERVICE.  The mobile number request is retrieved by NETWORK 
SERVICE, which is permitted. Earlier I was mistaken that the credentials of 
userA are passed through to the domain controller.  That requires Kerberos 
delegation as you have pointed out. And from what I read, Kerberos delegation 
requires the domain administrators to come in and permit trust.  So it's not 
something I could spring as a surprise on everyone in the company. :(

While we are on this, what is NT AUTHORITY\NETWORK SERVICE?  I can't find 
the NT AUTHORITY folder nor the user NETWORK SERVICE in ADUC although it is 
available when I am assigning access rights to a file.

Thanks.

"Joe Kaplan" wrote:

> It is most likely that authentication was successful as something, although 
> that is not necessarily true.  However, if impersonation was not enabled in 
> web.config, that would mean that you are authenticating as the process 
> account instead of the account of the authenticated browser user.  You can 
> find out the account you are attempting to use by examining the value 
> returned by System.Security.Principal.WindowsIdentity.GetCurrent().Name.
> 
> I say "not necessarily" here because it depends on a bunch of factors.  With 
> Win2K3+ AD, authentication is required by default to perform any operations. 
> You get an "operations error" if you attempt an operation such as a search 
> and are not authenticated.  However, that can be disabled.  If using Win2K 
> AD, authentication is not required by default, so if you accidentally 
> authenticate as anonymous you can still perform some operations.  However, 
> you usually can't see much in the directory because anonymous users don't 
> have much read access.  Once again though, those permissions can all be 
> changed as well.
> 
> So, the bottom line is that without knowing all the details of both your app 
> and your AD infrastructure, I can't tell you for sure what is happening.  I 
> can say for sure that Kerberos delegation IS required for the web app to 
> forward the credentials of the user authenticated via IWA to a remote 
> resource.
> 
> -- 
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
date: Sat, 10 May 2008 08:04:00 -0700   author:   K Kong

Re: Why must credentials be explicitly given when user is already l
NETWORK SERVICE is a built-in account introduced as of WinXP that is used to 
run services.  It has a counterpart called LOCAL SERVICE.  They are both 
intended to be used instead of the SYSTEM account for services that do not 
need full system privileges, as this reduces the attack surface of the 
machine.

The key difference between network service and local service is that network 
service has network credentials (like the system account) and local service 
does not.  Thus when network service (or system) accesses the network, it 
uses the credentials of the machine account.  For a domain joined machine, 
this is the domain computer account for the machine.

So, when you are not impersonating (basically just using the IIS process/app 
pool identity) to access the directory, the net result is that your query to 
AD executes with the privileges of the computer account, which generally has 
the same read privileges as a normal user.

HTH,

Joe K.
-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"K Kong"  wrote in message 
news:EF1885B6-7447-4B1D-A4D9-34B11A7441E0@microsoft.com...
> Thank you.  I understand now.  The browser is having the credentials of
> userA.  The web server authenticates against some domain controller that 
> the
> browser is indeed userA.  But the web server is still running as NT
> AUTHORITY\NETWORK SERVICE.  The mobile number request is retrieved by 
> NETWORK
> SERVICE, which is permitted. Earlier I was mistaken that the credentials 
> of
> userA are passed through to the domain controller.  That requires Kerberos
> delegation as you have pointed out. And from what I read, Kerberos 
> delegation
> requires the domain administrators to come in and permit trust.  So it's 
> not
> something I could spring a surprise to everyone in the company. :(
>
> While we are on this, what is NT AUTHORITY\NETWORK SERVICE?  I can't find
> the NT AUTHORITY folder nor the user NETWORK SERVICE in ADUC although it 
> is
> available when I am assigning access rights to a file.
>
> Thanks.
>
> "Joe Kaplan" wrote:
>
>> It is most likely that authentication was successful as something, 
>> although
>> that is not necessarily true.  However, if impersonation was not enabled 
>> in
>> web.config, that would mean that you are authenticating as the process
>> account instead of the account of the authenticated browser user.  You 
>> can
>> find out the account you are attempting to use by examining the value
>> returned by System.Security.Principal.WindowsIdentity.GetCurrent().Name.
>>
>> I say "not necessarily" here because it depends on a bunch of factors. 
>> With
>> Win2K3+ AD, authentication is required by default to perform any 
>> operations.
>> You get an "operations error" if you attempt an operation such as a 
>> search
>> and are not authenticated.  However, that can be disabled.  If using 
>> Win2K
>> AD, authentication is not required by default, so if you accidentally
>> authenticate as anonymous you can still perform some operations. 
>> However,
>> you usually can't see much in the directory because anonymous users don't
>> have much read access.  Once again though, those permissions can all be
>> changed as well.
>>
>> So, the bottom line is that without knowing all the details of both your 
>> app
>> and your AD infrastructure, I can't tell you for sure what is happening. 
>> I
>> can say for sure that Kerberos delegation IS required for the web app to
>> forward the credentials of the user authenticated via IWA to a remote
>> resource.
>>
>> -- 
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services 
>> Programming"
>> http://www.directoryprogramming.net
>> --
date: Sun, 11 May 2008 11:30:46 -0500   author:   Joe Kaplan
