ElSerji #1
accessing AD from an ASP.NET app when user has been authenticated via AD cert. mapping
hello forum!
I am developing an ASP.NET web application which interacts with AD.
Client/User authentication must be via AD certificate mapping, so I
have configured IIS to do UPN mapping:
-- In the IIS manager ...
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client
certificates" and also select "Enable client certificate mapping".
I think the mapping is done ok, because when I get the current user by
using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name
the result is the user who is the owner of the certificate used to do
the client authentication. So, I suppose the web application is running
under the user account credentials.
The problem is that I cannot access AD via ADSI (using the .NET
DirectoryServices API). I get an operational error related to
authentication.
The source code of the DirectoryEntry creation is something like this:

    using System.DirectoryServices;

    // serverName and serverPort are filled in from configuration.
    // Null user name and password plus AuthenticationTypes.Secure means
    // ADSI binds with the security context of the calling thread.
    DirectoryEntry oDE = new DirectoryEntry(
        "LDAP://" + serverName + ":" + serverPort + "/",
        null, null, AuthenticationTypes.Secure);
The description of the AuthenticationTypes.Secure flag says that "it
requests secure authentication. When the user name and password are a
null reference, ADSI binds to the object using the security context of
the calling thread, which is either the security context of the user
account under which the application is running or of the client user
account that the calling thread is impersonating".
The web application is running under a user account which has the
required permissions for the operation, but the AD server does not permit
the operation.
I am sure that the user account has the suitable permissions because if
I enable anonymous access in IIS and I use that user account for the
anonymous access, the AD server permits the operations.
Any idea? What could be the problem? Could it be the authentication type?
Problems related to impersonation? I am a bit lost...
Thanks in advance! ...and sorry for my poor English ;)
--
ElSerji
------------------------------------------------------------------------
Posted via http://www.codecomments.com
------------------------------------------------------------------------
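The bind in the post fails or succeeds depending on what kind of token the request thread actually holds, not just on whose name it carries. The following diagnostic is an added example (it is not code from the original post). It assumes .NET 2.0 or later on Windows, running inside the ASP.NET request after IIS client-certificate mapping as configured above; the LDAP path passed in is a placeholder.

```csharp
// Added example, not from the original post. Assumes .NET 2.0+ on Windows inside
// an ASP.NET request; ldapPath is a placeholder such as "LDAP://dc01.example.local:389/".
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class AdBindDiagnostics
{
    // Describe the token ASP.NET hands the request thread. After certificate mapping
    // the Name is the mapped user, but that alone does not make the token usable for a
    // network bind: the impersonation level and the originating package matter too.
    public static string DescribeCallingContext()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format(
            "User={0}; AuthType={1}; ImpersonationLevel={2}; Authenticated={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, id.IsAuthenticated);
    }

    // Identification-level (and anonymous) tokens can be inspected but never used to
    // open a connection to another machine, so an LDAP bind with one is certain to fail.
    public static bool TokenCanReachNetwork(WindowsIdentity id)
    {
        return id.ImpersonationLevel != TokenImpersonationLevel.Identification
            && id.ImpersonationLevel != TokenImpersonationLevel.Anonymous;
    }

    // Attempt the same bind the post uses (null credentials + Secure, i.e. the thread's
    // context) and force it to happen now. DirectoryEntry binds lazily, so without
    // RefreshCache the error would only surface later, at the first property access.
    public static bool TryBindAsCurrentThread(string ldapPath, out string failure)
    {
        failure = null;
        try
        {
            using (DirectoryEntry de =
                new DirectoryEntry(ldapPath, null, null, AuthenticationTypes.Secure))
            {
                de.RefreshCache();
                return true;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // ExtendedErrorMessage carries the DC's own text, which usually names the
            // failed SSPI step; keep it with the HRESULT for the log.
            failure = string.Format("0x{0:X8}: {1}", ex.ErrorCode, ex.ExtendedErrorMessage);
            return false;
        }
        catch (COMException ex)
        {
            failure = string.Format("0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
            return false;
        }
    }

    // Typical use from a page or a trace handler: record the context, then try the bind.
    public static string Run(string ldapPath)
    {
        string context = DescribeCallingContext();
        if (!TokenCanReachNetwork(WindowsIdentity.GetCurrent()))
            return context + " -> token cannot be used for a network bind";
        string failure;
        return TryBindAsCurrentThread(ldapPath, out failure)
            ? context + " -> bind OK"
            : context + " -> bind failed: " + failure;
    }
}
```

Running `AdBindDiagnostics.Run(...)` once with anonymous access plus the fixed account and once with certificate mapping makes the difference visible: the user name changes, but so do AuthType and ImpersonationLevel, and it is the latter two that decide whether the DC will accept the bind.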
Joe Kaplan (MVP - ADSI) #2
Re: accessing AD from an ASP.NET app when user has been authenticated via AD cert. mapping
I just tried to answer a similar question 2 or 3 days ago.
In order for your credentials that were authenticated via SSL to "hop" to
the Active Directory server, you will need to implement Kerberos delegation.
However, given that you were authenticated by the Schannel SSP and not
Kerberos initially, I think you will also need a Kerberos ticket to make
this work. That probably means you need Kerberos Protocol Transition which
implies the need for both Windows 2003 server and 2003 Native mode Active
Directory.
I'm not sure about the latter part, but I don't see how Kerberos delegation
can work here without a Kerberos ticket. Perhaps someone from MS or someone
more deeply versed in Schannel authentication can help.
Your S.DS code is just fine though. That is how you should set it.
Joe K.
"ElSerji" <ElSerji.1n6adq@mail.codecomments.com> wrote in message
news:ElSerji.1n6adq@mail.codecomments.com...
> hello forum!
>
> I am developing an ASP.NET web application which interacts with AD.
> Client/User authentication must be via AD certificate mapping, so I
> have configured IIS to do UPN mapping:
> -- In the IIS manager ...
> -- in the properties of the web site...
> -- under "directory security"..
> -- under "Secure Communications", select Edit.
> -- select "Require secure channel"; select "require client
> certificates" and also select "Enable client certificate mapping".
>
> I think the mapping is done ok, because when I get the current user by
> using Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name
> the result is the user who is the owner of the certificate used to do
> the client authentication. So, I suppose the web application is running
> under the user account credentials.
>
> The problem is that I cannot access AD via ADSI (using the .NET
> DirectoryServices API). I get an operational error related to
> authentication.
>
> The source code of the DirectoryEntry creation is something like this:
> DirectoryEntry oDE = new
> DirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/",null,null,AuthenticationTypes.Secure);
>
> The description of the AuthenticationTypes.Secure flag says that "it
> requests secure authentication. When the user name and password are a
> null reference, ADSI binds to the object using the security context of
> the calling thread, which is either the security context of the user
> account under which the application is running or of the client user
> account that the calling thread is impersonating".
>
> The web application is running under a user account which has the
> required permissions for the operation, but the AD server does not permit
> the operation.
>
> I am sure that the user account has the suitable permissions because if
> I enable anonymous access in IIS and I use that user account for the
> anonymous access, the AD server permits the operations.
>
> Any idea? What could be the problem? Could it be the authentication type?
> Problems related to impersonation? I am a bit lost...
>
> Thanks in advance! ...and sorry for my poor English ;)
>
>
>
> --
> ElSerji
> ------------------------------------------------------------------------
> Posted via http://www.codecomments.com
> ------------------------------------------------------------------------
>
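The Kerberos protocol transition Joe describes has a direct expression in .NET: the `WindowsIdentity(string upn)` constructor performs an S4U2Self logon for the named user, which is the bridge from an identity established by Schannel to a Kerberos one that constrained delegation can then carry to the DC. The following is an added example, not code from Joe Kaplan's reply. It assumes a Windows Server 2003 functional-level domain; that the application pool account is configured in AD for constrained delegation to the target DC's LDAP service with "Use any authentication protocol"; and that the account has enough privilege for S4U2Self to return an impersonation-level token rather than an identification-level one. The UPN and host:port values are placeholders supplied by the caller.

```csharp
// Added example, not from Joe Kaplan's reply. Assumes a Windows Server 2003 domain,
// constrained delegation with protocol transition configured on the app pool account
// for the DC's LDAP SPN, and placeholder UPN / host:port values from the caller.
using System;
using System.DirectoryServices;
using System.Security.Principal;

public static class ProtocolTransitionBind
{
    // Obtain a Windows token for the user by UPN without a password. Under the hood
    // this is an S4U2Self request to the KDC; it only succeeds for domain accounts and
    // is what turns the certificate-mapped name into a Kerberos-backed identity.
    public static WindowsIdentity TokenForUser(string userPrincipalName)
    {
        return new WindowsIdentity(userPrincipalName);
    }

    // Bind to the DC's RootDSE as the mapped user and return defaultNamingContext.
    // Fails early with a clear message if the S4U token cannot be used on the network,
    // so the caller sees the delegation misconfiguration rather than a generic LDAP error.
    public static string DefaultNamingContextAs(string userPrincipalName, string dcHostAndPort)
    {
        WindowsIdentity user = TokenForUser(userPrincipalName);
        if (user.ImpersonationLevel == TokenImpersonationLevel.Identification)
        {
            throw new InvalidOperationException(
                "S4U2Self returned an identification-level token for " + user.Name +
                "; the service account lacks the privilege or delegation setting needed to impersonate.");
        }

        // Disposing the context reverts to the process identity even if the bind throws.
        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            string path = "LDAP://" + dcHostAndPort + "/RootDSE";
            using (DirectoryEntry rootDse =
                new DirectoryEntry(path, null, null, AuthenticationTypes.Secure))
            {
                // Same bind shape as the original post (null credentials + Secure).
                // With constrained delegation in place the KDC issues the service ticket
                // for the DC's LDAP SPN (S4U2Proxy) at the moment this property is read.
                return (string)rootDse.Properties["defaultNamingContext"].Value;
            }
        }
    }
}
```

Only the delegation configuration in AD decides which services the transitioned identity may reach; the code itself cannot widen that, which is why the failure is reported on the token level before any network call is made.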