hey #1
Active Directory Authorization Store question
I'm using Authorization and Profile block in my middle tier (.NET Remoting
hosted under IIS) for role-based application security. It's all good when the
authorization store is placed in a local xml file. But this is only good in
development. In production environment the store needs to be integrated into
Active Directory.
The middle-tier (ASP.NET) is supposed to be configured to run under a least
privileged local account. But I cannot successfully configure any local
account (neither custom account nor built-in account) to communicate with the
remote AD authorization store.
The steps were:
1. Create an authorization store in AD
2. Assign the computer account of the server running ASP.NET to the Readers
group of the store.
My question is whether a non-domain account can be used to open and
query a remote authorization store in Active Directory. If yes then what is
the requirement for this local account (like membership, permissions etc)?
Thanks
Ming
Joe Kaplan (MVP - ADSI) #2
Re: Active Directory Authorization Store question
You'll need a domain account if you want to talk to AD using the credentials
of your current thread. If you can specify credentials somehow then you
have more flexibility.
Can you set up ASP.NET to run as a low privileged domain account?
Joe K.
"hey" <hey@discussions.microsoft.com> wrote in message
news:82C6EA02-1DAB-4CD0-A355-BA278226DCC3@microsoft.com...
> I'm using Authorization and Profile block in my middle tier (.NET Remoting
> hosted under IIS) for role-based application security. It's all good when the
> authorization store is placed in a local xml file. But this is only good in
> development. In production environment the store needs to be integrated into
> Active Directory.
>
> The middle-tier (ASP.NET) is supposed to be configured to run under a least
> privileged local account. But I cannot successfully configure any local
> account (neither custom account nor built-in account) to communicate with the
> remote AD authorization store.
>
> The steps were:
> 1. Create an authorization store in AD
> 2. Assign the computer account of the server running ASP.NET to the Readers
> group of the store.
>
> My question is whether a non-domain account can be used to open and
> query a remote authorization store in Active Directory. If yes then what is
> the requirement for this local account (like membership, permissions etc)?
>
> Thanks
> Ming
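To make Joe's point concrete: an AzMan store is opened with the security context of the thread that calls it, and the AzMan API itself takes no credential parameters, so for an msldap:// store that context has to be a domain principal that AD can authenticate and that holds Reader rights on the store. The following is an added example, not code from the thread and not the Authorization and Profile block that Ming uses; it calls the AzMan COM interop (Microsoft.Interop.Security.AzRoles) directly. The store DN, application name and operation id are made-up placeholders.

```csharp
// Added example: open an AzMan store in AD under the current thread's identity
// and run an access check. Store DN, application name and operation id are
// assumed placeholders, not values from the thread.
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;   // primary interop assembly for azroles.dll

static class AzManStoreCheck
{
    // Placeholder values; substitute the real store DN, application and operation.
    const string StoreUrl = "msldap://CN=MyAuthStore,CN=Program Data,DC=example,DC=com";
    const string ApplicationName = "MiddleTierApp";
    const int OperationId = 1;

    const int NoError = 0;            // AccessCheck result: operation granted
    const int ErrorAccessDenied = 5;  // AccessCheck result: operation denied

    // Returns true when the calling identity is granted OperationId.
    // If the store cannot be opened at all (the symptom in the thread when the
    // process runs as a local account), Initialize throws a COMException.
    public static bool CallerHasOperation()
    {
        // Log which identity is actually reaching AD. When ASP.NET runs as a local
        // account this is what the domain controller cannot authenticate.
        WindowsIdentity processIdentity = WindowsIdentity.GetCurrent();
        Console.WriteLine("Opening store as: " + processIdentity.Name);

        // No flags (0): open an existing store. The LDAP bind uses the thread's
        // security context; there is no parameter for alternate credentials.
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);

        IAzApplication app = store.OpenApplication(ApplicationName, null);

        // Build the client context from a Windows token. Here it is the process
        // token; in a middle tier it would normally be the impersonated caller's.
        IAzClientContext ctx = app.InitializeClientContextFromToken(
            (ulong)processIdentity.Token.ToInt64(), null);

        object[] scopes = new object[] { "" };            // application-level scope
        object[] operations = new object[] { OperationId };

        // AccessCheck returns one result code per requested operation.
        object[] results = (object[])ctx.AccessCheck(
            "audit: middle-tier operation check", scopes, operations,
            null, null, null, null, null);

        int result = (int)results[0];
        if (result == NoError) return true;
        if (result == ErrorAccessDenied) return false;
        throw new InvalidOperationException("Unexpected AccessCheck result: " + result);
    }

    static void Main()
    {
        Console.WriteLine(CallerHasOperation() ? "granted" : "denied");
    }
}
```

The identity printed at the top is the one that must be a member of the store's Readers role; with a least-privileged domain account as the ASP.NET process identity, that membership is the only additional right the account needs for reading the store.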
hey #3
Re: Active Directory Authorization Store question
Thanks for your reply Joe.
For sure it works by using a domain account.
But the preference is to use a local account, which will be consistent with
the way to communicate with the backend server. We have set up mirrored
local account in the middle-tier and backend database server to facilitate
Windows authentication between the two.
Ming
"Joe Kaplan (MVP - ADSI)" wrote:
> You'll need a domain account if you want to talk to AD using the credentials
> of your current thread. If you can specify credentials somehow then you
> have more flexibility.
>
> Can you set up ASP.NET to run as a low privileged domain account?
>
> Joe K.
>
> "hey" <hey@discussions.microsoft.com> wrote in message
> news:82C6EA02-1DAB-4CD0-A355-BA278226DCC3@microsoft.com...
> > I'm using Authorization and Profile block in my middle tier (.NET Remoting
> > hosted under IIS) for role-based application security. It's all good when the
> > authorization store is placed in a local xml file. But this is only good in
> > development. In production environment the store needs to be integrated into
> > Active Directory.
> >
> > The middle-tier (ASP.NET) is supposed to be configured to run under a least
> > privileged local account. But I cannot successfully configure any local
> > account (neither custom account nor built-in account) to communicate with the
> > remote AD authorization store.
> >
> > The steps were:
> > 1. Create an authorization store in AD
> > 2. Assign the computer account of the server running ASP.NET to the Readers
> > group of the store.
> >
> > My question is whether a non-domain account can be used to open and
> > query a remote authorization store in Active Directory. If yes then what is
> > the requirement for this local account (like membership, permissions etc)?
> >
> > Thanks
> > Ming
Joe Kaplan (MVP - ADSI) #4
Re: Active Directory Authorization Store question
I'm not a huge fan of the mirrored local account as it is pretty brittle.
Wouldn't it be easier to use a domain account for that purpose too? That
would seem to solve both problems. You can still use a least privilege
account for this purpose.
Joe K.
"hey" <hey@discussions.microsoft.com> wrote in message
news:B288627D-BB4B-4E68-B5B2-78994A963033@microsoft.com...
> Thanks for your reply Joe.
>
> For sure it works by using a domain account.
>
> But the preference is to use a local account, which will be consistent with
> the way to communicate with the backend server. We have set up mirrored
> local account in the middle-tier and backend database server to facilitate
> Windows authentication between the two.
>
> Ming
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>> You'll need a domain account if you want to talk to AD using the credentials
>> of your current thread. If you can specify credentials somehow then you
>> have more flexibility.
>>
>> Can you set up ASP.NET to run as a low privileged domain account?
>>
>> Joe K.
>>
>> "hey" <hey@discussions.microsoft.com> wrote in message
>> news:82C6EA02-1DAB-4CD0-A355-BA278226DCC3@microsoft.com...
>> > I'm using Authorization and Profile block in my middle tier (.NET Remoting
>> > hosted under IIS) for role-based application security. It's all good when the
>> > authorization store is placed in a local xml file. But this is only good in
>> > development. In production environment the store needs to be integrated into
>> > Active Directory.
>> >
>> > The middle-tier (ASP.NET) is supposed to be configured to run under a least
>> > privileged local account. But I cannot successfully configure any local
>> > account (neither custom account nor built-in account) to communicate with the
>> > remote AD authorization store.
>> >
>> > The steps were:
>> > 1. Create an authorization store in AD
>> > 2. Assign the computer account of the server running ASP.NET to the Readers
>> > group of the store.
>> >
>> > My question is whether a non-domain account can be used to open and
>> > query a remote authorization store in Active Directory. If yes then what is
>> > the requirement for this local account (like membership, permissions etc)?
>> >
>> > Thanks
>> > Ming