Help with A.D. and ASP.Net

[Reas]

Hi, I'm trying to validate the user credentials against an Active Directory,
I've seen some demos around but in the enviroment I'm going to be working on,
most users have restrictions that prohibit them to logon to certain
machines/servers, so, my question is, should I have to do something special
to validate the credentials when the user has these restrictions?

Once I tried to execute LogonUser API on the server, but it always returned
false even if the credentials were right because that user didn't have the
permission to log on to the server, so, In ADSI there would be such problems?
as this executes on the server.

Thanks in advance.
--
Reas

[Joe Kaplan \(MVP - ADSI\)]

It is really better from a security standpoint to use LogonUser (or just use
built-in Windows security in IIS) to do your authentiation. Is it possible
that you could convince the admins to let normal users logon locally? They
don't need interactive logon rights (they can have logon batch for
example).

Joe K.

"Reas" <Reas@discussions.microsoft.com> wrote in message
news:E1EDB140-9C80-49DD-AEFD-65EB23D82058@microsoft.com...

> Hi, I'm trying to validate the user credentials against an Active

Directory,

> I've seen some demos around but in the enviroment I'm going to be working

on,

> most users have restrictions that prohibit them to logon to certain
> machines/servers, so, my question is, should I have to do something

special

> to validate the credentials when the user has these restrictions?
>
> Once I tried to execute LogonUser API on the server, but it always

returned

> false even if the credentials were right because that user didn't have the
> permission to log on to the server, so, In ADSI there would be such

problems?

> as this executes on the server.
>
> Thanks in advance.
> --
> Reas

[Dan Amiga]

A. You can use LDAP or ADSI ( Make sure the ASPNET user or your dedicated
IIS process user has permissions to query the AD ).

B. I think S4U kerberos can help you a-lot. try looking for it at
[url]http://msdn.microsoft.com/msdnmag[/url]

let me know...

Dan Amiga
[email]damiga@inter.net.il[/email]
Ness Technologies
..NET Consultant
Israel


----- Original Message -----
From: "Reas" <Reas@discussions.microsoft.com>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Sent: Monday, August 23, 2004 3:59 AM
Subject: Help with A.D. and ASP.Net

> Hi, I'm trying to validate the user credentials against an Active

Directory,

> I've seen some demos around but in the enviroment I'm going to be working

on,

> most users have restrictions that prohibit them to logon to certain
> machines/servers, so, my question is, should I have to do something

special

> to validate the credentials when the user has these restrictions?
>
> Once I tried to execute LogonUser API on the server, but it always

returned

> false even if the credentials were right because that user didn't have the
> permission to log on to the server, so, In ADSI there would be such

problems?

> as this executes on the server.
>
> Thanks in advance.
> --
> Reas

[Joe Kaplan \(MVP - ADSI\)]

In the local security policy, you would add whatever groups or users you
need to "Log on as a batch job" as opposed to log on as a service or log on
locally.

Joe K.

"Reas" <Reas@discussions.microsoft.com> wrote in message
news:D9530D21-66AF-4603-A415-5EEC943ED5F9@microsoft.com...

> Joe,
> How do I go about creating a logon batch?
>
>
> Regards,
> Reas
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>

> > It is really better from a security standpoint to use LogonUser (or just

use

> > built-in Windows security in IIS) to do your authentiation. Is it

possible

> > that you could convince the admins to let normal users logon locally?

They

> > don't need interactive logon rights (they can have logon batch for
> > example).
> >
> > Joe K.
> >
> > "Reas" <Reas@discussions.microsoft.com> wrote in message
> > news:E1EDB140-9C80-49DD-AEFD-65EB23D82058@microsoft.com...

> > > Hi, I'm trying to validate the user credentials against an Active

> > Directory,

> > > I've seen some demos around but in the enviroment I'm going to be

working

> > on,

> > > most users have restrictions that prohibit them to logon to certain
> > > machines/servers, so, my question is, should I have to do something

> > special

> > > to validate the credentials when the user has these restrictions?
> > >
> > > Once I tried to execute LogonUser API on the server, but it always

> > returned

> > > false even if the credentials were right because that user didn't have

the

> > > permission to log on to the server, so, In ADSI there would be such

> > problems?

> > > as this executes on the server.
> > >
> > > Thanks in advance.
> > > --
> > > Reas

> >
> >
> >