problem accesing Active Directory from an ASP.NET App when user has been authenticated via AD certificate mapping

[Sergio Lera via .NET 247]

hello,

I am developing an ASP.NET web application which interacts withAD. Client/User authentication must be done via AD certificatemapping, so I have configured IIS to do UPN mapping:
-- In the IIS manager ...
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require clientcertificates" and also select "Enable client certificatemapping".

I think the mapping is done ok, because if I get the current userby using Context.User.Identity.Name orWindowsIdentity.GetCurrent().Name (with <identityimpersonate="true" /> in web.config file) the result is the userowner of the certificate used to do the client authentication.

The problem is that then web application (runnig under useraccount credentials) can not access Active Directory via ADSI(using .NET System.DirectoryServices API). I get an operationalerror ,I think related with authentication.

The source code of the System.DirectoryServices.DirectoryEntryobject creation is something like this:
DirectoryEntry de = newDirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/",null,null,AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that"it requests secure authentication. When the user name andpassword are a null reference, ADSI binds to the object usingthe security context of the calling thread, which is either thesecurity context of the user account under which the applicationis running or of the client user account that the calling threadis impersonating".

Since certificate mapping is donde ok, I suppose the webapplication is running under the user account credentials...andthe user account has got the required permissions to do theoperation, but AD server does not permit to do the operation.

I am sure that user account has got the suitable permissionsbecause if I enable anonymous access in IIS and I use the useraccount for the anonymous access, AD server permits to do theoperations..

Any idea? What could be the problem? could be the authenticationtype? problems related with impersonation? I am a bit lost...

Thanks is advance!



--------------------------------
From: Sergio Lera

-----------------------
Posted by a user from .NET 247 ([url]http://www.dotnet247.com/[/url])

<Id>Z7OL0p+wIUiWVffsDhEXfQ==</Id>

[Joe Kaplan \(MVP - ADSI\)]

This is probably a double hop issue. The security context on the web server
cannot hop to the AD server, so AD gets your security context as anonymous.

To fix this, you'll also need Kerberos delegation. Try doing some searches
on the MS sites to pull down the KBase articles and such.

You may also need protocol transition to make this work since the initial
security context was generated by Schannel, not Kerberos, but I'm actually
not sure about that. I've never done this with certificate mapping. If
anyone else knows, I'd be happy to hear.

Joe K.

"Sergio Lera via .NET 247" <anonymous@dotnet247.com> wrote in message
news:uncJAMpOFHA.3076@tk2msftngp13.phx.gbl...
hello,

I am developing an ASP.NET web application which interacts with AD.
Client/User authentication must be done via AD certificate mapping, so I
have configured IIS to do UPN mapping:
-- In the IIS manager ...
-- in the properties of the web site...
-- under "directory security"..
-- under "Secure Communications", select Edit.
-- select "Require secure channel"; select "require client certificates" and
also select "Enable client certificate mapping".

I think the mapping is done ok, because if I get the current user by using
Context.User.Identity.Name or WindowsIdentity.GetCurrent().Name (with
<identity impersonate="true" /> in web.config file) the result is the user
owner of the certificate used to do the client authentication.

The problem is that then web application (runnig under user account
credentials) can not access Active Directory via ADSI (using .NET
System.DirectoryServices API). I get an operational error ,I think related
with authentication.

The source code of the System.DirectoryServices.DirectoryEntry object
creation is something like this:
DirectoryEntry de = new
DirectoryEntry("LDAP://"+[servername]+":"+[serverport]+"/",null,null,AuthenticationTypes.Secure);

The description of the AuthenticationTypes.Secure flag says that "it
requests secure authentication. When the user name and password are a null
reference, ADSI binds to the object using the security context of the
calling thread, which is either the security context of the user account
under which the application is running or of the client user account that
the calling thread is impersonating".

Since certificate mapping is donde ok, I suppose the web application is
running under the user account credentials...and the user account has got
the required permissions to do the operation, but AD server does not permit
to do the operation.

I am sure that user account has got the suitable permissions because if I
enable anonymous access in IIS and I use the user account for the anonymous
access, AD server permits to do the operations..

Any idea? What could be the problem? could be the authentication type?
problems related with impersonation? I am a bit lost...

Thanks is advance!



--------------------------------
From: Sergio Lera

-----------------------
Posted by a user from .NET 247 ([url]http://www.dotnet247.com/[/url])

<Id>Z7OL0p+wIUiWVffsDhEXfQ==</Id>