Webservice IsInRole and LDAP to AD


  #1

    Webservice IsInRole and LDAP to AD

    Can someone explain to me why IsInRole will work, but using
    DirectorySearcher will not? The code is running in a business object behind
    a webservice. The user's credentials (windows authentication) are being
    passed to the webservice. The webservice is configured for "integrated
    windows authentication" and no "anonymous access".

    The error "An operations error occurred" occurs when FindOne is executed.
    The LDAP information is good as it works when it is not behind the
    webservice.

    If this is because of the double-hop of a token, how can IsInRole use the
    token and not DirectorySearcher?

    Here's the code:

    For using LDAP (declarations and Imports added so it compiles as posted):

    Imports System.Collections
    Imports System.DirectoryServices
    Imports System.Security.Principal

    ' Impersonate the Windows identity the webservice received from the caller
    Dim ID As WindowsIdentity = CType(System.Threading.Thread.CurrentPrincipal.Identity, WindowsIdentity)
    Dim ImpersonateContext As WindowsImpersonationContext = ID.Impersonate()
    Try
        Dim oLDPA As New DirectoryEntry("LDAP://ServerName/DC=name1,DC=name2,DC=net")
        Dim oSearch As New DirectorySearcher(oLDPA)
        Dim oGroups As New Hashtable
        With oSearch
            ' Find the caller's user object by sAMAccountName (the part after DOMAIN\)
            .Filter = String.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
                                    Split(System.Threading.Thread.CurrentPrincipal.Identity.Name, "\")(1))
            .CacheResults = False
            .PropertyNamesOnly = True
            .ReferralChasing = ReferralChasingOption.All
            Dim iSearchResult As SearchResult = .FindOne()   ' "An operations error occurred" is thrown here
        End With
    Finally
        ImpersonateContext.Undo()   ' always revert to the worker process identity
    End Try

    For using IsInRole:

    ' sGroup holds the group name to test, e.g. "DOMAIN\GroupName" (placeholder value)
    If System.Threading.Thread.CurrentPrincipal.IsInRole(sGroup) Then
        ' caller is a member of the group
    End If


    Thanks,
    Harold



    Harold Guest

  #2

    Re: Webservice IsInRole and LDAP to AD

    This is probably an issue related to security context. It is explained
    pretty thoroughly here:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

    Essentially, you are probably either running as a local machine account and
    your bind to AD will end up being anonymous or you are impersonating a
    domain account, but your token can't delegate to another machine, so you
    still end up with an anonymous bind.

    You can verify this is the problem easily by changing the constructor for
    your search root DirectoryEntry to include credentials.

    Also, S.DS questions are usually best asked in the adsi.general group
    (although this is obviously relevant to ASP.NET too).

    Joe K.

    "Harold" <hwh@jttb.com> wrote in message
    news:%23OQm7ImhEHA.2952@TK2MSFTNGP09.phx.gbl...

    Joe Kaplan (MVP - ADSI) Guest
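Joe's suggestion of testing with explicit credentials, as an added VB.NET example (this is not code from the thread or from the KB article): the same search is run once under the thread's current security context and once with credentials supplied to the search root DirectoryEntry. The module name LdapBindCheck, the functions FindUserPath, DescribeTokenBind and EscapeFilterValue, and all parameter names are this example's own; the service account and its password are assumed to come from protected configuration rather than from source.

```vbnet
' Added example, not code from the thread. Binds either with the current
' security context (the impersonated token) or with explicit credentials,
' so the two runs can be compared to confirm the anonymous-bind diagnosis.
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal

Public Module LdapBindCheck

    ' Returns the ADsPath of the user with the given sAMAccountName, or Nothing.
    ' userName = Nothing -> bind with the thread's current token.
    ' Otherwise bind as the supplied account (assumed: a read-only service
    ' account whose password is read from protected configuration, not code).
    Public Function FindUserPath(ByVal ldapPath As String, ByVal samAccountName As String, _
                                 ByVal userName As String, ByVal password As String) As String
        Dim root As DirectoryEntry
        If userName Is Nothing Then
            root = New DirectoryEntry(ldapPath)
        Else
            ' Secure = Kerberos/NTLM bind; avoids sending the password as a simple bind
            root = New DirectoryEntry(ldapPath, userName, password, AuthenticationTypes.Secure)
        End If

        Using root
            Using searcher As New DirectorySearcher(root)
                ' Escape the value so ( ) * \ in a name cannot change the filter (RFC 4515)
                searcher.Filter = String.Format( _
                    "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
                    EscapeFilterValue(samAccountName))
                searcher.PropertiesToLoad.Add("distinguishedName")
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return Nothing
                Return result.Path
            End Using
        End Using
    End Function

    ' Runs the lookup under the caller's token and returns a one-line verdict
    ' suitable for logging next to the identity that actually did the bind.
    Public Function DescribeTokenBind(ByVal ldapPath As String, ByVal samAccountName As String) As String
        Dim who As String = WindowsIdentity.GetCurrent().Name
        Try
            Dim found As String = FindUserPath(ldapPath, samAccountName, Nothing, Nothing)
            If found Is Nothing Then found = "(no match)"
            Return "bind as " & who & " succeeded: " & found
        Catch ex As DirectoryServicesCOMException
            ' "An operations error occurred" here, while the explicit-credential
            ' bind succeeds, means the token could not be used for the second hop.
            Return "bind as " & who & " failed: " & ex.Message
        End Try
    End Function

    ' LDAP filter escaping per RFC 4515; backslash first so the escapes are not re-escaped.
    Public Function EscapeFilterValue(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a") _
                    .Replace("(", "\28").Replace(")", "\29").Replace(ChrW(0), "\00")
    End Function
End Module
```

Call DescribeTokenBind from the business object behind the webservice and, separately, FindUserPath with the service account. If only the second call returns a path, the KB article's explanation applies: the caller's token never reached the domain controller and the bind went anonymous. Binding as a dedicated read-only account also removes the dependency on the caller's token surviving a second hop, which is why it is the usual choice in production even where delegation could be configured.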

  #3

    Re: Webservice IsInRole and LDAP to AD

    Thanks for the article. I understand what is being said about the primary
    token and how to get around it. What I'm having a hard time understanding
    is how can the IsInRole method access the AD information and not the
    DirectorySearcher. Are they not both using the same token?

    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:OanhOgnhEHA.2764@TK2MSFTNGP11.phx.gbl...

    Harold Guest

  #4

    Re: Webservice IsInRole and LDAP to AD

    WindowsPrincipal.IsInRole isn't using LDAP to talk to AD. Windows
    authentication uses RPC to authenticate and communicate with the domain
    controller.

    They also may not be using the same token. Windows authentication happens
    down in the lower levels of IIS directly, not in the ASP.NET stack.
    Inetinfo.exe will pass the user's token to the aspnet_wp.exe process or your
    app pool worker process on IIS 6, and they almost never use the same process
    token.

    Joe K.

    "Harold" <hwh@jttb.com> wrote in message
    news:OX61ynrhEHA.592@TK2MSFTNGP11.phx.gbl...

    Joe Kaplan (MVP - ADSI) Guest
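To make Joe's point about the two tokens visible, an added VB.NET example (not code from the thread): it reports what kind of Windows token sits behind Thread.CurrentPrincipal and whether the thread is actually impersonating it. The module TokenDiagnostics and the functions DescribeCallerToken and CanDelegate are names assumed here; the group name passed in is a placeholder.

```vbnet
' Added example, not code from the thread. Reports what kind of Windows token
' sits behind Thread.CurrentPrincipal so the IsInRole / LDAP difference is visible.
Imports System.Security.Principal
Imports System.Text
Imports System.Threading

Public Module TokenDiagnostics

    ' True only when the token may be presented to another machine (second hop),
    ' which is what a DirectorySearcher bind to a domain controller needs.
    Public Function CanDelegate(ByVal wi As WindowsIdentity) As Boolean
        Return wi.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Multi-line summary for a log entry. groupToCheck is a "DOMAIN\Group" name
    ' (placeholder) checked against the SIDs already in the token.
    Public Function DescribeCallerToken(ByVal principal As IPrincipal, ByVal groupToCheck As String) As String
        Dim wi As WindowsIdentity = TryCast(principal.Identity, WindowsIdentity)
        If wi Is Nothing Then
            Return "CurrentPrincipal is not backed by a Windows token; IsInRole is not AD-based here"
        End If

        Dim sb As New StringBuilder()
        sb.AppendLine("caller identity   : " & wi.Name)
        sb.AppendLine("auth type         : " & wi.AuthenticationType)   ' NTLM, Kerberos or Negotiate
        ' If this differs from the caller, the thread is not impersonating and any
        ' LDAP bind goes out as the worker process account instead.
        sb.AppendLine("thread runs as    : " & WindowsIdentity.GetCurrent().Name)
        sb.AppendLine("token level       : " & wi.ImpersonationLevel.ToString())
        sb.AppendLine("delegation-capable: " & CanDelegate(wi).ToString())
        ' Membership is answered from the group SIDs placed in the token at logon,
        ' not from an LDAP query, so this works even when the token cannot hop.
        sb.AppendLine("IsInRole(" & groupToCheck & ") : " & principal.IsInRole(groupToCheck).ToString())
        Return sb.ToString()
    End Function
End Module
```

Log the output from inside the business object. The usual reading matches Joe's explanation: IsInRole returns True even when the token level is only Impersonation, because the group SIDs travel with the token, while the LDAP bind succeeds only when the level is Delegation (Kerberos with delegation configured for the web server) or when the search root is given its own credentials.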
