See, I told you the security was the hard part. :) This is no different in .NET.

Like I said, the first thing to decide is whether you want to use trusted subsystem or delegation as your security architecture. That will determine the settings to use and any additional configuration.

Remember that in ASP, impersonation is ALWAYS on (you can't disable it like you can in .NET), so your code will not execute with the permissions of the process account, only the authenticated user.

The authenticated user will either be the anonymous IIS user (if you have anonymous checked) or the browser user if you are using IWA or Basic. By default, the anonymous user is a local machine account, so you can't use that to access AD. You'd need to change that to a service account. That would give you a trusted subsystem.

Another way to create a trusted subsystem is to just pass in plaintext credentials to ADSI (using OpenDSObject and the equivalent in ADO). This allows you to avoid dealing with the from the Windows security perspective.

If you want to use the authenticated user's credentials and use IWA, you must get Kerberos delegation working like Tomasz said. This is fun. :)

Joe K.

----- Original Message -----
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, October 11, 2006 4:19 PM
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to configure IIS so my asp script can change user's attr in AD

Ramon Linan wrote:
I decided to go with asp, I exclude a path from SharePoint and use asp,
that will make things easier at first.

Now the problem that I am having is, how do I configure IIS so the
authenticated users can see/modify some of their attributes in AD?

If I use the default AD IUSR for that server (IUSR_<servername>) in the
directory security under anonymous access, that user can't change things
in AD, but I can't use an administrator account either, for security
reasons... so how should I configure IIS so it lets me query and change
the user's attributes in AD?

You have two options:
1. Configure IIS application pool with account which will have rights to modify attributes in AD

2. Use Kerberos delegation to impersonate user and make changes in security context of user who is logged on to web page
http://support.microsoft.com/kb/810572/


ad.1. The problem is that you have to put some control mechanisms in place on the web page to protect users from changing other users' details etc., as in this model your application pool account is capable of making changes to objects and attributes. This is controlled via ACLs on the directory object.

ad.2 In this case you are using the user's context to access the DS and to make changes to the attributes which the user has the right to access. With Windows 2003 you can use constrained Kerberos delegation. When you will use delegation, just remember that sensitive accounts (like Ent. Admins, Domain Admins) should not be allowed to be delegated (this is an option on the AD account).

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
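Both replies above come down to the same two checks a defender ends up implementing: in the trusted-subsystem model (Joe's service-account/OpenDSObject approach, Tomasz's option 1) the web code itself must stop a user from editing anyone else's object, and in the delegation model (Tomasz's option 2) the sensitive accounts must carry the "Account is sensitive and cannot be delegated" flag and the delegating account should be constrained. The script below is an added example, not code from either poster; it runs against a constructed, in-memory set of directory records rather than a live LDAP query, and the DNs, group names and self-service attribute list are assumptions for illustration.

```python
"""Two defender-side checks for the trusted-subsystem vs. delegation choice.

Added example, not from the mailing-list thread.  The records in DIRECTORY
are constructed to look like the attributes an audit would pull over LDAP
(userAccountControl, memberOf, msDS-AllowedToDelegateTo); no real data.
"""

# userAccountControl bits (ADS_USER_FLAG_ENUM), as documented by Microsoft.
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation allowed
NOT_DELEGATED = 0x100000                     # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample records (hypothetical domain "example.com").
DIRECTORY = [
    {"dn": "CN=svc-webpool,OU=Service,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["ldap/dc1.example.com"],   # constrained to the DC's LDAP SPN
     "memberOf": []},
    {"dn": "CN=WEB01,OU=Servers,DC=example,DC=com",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,   # unconstrained
     "msDS-AllowedToDelegateTo": [],
     "memberOf": []},
    {"dn": "CN=jdoe,OU=Users,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": [],
     "memberOf": []},
    {"dn": "CN=admin1,OU=Admins,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT,           # privileged but NOT marked sensitive
     "msDS-AllowedToDelegateTo": [],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=admin2,OU=Admins,DC=example,DC=com",
     "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,   # correctly protected
     "msDS-AllowedToDelegateTo": [],
     "memberOf": ["CN=Enterprise Admins,CN=Users,DC=example,DC=com"]},
]

# Groups whose members Tomasz says must never be delegatable (assumed list).
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Enterprise Admins,CN=Users,DC=example,DC=com",
}


def delegation_findings(records):
    """Audit the delegation model (option 2).

    Returns a dict with:
      privileged_not_protected: privileged accounts lacking NOT_DELEGATED
      unconstrained: accounts trusted for unconstrained delegation
      constrained: account -> list of SPNs it may delegate to
    """
    findings = {"privileged_not_protected": [], "unconstrained": [], "constrained": {}}
    for rec in records:
        uac = rec["userAccountControl"]
        if PRIVILEGED_GROUPS & set(rec["memberOf"]) and not uac & NOT_DELEGATED:
            findings["privileged_not_protected"].append(rec["dn"])
        if uac & TRUSTED_FOR_DELEGATION:
            findings["unconstrained"].append(rec["dn"])
        if rec["msDS-AllowedToDelegateTo"]:
            findings["constrained"][rec["dn"]] = list(rec["msDS-AllowedToDelegateTo"])
    return findings


# Attributes a user may edit on their own object in the trusted-subsystem
# model (assumed allowlist; the real one is a policy decision).
SELF_SERVICE_ATTRIBUTES = {"telephoneNumber", "mobile", "streetAddress", "description"}


def authorize_self_service(authenticated_dn, target_dn, attribute):
    """Application-level check for the trusted-subsystem model (option 1).

    The app pool / service account can write whatever the directory ACLs let
    it write, so the web code must itself refuse any write that is not the
    caller editing an allowlisted attribute on their own object.  In
    production compare objectSid or objectGUID rather than DN strings, since
    DN comparison has case and escaping subtleties beyond this lower-casing.
    """
    if authenticated_dn.strip().lower() != target_dn.strip().lower():
        return False
    return attribute in SELF_SERVICE_ATTRIBUTES


if __name__ == "__main__":
    for key, value in delegation_findings(DIRECTORY).items():
        print(f"{key}: {value}")
    print(authorize_self_service("CN=jdoe,OU=Users,DC=example,DC=com",
                                 "CN=jdoe,OU=Users,DC=example,DC=com", "mobile"))
```

On the constructed data the audit reports admin1 as a privileged account that can still be delegated, WEB01 as trusted for unconstrained delegation, and svc-webpool as constrained to a single LDAP SPN; the authorization helper permits jdoe to edit their own mobile number and refuses both a write to admin1's object and a write to userAccountControl.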

