Thank you all so much, all this is difficult but a lot of fun. I will try both ways and see where I get.
Thanks again

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, October 11, 2006 10:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to configure IIS so my asp script can change user's attr in AD

See, I told you the security was the hard part. :)

This is no different in .NET. Like I said, the first thing to decide is whether you want to use trusted subsystem or delegation as your security architecture. That will determine the settings to use and any additional configuration.

Remember that in ASP, impersonation is ALWAYS on (you can't disable it like you can in .NET), so your code will not execute with the permissions of the process account, only the authenticated user. The authenticated user will either be the anonymous IIS user (if you have anonymous checked) or the browser user if you are using IWA or Basic. By default, the anonymous user is a local machine account, so you can't use that to access AD. You'd need to change that to a service account. That would give you a trusted subsystem.

Another way to create a trusted subsystem is to just pass in plaintext credentials to ADSI (using OpenDSObject and the equivalent in ADO). This allows you to avoid dealing with it from the Windows security perspective.

If you want to use the authenticated user's credentials and use IWA, you must get Kerberos delegation working like Tomasz said.

This is fun. :)

Joe K.

----- Original Message -----
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, October 11, 2006 4:19 PM
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to configure IIS so my asp script can change user's attr in AD

> Ramon Linan wrote:
>> I decided to go with ASP, I exclude a path from SharePoint and use ASP, that will make things easier at first.
>>
>> Now the problem that I am having is, how do I configure IIS so the authenticated users can see/modify some of their attributes in AD?
>>
>> If I use the default AD IUSR for that server (IUSR_<servername>, in the directory security under anonymous access), that user can't change things in AD, but I can't use an administrator account either for security reasons... so how should I configure IIS so it lets me query and change user's attributes in AD?
>>
> You have two options:
>
> 1. Configure the IIS application pool with an account which will have rights to modify attributes in AD.
>
> 2. Use Kerberos delegation to impersonate the user and make changes in the security context of the user who is logged on to the web page:
> http://support.microsoft.com/kb/810572/
>
> ad 1. The problem is that you have to put some control mechanisms in place on the web page to protect users from changing other users' details etc., as in this model your application pool account is capable of making changes to objects and attributes. This is controlled via ACLs on the directory object.
>
> ad 2. In this case you are using the user's context to access the DS and to make changes to attributes which the user has rights to access. With Windows 2003 you can use constrained Kerberos delegation. When you use delegation, just remember that sensitive accounts (like Ent. Admins, Domain Admins) should not be allowed to be delegated (this is an option on the AD account).
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
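As an added example for this thread (it is not code from any of the posters, nor from the KB article Tomasz links), here is PowerShell over ADSI (System.DirectoryServices, the .NET counterpart of the OpenDSObject call Joe mentions) showing both designs side by side: the trusted-subsystem page that binds with its own service account and therefore has to enforce "only your own object, only these attributes" itself, and the constrained-delegation setup in which AD's ACLs do that job, plus the "sensitive and cannot be delegated" flag for privileged accounts. Every name in it is an assumption: domain contoso.local, DC dc01.contoso.local, service account CONTOSO\svc-webad, web server WEB01, and the attribute allowlist.

```powershell
# Added example for this thread, not code from any poster. All names are hypothetical:
# domain contoso.local, DC dc01.contoso.local, service account CONTOSO\svc-webad, web server WEB01.
Add-Type -AssemblyName System.DirectoryServices

# ---------------------------------------------------------------------------
# Design 1: trusted subsystem. The page binds with a fixed service account
# (explicit credentials, OpenDSObject-style). That account can write to many
# users, so the PAGE must authorize: the caller's own object only, and only an
# allowlisted set of attributes (never memberOf, userAccountControl, etc.).
# ---------------------------------------------------------------------------
$AllowedAttributes = @('telephoneNumber', 'mobile', 'title')   # hypothetical allowlist

function ConvertTo-SamAccountName {
    # Turn IIS's LOGON_USER (CONTOSO\rlinan) into a bare sAMAccountName and reject
    # anything that could change the meaning of the LDAP filter (LDAP injection).
    param([Parameter(Mandatory)] [string] $LogonUser)
    $sam = ($LogonUser -split '\\')[-1]
    if ($sam -notmatch '^[A-Za-z0-9._-]{1,64}$') { throw "Invalid logon name: $LogonUser" }
    return $sam
}

function Get-SelfEntry {
    param(
        [Parameter(Mandatory)] [string] $LogonUser,        # Request.ServerVariables("LOGON_USER")
        [Parameter(Mandatory)] [string] $LdapPath,         # LDAP://dc01.contoso.local/DC=contoso,DC=local
        [Parameter(Mandatory)] [string] $ServiceUser,      # CONTOSO\svc-webad (hypothetical)
        [Parameter(Mandatory)] [string] $ServicePassword   # read from protected config, never from the page source
    )
    $sam = ConvertTo-SamAccountName $LogonUser
    # Secure + Sealing: Kerberos/NTLM bind with encryption; never a simple (cleartext) bind
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $ServiceUser, $ServicePassword, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user object for $sam" }
    return $hit.GetDirectoryEntry()
}

function Set-SelfAttribute {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.DirectoryEntry] $Entry,
        [Parameter(Mandatory)] [string] $LogonUser,
        [Parameter(Mandatory)] [string] $Attribute,
        [Parameter(Mandatory)] [string] $Value
    )
    # Re-check ownership and the allowlist here as well, so a caller that obtained
    # $Entry some other way (e.g. a DN posted in a form field) still cannot edit
    # another user's object or a sensitive attribute.
    $sam = ConvertTo-SamAccountName $LogonUser
    if ($Entry.Properties['sAMAccountName'].Value -ne $sam) {
        throw "Refusing to modify an object that does not belong to $LogonUser"
    }
    if ($AllowedAttributes -notcontains $Attribute) {
        throw "Attribute '$Attribute' is not editable through this page"
    }
    $Entry.Properties[$Attribute].Value = $Value
    $Entry.CommitChanges()
}

# ---------------------------------------------------------------------------
# Design 2: Kerberos delegation. The worker process impersonates the browser
# user and AD's own ACLs decide what may change, so the page needs no ownership
# check. Two hardening steps: constrain the web server's delegation to the DCs'
# LDAP service only, and flag privileged accounts "sensitive and cannot be delegated".
# ---------------------------------------------------------------------------
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation: must NOT be set
$ADS_UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Set-ConstrainedDelegation {
    param(
        # The account that runs the IIS worker process: the computer object when the
        # pool runs as Network Service, otherwise the domain service account.
        [Parameter(Mandatory)] [string]   $PrincipalPath,   # LDAP://CN=WEB01,OU=Servers,DC=contoso,DC=local
        [Parameter(Mandatory)] [string[]] $TargetSpns       # 'ldap/dc01.contoso.local','ldap/dc01.contoso.local/contoso.local'
    )
    $p = New-Object System.DirectoryServices.DirectoryEntry($PrincipalPath)
    $uac = [int]$p.Properties['userAccountControl'].Value
    # Clear unconstrained delegation in case "Trust this computer for delegation to any service" was ticked
    $p.Properties['userAccountControl'].Value = $uac -band (-bnot $ADS_UF_TRUSTED_FOR_DELEGATION)
    $p.Properties['msDS-AllowedToDelegateTo'].Clear()
    foreach ($spn in $TargetSpns) { [void]$p.Properties['msDS-AllowedToDelegateTo'].Add($spn) }
    $p.CommitChanges()
}

function Protect-SensitiveAccount {
    param([Parameter(Mandatory)] [string] $AccountPath)   # LDAP://CN=Administrator,CN=Users,DC=contoso,DC=local
    $a = New-Object System.DirectoryServices.DirectoryEntry($AccountPath)
    $uac = [int]$a.Properties['userAccountControl'].Value
    $a.Properties['userAccountControl'].Value = $uac -bor $ADS_UF_NOT_DELEGATED
    $a.CommitChanges()
}
```

A few practical points on running this. In design 1 the service account should be delegated write access to just those attributes on the users OU (Delegation of Control wizard or dsacls), and its password has to live in protected configuration rather than in the ASP source, since anyone who can read the page source otherwise gets an account that can edit every user. Writing msDS-AllowedToDelegateTo and the delegation bits of userAccountControl requires the "Enable computer and user accounts to be trusted for delegation" privilege, i.e. normally a Domain Admin; the web server's identity also needs its HTTP/ SPN registered for the browser-side Kerberos hop to work, which is what the KB article Tomasz linked walks through. In design 2 the user's own rights decide the outcome: by default the SELF principal can write only a few personal-information property sets on the user object, so check the object's ACL before assuming a given attribute is editable, and anything beyond that must be granted deliberately.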