Unless you are using Basic (Clear text password) authentication, Impersonation only works in an environment supporting delegation when binding with a remote server (using the WinNT or LDAP providers), but I (and many others) have tried this without any success in a distributed environment.
When binding to a local machine (the same as running IIS) you don't have to authenticate (you aren't even challenged) and the 'aspnet' process token can be used to query the LSA.
When binding to a remote server (using WinNT or LDAP), you have to specify explicit credentials in the DirectoryEntry constructor, or, much better, move the Directory access code bits to an out-proc COM+ application, use a fixed identity and implement role-based security to control directory access.

Willy.

----- Original Message -----
From: "Pradeep Tapadiya" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 11:35 PM
Subject: Re: [DOTNET] Retrieving user properties from a WinNT provider using .Net

> Sorry for jumping in the middle. Under ASP.NET, authentication
> does little to change the credentials under which a call to directory
> services is made. What you are looking for is impersonation.
>
> By default, ASP.NET uses "ASPNET" as the user account which
> has limited permissions. Under Web.Config, set your ASP.NET
> application to impersonate (either the caller or a specific account).
> This way, the thread upon which the request comes in will use
> the specified credentials.
>
> Note that to impersonate the caller, you still need to set IIS
> for integrated or basic authentication.
>
> Hope this helps.
>
> Pradeep
> http://www.tapadiya.net/pradeep
>
> ----- Original Message -----
> From: "george antony" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 24, 2002 2:36 AM
> Subject: Re: [DOTNET] Retrieving user properties from a WinNT provider using .Net
>
> > It works with Secure authentication as a console app
> > and it works there even without any username and pwd.
> > There are no messages logged in the event viewer
> > related to the Access denied error in ASP .Net
> >
> > George
> >
> > --- Willy Denoyette <[EMAIL PROTECTED]> wrote:
> > > Not really, but you have to specify the
> > > authentication type in ASP.NET, it works for me.
> > > Did you try to specify the same credentials with
> > > authentication type secure in your Console
> > > application?
> > > Did you inspect the eventlogs?
> > >
> > > Willy.
> > >
> > > ----- Original Message -----
> > > From: "george antony" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, April 24, 2002 10:55 AM
> > > Subject: Re: [DOTNET] Retrieving user properties from a WinNT provider using .Net
> > >
> > > > We initially tried with the Secure authentication type but
> > > > it didn't work, so we thought of trying without it
> > > > later. Any other suggestions?
> > > > George
> > > >
> > > > --- Willy Denoyette <[EMAIL PROTECTED]> wrote:
> > > > > Ok, I see you didn't specify any authentication type
> > > > > when binding. If you don't set the Authentication
> > > > > type, the credentials of the current process will be used.
> > > > > Change your binding to:
> > > > >
> > > > > DirectoryEntry("WinNT://nttest/Administrators,group",
> > > > >     @"NTTestdomain\Administrator", "intelligroup",
> > > > >     AuthenticationTypes.Secure);
> > > > >
> > > > > and try again....
> > > > >
> > > > > Sorry for that.
> > > > > Willy.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "george antony" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Wednesday, April 24, 2002 8:18 AM
> > > > > Subject: Re: [DOTNET] Retrieving user properties from a WinNT provider using .Net
> > > > >
> > > > > > Willy,
> > > > > > We were trying your sample in ASP .Net which didn't
> > > > > > work, whereas the same code works as a console
> > > > > > application. I guess even if we give our username and
> > > > > > password explicitly it takes the ASP Net Identity for
> > > > > > authentication. We had set the mode of authentication
> > > > > > as Windows in the Web.config file. I tried out the
> > > > > > same sample in ASP .Net on a machine which is in the
> > > > > > same domain and I had logged into the computer using
> > > > > > the Domain account NTTestDomain\Administrator. But
> > > > > > it still doesn't work there. At the same time Console
> > > > > > applications get connected from anywhere without any
> > > > > > username and password.
> > > > > >
> > > > > > thanks so much for your help
> > > > > > George
> > > > > >
> > > > > > --- Willy Denoyette <[EMAIL PROTECTED]> wrote:
> > > > > > > The reason is obvious; user
> > > > > > > "NTTestdomain\Administrator" with password
> > > > > > > "intelligroup" is either invalid or unknown or has
> > > > > > > no privileges.
> > > > > > > I'm afraid there is something wrong with your domain
> > > > > > > structure and/or your trust relationships between
> > > > > > > domains.
> > > > > > > Can you access a Fileshare using the same
> > > > > > > credentials?
> > > > > > >
> > > > > > > Willy.
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "george antony" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Tuesday, April 23, 2002 2:44 PM
> > > > > > > Subject: Re: [DOTNET] Retrieving user properties from a WinNT provider using .Net
> > > > > > >
> > > > > > > > It throws a COMException which says "Access is denied"
> > > > > > > >
> > > > > > > > Exception is raised when we try to get the members
> > > > > > > > collection. The code below:
> > > > > > > >
> > > > > > > > **************************************************
> > > > > > > > DirectoryEntry groupEntry = new DirectoryEntry(
> > > > > > > >     "WinNT://nttest/Administrators,group",
> > > > > > > >     @"NTTestdomain\Administrator", "intelligroup");
> > > > > > > > pcoll = groupEntry.Properties;
> > > > > > > > MembersCollection = groupEntry.Invoke("Members");
> > > > > > > > **************************************************
> > > > > > > >
> > > > > > > > I have copied the stacktrace and the error code below.
> > > > > > > >
> > > > > > > > ERROR CODE: -2147024891
> > > > > > > > STACKTRACE:
> > > > > > > >    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
> > > > > > > >    at System.DirectoryServices.DirectoryEntry.Bind()
> > > > > > > >    at System.DirectoryServices.DirectoryEntry.get_NativeObject()
> > > > > > > >    at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
> > > > > > > >    at WebApplication3.WebForm1.Page_Load(Object sender, EventArgs e) in c:\inetpub\wwwroot\webapplication3\webform1.aspx.cs:line 32
> > > > > > > >
> > > > > > > > We couldn't find any relevant information for this
> > > > > > > > error code in MSDN
> > > > > > > >
> > > > > > > > --- Willy Denoyette <[EMAIL PROTECTED]> wrote:
> > > > > > > > > What does it do when using explicit credentials? Is
> > > > > > > > > there an exception thrown?
> > > > > > > > > Are you sure you have the authority and
> > > > > > > > > principal separated by a double back slash:
> > > > > > > > > "NTTestDomain\\Administrator",
> > > > > > > > >
> > > > > > > > > or a verbatim string....
> > > > > > > > > @"NTTestDomain\Administrator",
> > > > > > > > >
> > > > > > > > > Willy.
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: "george antony" <[EMAIL PROTECTED]>
> > > > > > > > > To: <[EMAIL PROTECTED]>
> > > > >
> > > > > === message truncated ===
> >
> > You can read messages from the DOTNET archive, unsubscribe from DOTNET, or
> > subscribe to other DevelopMentor lists at http://discuss.develop.com.
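
Added example, not part of the original thread or any poster's code: a C# sketch of the remote WinNT bind discussed above, using explicit credentials with AuthenticationTypes.Secure and recognising the thread's error code -2147024891, which is HRESULT 0x80070005 (E_ACCESSDENIED). The class name, method name and the environment variables DIR_BIND_USER and DIR_BIND_PASSWORD are hypothetical; the credentials are read from the environment instead of being embedded in source as they are in the thread's snippets.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class GroupMemberLister   // hypothetical name, for illustration only
{
    // -2147024891 (the ERROR CODE in the thread) is HRESULT 0x80070005, E_ACCESSDENIED.
    private const int E_ACCESSDENIED = unchecked((int)0x80070005);

    public static IList<string> ListMembers(string groupPath)
    {
        // Hypothetical variable names; the point is to keep the secret out of source.
        string user = Environment.GetEnvironmentVariable("DIR_BIND_USER");
        string password = Environment.GetEnvironmentVariable("DIR_BIND_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("Bind credentials are not configured.");

        List<string> names = new List<string>();
        try
        {
            // Explicit credentials plus AuthenticationTypes.Secure for the remote bind.
            using (DirectoryEntry group = new DirectoryEntry(
                groupPath, user, password, AuthenticationTypes.Secure))
            {
                // Invoke("Members") returns a COM collection; wrap each item to read its name.
                foreach (object member in (IEnumerable)group.Invoke("Members"))
                    using (DirectoryEntry entry = new DirectoryEntry(member))
                        names.Add(entry.Name);
            }
        }
        catch (COMException ex)
        {
            if (ex.ErrorCode != E_ACCESSDENIED) throw;
            // Report which identity was refused, never the password.
            Console.Error.WriteLine("E_ACCESSDENIED (0x{0:X8}) binding to {1} as {2}",
                ex.ErrorCode, groupPath, user);
        }
        catch (UnauthorizedAccessException)
        {
            // The same HRESULT can also surface as this exception type from COM interop.
            Console.Error.WriteLine("Access denied binding to {0} as {1}", groupPath, user);
        }
        return names;
    }

    public static void Main()
    {
        // Path taken from the thread.
        foreach (string name in ListMembers("WinNT://nttest/Administrators,group"))
            Console.WriteLine(name);
    }
}
```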