You are hereForums & Blogs > Forums
Register   |  Log In
 Forum
Minimise
 
ForumForumDiscussions and...Discussions and....Net framework ....Net framework ...Update Active directory from an ASP.NET web siteUpdate Active directory from an ASP.NET web site
Previous Previous
 
Next Next
New Post
 09/02/2009 12:21
 
User is offline Santhi
No Ranking

Joined: 02/02/2009
3 posts

Hello Richard,

Its Chrysanthi from United Nations in Geneva.

I need some help with my application.  If you can give me some info I would be grateful.

I have an ASP.NET 3.5 application and I want to update some fields in the active directory, from my application. 

The application runs to the intranet  using windows authentication.  While the update works fine in my computer when I publish it to the server it doesn't work.  I receive an error "An operations error occured".  My windowns account can update active directory accounts but it seems that the server uses different credentials.  Do I need to use impersonate and if yes how exactly.

 

Thank you in advance and have a nice day.

 

 

 
New Post
 09/02/2009 12:41
 
User is offline Richard Howells
7th Level Poster

Joined: 14/09/2006
71 posts

Hi Chrysanthi - lovely to hear from you.

First - full disclosure - I have never done this so I don't know.  Here is my guess. 

I think, as you suggested it is related to credentials.

I think you have four choices:

- ask the AD administrators to allow the 'Network Service' (on windows server 2003) account to update AD.

- configure your web application into a private application pool and set that pool to use an account that has update rights to AD

- use impersonation in your web site.  You need a tag like this in the web config...

 <identity impersonate="true" userName="trustedToUpdateAD" password="LongAndDifficultToGuess"/>

Yes - it does mean that the password is written in plain text in the web config file.

- if you are already using AD to determine who has access to the site then you could try

<identity impersonate="true" />

This means that the web server will use the credentials of the logged in user.  When you connect to AD, if that user is allowed to update it should work, else it should be denied.

You need to consider what security you need in your application.  I think I option 4 is probably the most secure of the three but relies on you using AD for authentication.

Do let us know how it works out for you.

Cheers,
- Richard
If this post helped you over a problem, or taught you something new, please login and rate it. Ratings are in the drop down in the top left corner
New Post
 09/02/2009 15:41
 
User is offline Santhi
No Ranking

Joined: 02/02/2009
3 posts
 Modified By Santhi on 09/02/2009 16:42:24

Hello Richard,

Thanks for the quick response. 

Actually we don't want to use the first solution,neither the third one although it works fine but it's not at all secure.

I have  already set  impersonate  to true in my web.config but it doesn't work.

I use also windows authentication and this seems to create a "secondary" token which cannot be authenticated against another server when the page is imperonated.  At least that is what I found in Internet. 

The error message I receive is -2147016672 An operations error occured.

I don't know how to implement the second solution, but for the time being we are working in the fourth option.

I'll let you know if we find a solution.

Thank you

 
New Post
 09/02/2009 16:10
 
User is offline Richard Howells
7th Level Poster

Joined: 14/09/2006
71 posts

Hi Chrysanthi,

The second solution is a Server2003+ only method. It is done in IIS Manager.  Create a new Application Pool, and inside that configure the identity as the account you will allow access to AD.

Still in IIS manager go to the configuration for your site and on the Home Directory tab configure your site to use the new Application Pool.

I know you don't like option 3 very much.  This article http://msdn.microsoft.com/en-us/library/xh507fc5(VS.71).aspx mentions that option 3 does create a authorisation token that can be delegated to another server.  It doesn't actually say that option 4 does not allow delegation, but neither does it say it does allow delegation.  My bet is it does not.  It does point out a way that the id/password can be held encrypted in the registry.  That might cover your security concerns.

Cheers,
- Richard
If this post helped you over a problem, or taught you something new, please login and rate it. Ratings are in the drop down in the top left corner
New Post
 10/02/2009 08:34
 
User is offline Santhi
No Ranking

Joined: 02/02/2009
3 posts

 

Hi Richard,

 

We finally managed to solve our problem.

We followed the fourth option where :

1. In the Web.config we set:

    <

identity impersonate="true" />authentication mode="Windows"/>

2.  We created a connection to Active Directory using DirectoryServices (DirectoryEntry,DirectorySearcher)

3.  In Active Directory in Computers we found the server and went to Properties.  In the tab Delegation we clicked in the option

      Trust this computer for delegation to any service (Kerberos only)

and it worked.

You can find more in the article below:

http://msdn.microsoft.com/en-us/library/aa302400.aspx#secnetht05_topic3

It was nice talking to you and exchange information.

Thank you and have a nice day

   <
 Page 1 of 1
Previous Previous
 
Next Next
ForumForumDiscussions and...Discussions and....Net framework ....Net framework ...Update Active directory from an ASP.NET web siteUpdate Active directory from an ASP.NET web site

     
 Forum Usage Guidelines
Minimise

The forums are a place for all to exchange ideas and techniques, and to post and answer questions.  All are welcome to read, registration is required to post. 

If you learn somthing new, discover or acquire a new technique, then please take a moment to register and rate the post that just helped you.  This site does not send spam and it does not release your personal details.  Full details in the site privacy policy.

We have some simple posting guidelines to keep the forums a pleasant and informative environment.

  • No flames, no trolls
  • No profanity, no racism
  • Site management has the final word on approving or removing any thread, post, or comment
  • English language only please

 

  

Dynamisys is based near Swindon, Wiltshire, in the South West, and works with customers located throughout the UK. or telephone us on (+44) 1793 731225.

Learn more...
Next page(s)...
Blogs

This page
Forums

Previous Page(s)...
Home   |   Agile   |   Articles & Downloads