Paul Hadfield
Hi,
I started off yesterday with what seemed like a simple requirement - for an
intranet ASP.Net (2.0) application using Windows authentication, use Active
Directory to get the Full Name and Email address for the logged in user.
This was my first time I'd looked into AD, having not needed to access it
before and our network is managed by a separate department - so was learning
from ground up.
In the end I got a prototype working, but it required a valid NT user name
password to be stored either in the code (to be passed into
DirectoryEntry()) or in web.config for impersonation. Whilst the relevant
section of the web.config could be encrypted, I don't believe it's an ideal
solution, if only because our passwords change every 'n' days (SBOX
requirement). I read something about anonymous access for DirectoryEntry(),
however it would appear that our AD has not been configured to allow this,
nor can I get that changed. Googling on the web, I see this to be a fairly
common issue - however the solution (or workaround) of storing user details
in web.config just isn't workable for us.
I have another solution in my head, but it feels slightly over-engineered.
As my AD exposure is very limited, I was wondering what other people think
or if they've found another solution. Basically I'm thinking I could create
a windows service that ran under the NETWORK user, which handled calls to
AD. This windows service could be accessed by the website, using .Net
Remoting. This way, the NT user details are not being stored anywhere that
is not secure (i.e. website details in IIS admin and web service in relevant
MMC service property). If the NETWORK user does not have enough rights, I
believe I'll be able to release the windows service to our dept that manages
AD - they could install it onto a single server running under one of the
service accounts (which is not subject to the password change policy). What
do people think, does this seem like a workable solution, is there something
similar freely available?
Regards,
- Paul Hadfield.
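The lookup Paul describes, written as an added example that is not code from the post: it binds to AD with no stored user name or password, so the query runs as the process identity (the application pool account, or the service account if hosted in the proposed Windows service), and it escapes the account name before building the LDAP filter. The LDAP path and the assumption that impersonation is turned off are placeholders/assumptions for your environment.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original post. Assumes the web app runs
// without <identity impersonate="true"/>, so DirectoryEntry binds as the
// application pool identity (e.g. NETWORK SERVICE presents the machine
// account to AD). DomainPath is a placeholder for your own domain.
public static class AdUserLookup
{
    private const string DomainPath = "LDAP://DC=example,DC=corp"; // placeholder

    // Escapes characters with special meaning in an LDAP filter (RFC 4515)
    // so the caller-supplied account name cannot alter the query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns displayName and mail for the Windows-authenticated caller.
    // identityName is "DOMAIN\user" as given by User.Identity.Name.
    public static bool TryGetNameAndMail(string identityName, out string fullName, out string email)
    {
        fullName = null; email = null;
        int sep = identityName.LastIndexOf('\\');
        string sam = sep >= 0 ? identityName.Substring(sep + 1) : identityName;

        // No credentials passed: the bind uses the current process identity.
        using (DirectoryEntry root = new DirectoryEntry(DomainPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeFilterValue(sam) + "))";
            searcher.PropertiesToLoad.Add("displayName");
            searcher.PropertiesToLoad.Add("mail");
            SearchResult result = searcher.FindOne();
            if (result == null) return false;
            if (result.Properties["displayName"].Count > 0) fullName = (string)result.Properties["displayName"][0];
            if (result.Properties["mail"].Count > 0) email = (string)result.Properties["mail"][0];
            return true;
        }
    }
}
```

Call `TryGetNameAndMail(HttpContext.Current.User.Identity.Name, out name, out mail)` from the page; if the pool identity is not permitted to read those attributes, the same class can run unchanged inside the service Paul proposes, under the service account.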