Account for form authentication to AD

Guest

Hi,
I read Microsoft KB article Q316748, and it says that in order for forms authentication to work I need to configure IIS for anonymous authentication as follows:

Configure IIS for Anonymous Authentication
To configure IIS for anonymous authentication, follow these steps:
1. In IIS, click to select the Anonymous Authentication check box.
2. Make the anonymous account for the application an account that has permission to the Active Directory.
3. Click to clear the Allow IIS To Control Password check box.

Just what do we need to do for step 2, please?!

TIA
 
Joseph Bittman MCAD

June 4, 2005

Is there a specific reason why you want to use a custom guest account for
ASP.Net? If not then you don't need to go to all that work. There is an
account configured by Microsoft to be used for anonymous authentication for
Forms Auth that almost everybody uses. It is named IUSR_MACHINENAME. Just
put in IIS that account name IUSR_(MACHINENAME) where machinename = the name
of the server. IIS SHOULD control the password. Hope this helps!
--
Joseph Bittman Beta ID# 678424
Microsoft Certified Application Developer

Web Site: http://71.35.110.42
Dynamic IP -- Check here for future changes
 
Guest

I need to have access to AD, i.e. be able to add/change/delete AD objects!

Joseph Bittman MCAD

June 4, 2005

Sorry, I read more of the article and I understand now. You need to
create a user account that has AD permissions to query AD for users and
groups, but still has some sort of least privilege. I'm not familiar with
how you configure AD permissions for LDAP queries so I hope somebody else
can help you! Sorry, but have a great day!

Paul Glavich [MVP ASP.NET]

Get an administrator for the AD to create a user for you. Without the
required privileges, you won't be able to do it.
 
Guest

I have administrator rights on this server, but I am not sure if I need to be
a member of "domain admin" to do the job, or whether some other group will do?!

Joseph Bittman MCAD

June 6, 2005

hmmm.... If I remember right..... I have accessed the AD Users and
Computers snap-in and viewed everything with a standard account; I just
couldn't change anything.... You should be able to do the same from code
with a standard account then.

Guest

I know, that is exactly what I need to do: add/change/delete AD
objects!
TIA
 
Joe Kaplan (MVP - ADSI)

The best practice is to use an account with the least privileges
possible. For basic provisioning stuff, an account in Account Operators
should be fine, but you can get it much more granular if you delegate
permissions for a single container (OU) to a more restricted account.

I would also suggest not using this account as the anonymous account in IIS.
That is giving a LOT of privilege in AD for something with such a high
surface area to the public. Instead, I'd suggest using the minimum
privileged account for your simple queries and switch to a higher privileged
account for provisioning activities. You can do this by passing credentials
directly with the DirectoryEntry or moving the provisioning code to a COM+
component running under the privileged identity.

Joe K.
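An added example (not from the thread or any of the posters) of the split Joe describes, in C# with System.DirectoryServices: read-only lookups bind as whatever identity the page already runs under, while provisioning binds with a separate delegated account whose credentials are passed directly to DirectoryEntry. The OU path and the appSettings key names are assumptions.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;

public static class AdAccess
{
    // Assumed: the OU on which the provisioning account has been delegated rights.
    const string UsersOu = "LDAP://OU=Staff,DC=example,DC=com";

    // Read-only lookup. No credentials are passed, so this binds as the identity
    // the ASP.NET worker (or the IIS anonymous account) runs under; that account
    // then only needs read access to the directory.
    public static string FindUserDn(string sAMAccountName)
    {
        using (var root = new DirectoryEntry(UsersOu))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the value so user input cannot change the filter's meaning.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                            + EscapeFilter(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    // Provisioning: bind with the separate delegated account for this call only.
    public static void CreateUser(string cn, string sAMAccountName)
    {
        // Assumed appSettings keys; keep them in an encrypted web.config section
        // (aspnet_regiis -pe) rather than in cleartext in source or config.
        string user = ConfigurationManager.AppSettings["ProvisioningUser"];
        string pwd = ConfigurationManager.AppSettings["ProvisioningPassword"];

        // Secure + Sealing: authenticated bind with the LDAP traffic encrypted.
        var auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
        using (var ou = new DirectoryEntry(UsersOu, user, pwd, auth))
        using (DirectoryEntry newUser = ou.Children.Add("CN=" + cn, "user"))
        {
            newUser.Properties["sAMAccountName"].Value = sAMAccountName;
            newUser.CommitChanges();
        }
    }

    // RFC 4515 escaping for values embedded in an LDAP search filter.
    static string EscapeFilter(string s)
    {
        return s.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
                .Replace(")", @"\29").Replace("\0", @"\00");
    }
}
```

The provisioning account should be granted rights on that one OU only (or placed in Account Operators, as Joe suggests), so a compromise of the web tier does not hand out directory-wide write access.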
 
Guest

Hi Joe,
I am trying to implement "impersonation", hoping that would eliminate the
need to hard-code credential information in any of the files and
maintain the flexibility for users to change passwords, and of course at the
same time be able to delegate administration to different authenticated
users, etc. But I guess this impersonation thing is what is giving the
errors I have in another thread I just posted, "form authentication - errors"!!!