Account Permissions to query Active Directory

[Keith F.]

I'm working with my windows tech support guy on trying to give an ASP.NET 2.0
web app I built, adequate permissions so it can query active directory for
user roles created using Authorization Manager.
If we go into the application pool properties on the web server, and on the
Identity tab, select configurable identity, and put in my tech guy's username
and password, the app works fine. I can use the IsInRole method, etc.
We've tried creating a special account just for this, but we haven't been
able to figure out exactly what permission this account needs to access
active directory.
Can anyone tell me how to set the permissions to allow a least privledge
account to query active directory? or point me to a link that would help?
(Note: I'm using the AuthorizationStoreRoleProvider in my web.config)
Thanks,
KF

 

[MikeS]

Have you checked the security settings on the AzMan store or
application?

 

[Joe Kaplan \(MVP - ADSI\)]

This is a difficult question in general because AD allows such flexible
delegation of permissions. Typically, I'd expect someone in the
Authenticated Users group in AD to be able to read the AzMan objects in the
directory. However, your admins might have delegated the permissions such
that only specific users can read them. As such, a solution that works for
me might not work for you.

Assuming that the app works fine when used with a domain user who doesn't
have any special permissions but does not work when configured with Network
Service (which uses the computer account when accessing the network), it may
be the case that Domain Users have rights to read these objects, but not
Domain Computers. You might try examining the ACLs on the AzMan objects and
containers and see what you can tell.

Best of luck,

Joe K.