Active Directory Authorization Store question

hey

I'm using Authorization and Profile block in my middle tier (.NET Remoting
hosted under IIS) for role-based application security. It's all good when the
authorization store is placed in a local XML file. But this is only good in
development. In the production environment the store needs to be integrated into
Active Directory.

The middle-tier (ASP.NET) is supposed to be configured to run under a least
privileged local account. But I cannot successfully configure any local
account (neither custom account nor built-in account) to communicate with the
remote AD authorization store.

The steps were:
1. Create an authorization store in AD
2. Assign the computer account of the server running ASP.NET to the Readers
group of the store.

My question is whether a non-domain account can be used to run open and
query a remote authorization store in Active Directory. If yes, then what are
the requirements for this local account (like membership, permissions, etc.)?

Thanks
Ming
 
Joe Kaplan (MVP - ADSI)

You'll need a domain account if you want to talk to AD using the credentials
of your current thread. If you can specify credentials somehow then you
have more flexibility.

Can you set up ASP.NET to run as a low privileged domain account?

Joe K.
 
hey

Thanks for your reply Joe.

For sure it works by using a domain account.

But the preference is to use a local account, which will be consistent with
the way to communicate with the backend server. We have set up mirrored
local accounts in the middle-tier and backend database server to facilitate
Windows authentication between the two.

Ming
 
Joe Kaplan (MVP - ADSI)

I'm not a huge fan of the mirrored local account as it is pretty brittle.
Wouldn't it be easier to use a domain account for that purpose too? That
would seem to solve both problems. You can still use a least privilege
account for this purpose.

Joe K.
 
