Double Hop Issues

S

- Steve -

I have a website that creates new user accounts in AD, and mailbox enables
them in Exchange. Everything worked fine back when I was using basic
authentication.

When I switched to Forms Based Authentication (authenticating against AD
still) I have problems adding users to groups, and I have problems creating
the Exchange mailbox. I can still create the mailbox just fine.

I'm pretty certain this is a double hop issue. So I tried the following.
On the computer account for the web server I enabled delegation. I selected
the radio button "Trust this computer for delegation to any services
(Kerberos Only)", but that doesn't seem to fix it.

Any idea what's going on here?

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 
R

Raterus

Forms Authentication isn't going to impersonate your logged on user because Forms Authentication doesn't directly authenticate these users against active directory. You've created the code to check AD, and then told Forms Authentication if they are validated or not.

If you need to impersonate an actual user, take a look at the code found on this page. http://support.microsoft.com/default.aspx?scid=kb;en-us;306158 You should be able to easily do it, since you had their username/password at one point in the application. You will have to keep track of their password somehow, perhaps in a FormsAuthenticationTicket, since I doubt you are running this code right after they log in.

Hope this helps,
--Michael
 
S

- Steve -

Yes I'm already impersonating the user at necessary times. That's why I'm
able to create the AD account. But then it uses WMI against the Exchange
server to create the mailbox. (I believe I'm correct on that)

Shouldn't allowing the IIS boxes computer account to delegate get this to
work?

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708


Forms Authentication isn't going to impersonate your logged on user because
Forms Authentication doesn't directly authenticate these users against
active directory. You've created the code to check AD, and then told Forms
Authentication if they are validated or not.

If you need to impersonate an actual user, take a look at the code found on
this page. http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
You should be able to easily do it, since you had their username/password at
one point in the application. You will have to keep track of their password
somehow, perhaps in a FormsAuthenticationTicket, since I doubt you are
running this code right after they log in.

Hope this helps,
--Michael
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Creating Exchange Mailbox 1
Delegation: the usual double hop question... 4
Impersonation and double hop 3
Forms Authentication and Active Directory 7
Pass Credentials when opening Link 3
defaultcredentials - double hop? way around this? 0
Gracefully Handling Logged Out User 6
Forms Based Authentication, Except on Certain Files 1

Members online

Total: 79 (members: 1, guests: 78)
Robots: 203

Forum statistics

Threads
473,982
Messages
2,570,186
Members
46,739
Latest member
Clint8040

Latest Threads

Top