Webservice IsInRole and LDAP to AD

Harold

Can someone explain to me why IsInRole will work, but using
DirectorySearcher will not? The code is running in a business object behind
a webservice. The user's credentials (Windows authentication) are being
passed to the webservice. The webservice is configured for "integrated
Windows authentication" and no "anonymous access".

The error "An operations error occurred" occurs when FindOne is executed.
The LDAP information is good as it works when it is not behind the
webservice.

If this is because of the double-hop of a token, how can IsInRole use the
token and not DirectorySearcher?

Here's the code:

For using LDAP:

Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Threading

' Impersonate the authenticated caller, then search AD for that caller's user object.
Sub SearchCurrentUser()
    Dim ID As WindowsIdentity = CType(Thread.CurrentPrincipal.Identity, WindowsIdentity)
    Dim ImpersonateContext As WindowsImpersonationContext = ID.Impersonate()
    Try
        ' The LDAP path must be passed as a string literal.
        Dim oLDPA As New DirectoryEntry("LDAP://ServerName/DC=name1,DC=name2,DC=net")
        Dim oSearch As New DirectorySearcher(oLDPA)
        Dim oGroups As New Hashtable
        With oSearch
            ' sAMAccountName is the part of DOMAIN\user after the backslash.
            .Filter = String.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
                                    Split(Thread.CurrentPrincipal.Identity.Name, "\")(1))
            .CacheResults = False
            .PropertyNamesOnly = True
            .ReferralChasing = ReferralChasingOption.All
            ' "An operations error occurred" is raised here when the bind is anonymous.
            Dim iSearchResult As SearchResult = .FindOne()
        End With
    Finally
        ' Always revert to the process identity.
        ImpersonateContext.Undo()
    End Try
End Sub

For using IsInRole:

If System.Threading.Thread.CurrentPrincipal.IsInRole(sGroup) Then
    ' caller is a member of sGroup
End If


Thanks,
Harold
Joe Kaplan (MVP - ADSI)

This is probably an issue related to security context. It is explained
pretty thoroughly here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Essentially, you are probably either running as a local machine account and
your bind to AD will end up being anonymous or you are impersonating a
domain account, but your token can't delegate to another machine, so you
still end up with an anonymous bind.

You can verify this is the problem easily by changing the constructor for
your search root DirectoryEntry to include credentials.

Also, S.DS questions are usually best asked in the adsi.general group
(although this is obviously relevant to ASP.NET too).

Joe K.
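An added example, not code from Harold's or Joe's posts, that does the two things Joe's answer points at: it checks whether the impersonated token is delegation-capable (the double-hop diagnosis) and re-runs the same sAMAccountName search with the search root bound under explicit credentials. The LDAP path, the service account name and password, the sample user "jdoe", and the helper names CallerTokenCanDelegate and EscapeFilterValue are assumptions; WindowsIdentity.ImpersonationLevel assumes .NET 2.0 or later.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Threading

Public Module AdBindCheck

    ' True only when the caller's token can be forwarded to another machine (the DC).
    ' A token at the Impersonation level is valid on the web server only; using it for a
    ' network bind to AD degrades to an anonymous bind, which FindOne then reports
    ' as "An operations error occurred".
    Public Function CallerTokenCanDelegate() As Boolean
        Dim id As WindowsIdentity = TryCast(Thread.CurrentPrincipal.Identity, WindowsIdentity)
        If id Is Nothing Then Return False
        Return id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Escapes a value placed inside an LDAP search filter (RFC 4515) so that
    ' characters such as * ( ) \ cannot change the meaning of the filter.
    Public Function EscapeFilterValue(value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                    .Replace(")", "\29").Replace(vbNullChar, "\00")
    End Function

    ' Same search as in the question, but the search root is bound with explicit
    ' credentials, so the result no longer depends on the caller's token.
    Public Function FindUserWithExplicitBind(ldapPath As String, bindUser As String, _
                                             bindPassword As String, samAccountName As String) As SearchResult
        Using root As New DirectoryEntry(ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = String.Format("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
                                                EscapeFilterValue(samAccountName))
                searcher.PropertiesToLoad.Add("distinguishedName")
                Return searcher.FindOne()
            End Using
        End Using
    End Function

    Sub Main()
        Console.WriteLine("Token can delegate to the DC: " & CallerTokenCanDelegate())
        ' Placeholders (assumed): a real LDAP path and a low-privilege, read-only service account.
        Dim result As SearchResult = FindUserWithExplicitBind("LDAP://ServerName/DC=name1,DC=name2,DC=net", _
                                                              "name1\svc_adread", "<password>", "jdoe")
        If result Is Nothing Then
            Console.WriteLine("No such user.")
        Else
            Console.WriteLine(result.Properties("distinguishedName")(0))
        End If
    End Sub
End Module
```

If CallerTokenCanDelegate() returns False while the explicit-credential search succeeds, the double-hop explanation is confirmed; keep the service account's password out of source (for example in a protected configuration section) rather than in the code.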
Harold

Thanks for the article. I understand what is being said about the primary
token and how to get around it. What I'm having a hard time understanding
is how can the IsInRole method access the AD information and not the
DirectorySearcher. Are they not both using the same token?

Joe Kaplan (MVP - ADSI)

WindowsPrincipal.IsInRole isn't using LDAP to talk to AD. Windows
authentication uses RPC to authenticate and communicate with the domain
controller.

They also may not be using the same token. Windows authentication happens
down in the lower levels of IIS directly, not in the ASP.NET stack.
Inetinfo.exe will pass the user's token to the aspnet_wp.exe process or your
app pool worker process on IIS 6, and they almost never use the same process
token.

Joe K.