active directory - Can I impersonate a client authenticated with forms auth and establish a trusted connection to SQL Server? -

-

here i've been trying do

build asp.net mvc 3 application forms authentication , active directory membership. web server , database different physical servers hence double hop.

i thought answer older article on constrained delegation , protocol transition? far, have not been able technique work.

i'm testing dev machine (windows 7, iis7) web server before deploying windows 2008 (iis7) in production setup. windows 2008 make difference?

what works , fails

i'm able login forms auth , ad membership. seem working fine. when try make database call using code:

public void asuser(action action)     {         using (var id = new windowsidentity(user.identity.name + @"@example.com"))         {             windowsimpersonationcontext context = null;             try             {                 context = id.impersonate();                 action.invoke();             }             catch (exception ex)             {                 // ex.message type initializer system.data.sqlclient.sqlconnection threw exception                 // buried inner exeption requested registry access not allowed             }                         {                 if (context != null)                 {                     context.undo();                 }             }         }     }

it fails exception leading me believe have setup issues on local dev server. inner exception requested registry access not allowed.

if set breakpoint , inspect windowsidentity after impersonate() call see impersonationlevel set identification. seems clue not setup correctly. can confirm?

am on right track , possible setup? pointers appreciated.

i think on right track. need more troubleshooting work on protocol transition setup.

i assume configured active directory membership provider correctly can logon web page using active directory user name , password. if that's not case, please ignore rest of answer :)

from saw in question, got user's token using s4uself windowsidentity. then, using s4uproxy pass impersonated token sql server. since said got impersonationlevel.identification only, means failed protocol transition.

you need understand allowing 1 machine protocol transition in domain high privilege. granting server protocol transition means trust server domain controller. need consciously make decision in ad turn server have ability , have domian administrator make change. if haven't done this, didn't setup thing properly.

there couple things check.

first, make sure selected "trust computer delegation specified services only" , picked "select use authentication protocol" on service account. may create domain account. here link on how create service account asp.net. remember, need domain account. after created domain service account, make sure go delegation tab on account , selected correct options.

second, need make sure spns set properly. realize link posted mention spn of asp.net service account. actually, need make sure service account on sql server set properly. otheriwse, windows won't use kerberos authentication @ all. fall use ntlm. there lot of details setup spn correctly on sql server. can check here first , see if have luck. experience, of dba don't know how set them properly. don't aware of because applications work fine ntlm. need pay attention sql server service account , port number it's using.

third, need make sure there nothing disabling kerberos delegation. sensitive ad accounts default not allowed delegated. example, built-in administrator account. so, better use other normal user accounts testing purpose.

update

i found another article teaching how setup protocol transition asp.net. mentioned need grant tcb right iis service account in order make sure can create impersonation type windowsidentity. can give shot.


Comments

Post a Comment

Popular posts from this blog

python - Scipy curvefit RuntimeError:Optimal parameters not found: Number of calls to function has reached maxfev = 1000 -

-
Image
i want make logharitmic fit. keep getting runtime error: optimal parameters not found: number of calls function has reached maxfev = 1000 i use following script. can tell me go wrong? use spyder still beginner. import math import matplotlib mpl scipy.optimize import curve_fit import numpy np #data f1=[735.0,696.0,690.0,683.0,680.0,678.0,679.0,675.0,671.0,669.0,668.0,664.0,664.0] t1=[1,90000.0,178200.0,421200.0,505800.0,592200.0,768600.0,1036800.0,1371600.0,1630800.0,1715400.0,2345400.0,2409012.0] f1n=np.array(f1) t1n=np.array(t1) plt.plot(t1,f1,'ro',label="original data") # curvefit def func(t,a,b): return a+b*np.log(t) t=np.linspace(0,3600*24*28,13) popt, pcov = curve_fit(func, t, f1n, maxfev=1000) plt.plot(t, func(t, *popt), label="fitted curve") plt.legend(loc='upper left') plt.show() your original data t1 , f1 . therefore curve_fit should given t1 second argument, not t . popt, pcov = curve_fit(func,
Read more

c# - How to add a new treeview at the selected node? -

-
i have treeview 4 levels; parent, child, grandchild, great-grandchild. selectednode @ grandchild level. what i'm trying create new "treeview" @ grandchild - no, dont wnat create new node "selectednode" (grandchild). should somelike this: parent child grandchild (new treeview) parent grandchild great-grandchild child great-grandchild child grandchild grandchild it similar parent table mother , father went off , had new childern different spouse other spouse of there existing children. private sub populaterootlevel() ' query find first round of parent populatenodes(dt, jcatreeview.nodes) end sub private sub populatenodes(byval dt datatable, byval nodes treenodecollection) each dr datarow in dt.rows dim tn new treenode() tn.text = dr("title").tostring()
Read more

java - netbeans "Please wait - classpath scanning in progress..." -

-
when try compile netbeans projects message/error : "please wait - classpath scanning in progress..." and nothing happens , have have wait enternity conmpile "hello world"... now first thing have moved new office building, laptop same. it's secure enviroment lot of "security", can't connect anywhere almost. have changed user dir in netbeans.conf save data in c:\program files\user any ideas how fix this? alrady tried reinstalling netbeans, changing save location between standart , newone... just ideas find problem look @ cpu - netbeans busy (100% on 1 core) or blocking (95% idle)? standard, ant or maven build? libraries , use absolute or relative paths? start simple "hello world" project (no dependencies), add 1 lib (log4j or similiar), located in project folder , - if works - move lib other locations (choose locations similiar libs on real classpath) there chance, don't have access rights folders/shares conta
Read more