Fog Creek Software
Discussion Board





Joel on Software

IIS security settings

I've got a .NET app up and running now that queries and updates the Active Directory.

It works fine with impersonation enabled in the Web.Config, basic authentication enabled and digest authentication for WinDNS servers enabled.

However, if I try to switch on integrated windows authentication the whole app fails with 'cannot create ActiveX component'.

Anybody know why this could be? When I tested this app on two laptops (one running AD and the other one being the client) it worked fine.

Colm O'Connor
Thursday, March 17, 2005

You might like to set some breakpoints and check that the various identities are actually set to what you expect, as your code is running. Although, admittedly, it sounds like you've got everything right (http://support.microsoft.com/kb/810572) ....

...in which case it might be an issue with delegation. I.e. your server is, indeed, impersonating the user, but it cannot propagate that identity on to the domain controller that runs AD. Imagine the basic auth case: if the server needs to impersonate the user when it accesses AD it can do so easily, because it has the user's username AND password. But now imagine a Windows authentication scenario: the server doesn't have the password, because the password never crosses the wire.

Depending on your situation, you may or may not be able to set up a solution using Kerberos and delegation. This is the best link I could find (in an admittedly rather brief search): http://support.microsoft.com/kb/810572 If you do a bit more Googling yourself you may find a better explanation.

John Rusk
Friday, March 18, 2005
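The identity check suggested in the reply above, as an added example that is not part of the original thread or any poster's code. `IdentityReport` and `Describe` are hypothetical names, and the helper assumes an ASP.NET application with `System.Web` available and impersonation enabled in Web.config as described in the question.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic helper (added example): reports the identities in
// play for the current request so they can be compared with what you expect.
public static class IdentityReport
{
    public static string Describe(HttpContext context)
    {
        var sb = new StringBuilder();

        // The identity IIS/ASP.NET authenticated for this request.
        IIdentity requestUser = context.User != null ? context.User.Identity : null;
        if (requestUser == null || !requestUser.IsAuthenticated)
        {
            sb.AppendLine("Request user:        (anonymous)");
        }
        else
        {
            sb.AppendLine("Request user:        " + requestUser.Name);
            // Typically "Basic", "NTLM", "Negotiate" or "Kerberos".
            sb.AppendLine("Request auth type:   " + requestUser.AuthenticationType);
        }

        // The Windows token the code is actually running under. With
        // impersonation enabled this should be the caller, not the
        // worker-process account.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Thread token user:   " + current.Name);
            sb.AppendLine("Token auth type:     " + current.AuthenticationType);

            // Under Integrated Windows authentication, a level of Impersonation
            // means the token is only good on this server; Delegation means it
            // may be presented to another machine such as the domain controller.
            TokenImpersonationLevel level = current.ImpersonationLevel;
            sb.AppendLine("Impersonation level: " + level);
            sb.AppendLine("Token delegable:     " +
                (level == TokenImpersonationLevel.Delegation));
        }

        return sb.ToString();
    }
}
```

Call `IdentityReport.Describe(HttpContext.Current)` from a page once under basic authentication and once under integrated Windows authentication, then compare the two reports.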
