I think the best thing to do is follow the standard procedures for trouble
that Keith Brown wrote on delegation and troubleshooting. I'm not sure if
subscribers. It should be live soon regardless.
"reda" <reda@discussions.microsoft.com> wrote in message
news:8AF035F8-16E9-4DFE-884A-01820A9E6368@microsoft.com...
> Dear Joe,
>
> Thank You for your help.
>
> I found the document and tried to apply the delegation in Active
> Directory: first I made the user accounts trusted for delegation, not
> sensitive, and able to be delegated; then I made the web server computer
> trusted for delegation.
>
> But I still have the same error!!
> Are there any other settings that should take place in Active Directory or
> in the web server itself?
>
> Thank You,
>
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> This is a double hop issue. Essentially, the security token can go "one
>> hop" from either the browser to the web server or directly from the web
>> server to the AD if the browser was run from the local server, but it can't
>> go two hops from the browser to the web server to the AD.
>>
>> If you really must access AD with the security context of the current user
>> and you want to use IWA authentication in the web site, you need to also
>> implement Kerberos delegation to overcome the double hop limitation.
>>
>>
>> http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>>
>> If you don't need to use the authenticated user's security context to
>> access AD, then you can use a service account instead. If you specify
>> credentials or change the worker process to use a domain account and
>> disable impersonation, you can do this instead. This article has some
>> suggestions.
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
>>
>> Joe K.
>>
>> "reda" <reda@discussions.microsoft.com> wrote in message
>> news:70D7BC57-F466-408E-A6A6-C1A18A8FABAE@microsoft.com...
>> > Hi all,
>> >
>> > I am developing an asp.net application using Windows authentication from
>> > Active Directory on a local area network. The domain controller is not on
>> > the same machine as the IIS. When trying to get the display name of the
>> > logged in user I am getting an error if I try remotely, even if the user
>> > is logged in, but it works fine locally on the web server.
>> >
>> > I am new to using the DirectoryServices namespace and don't find any
>> > document that discusses how to implement an application like that using
>> > Active Directory hosted on another server.
>> >
>> > this is my code
>> >
>> > using System.DirectoryServices;
>> >
>> > // Search the Users container of the TAC.LOCAL domain for the logged-in user.
>> > DirectorySearcher ds = new DirectorySearcher();
>> > ds.SearchRoot = new DirectoryEntry("LDAP://CN=users,DC=TAC,DC=local");
>> > // FormFilter is a helper (not shown here) that builds the LDAP clause for the user.
>> > string filter = "";
>> > filter += FormFilter("user", userName);
>> > filter = "(|" + filter + ")";
>> > ds.Filter = filter;
>> > ds.PropertiesToLoad.Add("*");
>> > // The LDAP bind happens here, under whatever token the worker thread holds.
>> > System.DirectoryServices.SearchResult res = ds.FindOne();
>> >
>> > in the last line I get "An Operations error occurred"
>> >
>> > both of web server and domain controller are windows 2003 and the
>> > domain
>> > name is TAC.LOCAL
>> >
>> > any body can help me ?
>> >
>> > Regards,
>> >
>>
>>
>>