Tags: active-directory, windows-authentication, impersonation, kerberos, delegation

Impersonate with Delegation or More than one hop on Kerberos? Completely lost


My issue here is how to deal with security and a proper implementation of impersonation which will work from a client machine and authenticate properly to my IIS server which passes the still valid impersonation ticket along with the LDAP request.

My system is an independent server running on my company intranet which hosts the domain controller, LDAP server, etc., and uses the Kerberos protocol.

  • System Info: IIS7 with Windows Auth and Impersonate on Windows 7 x64
  • Network Info: IIS 6, LDAP, Kerberos

Here is my VB.NET method.

Imports System.DirectoryServices
Imports System.Web

Protected FirstName, LastName, EMail As String

' Escapes the characters that have special meaning inside an LDAP search filter
' (RFC 4515) so a caller-supplied user name cannot alter the filter.
Private Shared Function EscapeLdapFilter(ByVal value As String) As String
    Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                .Replace(")", "\29").Replace(Chr(0), "\00")
End Function

Protected Sub Lookup(ByVal UserName As String)
    ' Strip a DOMAIN\ or DOMAIN/ prefix, leaving the bare sAMAccountName.
    UserName = Trim(UserName)
    UserName = Replace(UserName, "\", "/")
    UserName = Right(UserName, Len(UserName) - InStr(1, UserName, "/"))

    ' Run the query under the caller's Windows identity so the DC sees the
    ' delegated user rather than the application pool account.
    Using Hosting.HostingEnvironment.Impersonate() 'ADDED
        Dim directoryEntry As New DirectoryEntry("LDAP://dl/DC=dl,DC=net")
        'directoryEntry.AuthenticationType = AuthenticationTypes.Delegation 'REMOVED

        Dim ds As New DirectorySearcher(directoryEntry)
        Try
            ds.PropertiesToLoad.Add("givenName") 'First Name
            ds.PropertiesToLoad.Add("sn")        'Last Name
            ds.PropertiesToLoad.Add("mail")      'Email
            ds.PropertiesToLoad.Add("userPrincipalName") 'Fallback when mail is empty

            ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilter(UserName) & "))"
            Dim r As SearchResult = ds.FindOne() 'Query LDAP; find record with UserName.
            If r Is Nothing Then Exit Sub 'No such account; leave the fields empty.

            'Populates all the variables retrieved from LDAP.
            FirstName = If(r.Properties.Contains("givenName"), Trim(CStr(r.Properties("givenName")(0))), "")
            LastName = If(r.Properties.Contains("sn"), Trim(CStr(r.Properties("sn")(0))), "")
            ' Contains() returns a Boolean, never Nothing, so test it directly.
            If r.Properties.Contains("mail") Then
                EMail = Trim(CStr(r.Properties("mail")(0)))
            ElseIf r.Properties.Contains("userPrincipalName") Then
                EMail = Trim(CStr(r.Properties("userPrincipalName")(0)))
            Else
                EMail = ""
            End If
            EMail = EMail.ToLower()
        Catch ex As Exception
            'Error Logging to Database Here
        End Try
    End Using
End Sub

Please ask any questions necessary to get the information you need to help me. I've been researching this for weeks and it seems that Impersonation has such an insane number of variables that I could easily get lost. I just can't figure out how to implement this in my code... I'm still fairly new to .NET :(


Solution

  • You shouldn't need to configure an AuthenticationType for this to work. You will however need to ensure that the service account (or computer account if network service) hosting the code above is allowed to delegate to the LDAP service on all of the DCs in your environment.
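The following script is an added example of what "allowed to delegate to the LDAP service on all of the DCs" looks like in practice; it is not part of the original answer. It assumes the domain is dl.net, the IIS application pool runs as the domain account DL\svc_iis, and the site is reached as intranet.dl.net; all three names are placeholders. It registers the HTTP SPN the site needs (without it browsers silently fall back to NTLM and there is no Kerberos ticket to forward), grants constrained delegation to the ldap/ SPNs of every DC, and then reads the result back so you can verify it.

```powershell
# Added example, not from the original post. Assumed names: domain dl.net,
# application pool account DL\svc_iis, site host name intranet.dl.net.
Import-Module ActiveDirectory

$svcAccount = 'svc_iis'
$siteHost   = 'intranet.dl.net'

# 1. The site needs an HTTP SPN on the account the app pool runs as. If the
#    app pool runs as Network Service, register the SPNs on the web server's
#    computer account (WEBSRV$) instead and use Set-ADComputer below.
setspn -S "HTTP/$siteHost" "DL\$svcAccount"
setspn -S "HTTP/$($siteHost.Split('.')[0])" "DL\$svcAccount"

# 2. Enumerate the LDAP SPNs of every DC in the domain (FQDN and short form,
#    since the client may request either).
$ldapSpns = Get-ADDomainController -Filter * | ForEach-Object {
    "ldap/$($_.HostName)"
    "ldap/$($_.Name)"
}

# 3. Constrained delegation (Kerberos only): the service account may obtain
#    tickets to exactly these services on behalf of the impersonated user.
#    Do NOT set TrustedForDelegation (unconstrained); that lets the web server
#    hold a forwardable TGT for every user who authenticates to it.
Set-ADUser -Identity $svcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $ldapSpns }

# 4. Verify: SPNs present, delegation list populated, and no unconstrained or
#    protocol-transition flags set.
Get-ADUser -Identity $svcAccount -Properties ServicePrincipalNames,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, ServicePrincipalNames,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
```

Leave TrustedToAuthForDelegation ("use any authentication protocol") off unless clients genuinely cannot authenticate with Kerberos: it lets the account request tickets for any user to those LDAP services without the user ever presenting credentials to it. On the web server, a quick check that the first hop is actually Kerberos is `User.Identity.AuthenticationType` in the page, which should read Negotiate or Kerberos, not NTLM; if it is NTLM, fix the SPN first, because no amount of delegation configuration will help.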