AD user authentication

I am trying to create an ASP.NET website (.NET 3.5) to connect to our Exchange 2010 server through Exchange Web Services. I can connect to EWS when I specify the username, password and domain for authentication, but I would like, if possible, not to include login details in my code.

In IIS, I have enabled Integrated Windows Authentication for the site, and in the site's web.config I have <authentication mode="Windows"/>.

The following code is what I tried:

    svc.UseDefaultCredentials = True
    svc.Credentials = New WebCredentials()
    svc.Url = New Uri(svcURL)

With the above code, I get a message:

When creating a request as an account that does not have a mailbox, you must specify the primary SMTP address of the mailbox for any folder IDs.

When I try to use svc.Credentials = CredentialCache.DefaultNetworkCredentials (instead of svc.Credentials = New WebCredentials() ), I get an error message:

Cannot pass an object of type "System.Net.SystemNetworkCredential" to enter "Microsoft.Exchange.WebServices.Data.ExchangeCredentials".

As already mentioned, the only thing that worked was to specify the user credentials for authentication, which I would not do: svc.Credentials = New WebCredentials("username","password","domain")

Could anyone authenticate with EWS using the credentials of the currently logged in user on the ASP.NET website?

+7
1 answer

By default, it is not possible to delegate user credentials from one server (the server on which you host your ASP.NET site) to another (your Exchange server). This is called the "server host", and Windows will prevent it by default as a security measure.

You have several options to get around this:

  • Using Kerberos: When Kerberos is enabled, it allows you to delegate user credentials between servers when using Windows Authentication. I don’t know the exact details of how to configure Kerberos, since I am just a modest developer, but maybe your system administrator can help you. AFAIK, you need to configure the ASP.NET server to allow user delegation.
  • Configuring the IIS application pool user ID: If Kerberos is not a parameter, you can change the identity of the application pool that your ASP.NET site runs on. First, define a new application pool in IIS Manager. Then go to the Advanced Settings dialog box for this application pool and set the identifier for the domain user who is allowed access to your Exchange server. More information about the application pool identifier is here: http://technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx .
  • Installing the <identity> element: If for some reason you cannot change the application pool, you can try to personalize your ASP.NET website with the <identity> element in the web.config file. ASP.NET provides you with the ability to store credentials in the registry, so you do not need to place them directly in the web.config file. More details here: http://msdn.microsoft.com/en-us/library/72wdk8cc(v=vs.90).aspx
  • Using the <appSettings> element and encryption: The last option I can think of is to simply put the credentials in your web.config file as usual <appSettings> and then encrypt the entire <appSettings>. Then you just read appSettings from your code using the AppSettingsReader class. .NET can encrypt sections of the web.config file out of the box, and you can read the settings without noticing that the section is encrypted. .NET will take care of decryption for you. More details here: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
+2
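
A sketch of the application pool identity and encrypted <appSettings> options from the answer above, added here as an example and not code from the original question or answer. The appSettings key names (EwsUrl, EwsUser, EwsPassword, EwsDomain) and the module and function names are hypothetical, and the account used is assumed to have been granted access to the target mailbox.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports Microsoft.Exchange.WebServices.Data

Public Module EwsClient
    ' Builds an ExchangeService with no credentials in source code.
    ' The appSettings keys are hypothetical names chosen for this example.
    Public Function CreateService() As ExchangeService
        Dim svc As New ExchangeService(ExchangeVersion.Exchange2010)
        svc.Url = New Uri(ConfigurationManager.AppSettings("EwsUrl"))

        Dim user As String = ConfigurationManager.AppSettings("EwsUser")
        If String.IsNullOrEmpty(user) Then
            ' Application pool identity option: the worker process account
            ' authenticates to Exchange, so svc.Credentials is not assigned.
            svc.UseDefaultCredentials = True
        Else
            ' Encrypted <appSettings> option: the values are read the same
            ' way whether or not the section is encrypted on disk.
            svc.Credentials = New WebCredentials( _
                user, _
                ConfigurationManager.AppSettings("EwsPassword"), _
                ConfigurationManager.AppSettings("EwsDomain"))
        End If
        Return svc
    End Function

    ' Reads up to ten Inbox subjects from a named mailbox. Passing the
    ' mailbox's primary SMTP address in the FolderId is what the error in
    ' the question asks for when the calling account has no mailbox.
    Public Function ListInboxSubjects(ByVal svc As ExchangeService, _
                                      ByVal smtpAddress As String) As List(Of String)
        Dim inbox As New FolderId(WellKnownFolderName.Inbox, New Mailbox(smtpAddress))
        Dim results As FindItemsResults(Of Item) = svc.FindItems(inbox, New ItemView(10))

        Dim subjects As New List(Of String)()
        For Each entry As Item In results
            subjects.Add(entry.Subject)
        Next
        Return subjects
    End Function
End Module
```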