Currently, we have an .hta file that employees use to update certain elements of their Active Directory profile. This relieves system administrators of having to deal with that issue. The reasoning for a .hta file is obvious. It lifts a lot of the security blockades in place and allows a machine to do things (such as update an Active Directory profile) that it otherwise wouldn't be able to do (to my knowledge).

I realize the security implications, but we are being asked to transfer this .hta application to a browser-based .net application. Is this even possible? If it is, why is it possible? It seems like something that is (and should be) relatively impossible from the browser.

A: 

I guess it depends on what you mean by browser-based .net application. I've written many utilities which are presented to the user as web pages and which update AD (or some other repository). In these cases, at least a part of the application runs on the server. The web page in the browser merely gives access to this server code.

There are several technologies behind this. I'm assuming that your users run the .hta as themselves. You can do something similar using ASP.NET. ASP.NET runs on IIS. If you're using IE as your browser, you can configure IIS (and IE) to use Windows Integrated Authentication. This means that IE passes the Windows security token to IIS so that IIS knows who the user is and that they've authenticated themselves to a DC recently. IIS passes this to ASP.NET so your application can know this as well. You can configure your app so that it 'impersonates' the user and does things using their ID.

Or, you can define credentials to be used by your app and either run the ASP.NET site using an IIS ApplicationPool or use the credentials directly in your code when you call out to AD. I've done this when I wanted the user to be able to do something they can't do with their own credentials and I've not wanted to grant them direct access by delegating that authority to them. It means I can add validation to the process.

You use a .NET namespace called System.DirectoryServices, aka S.DS (or System.DirectoryServices.Protocols, aka SDS.P, which is harder to use, or System.DirectoryServices.AccountManagement, which came with .NET 3.5), and you can read and update AD using it.

If you want to know more, update your question and I'll try to help.

serialhobbyist
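An added example, not serialhobbyist's code, of the second variant described in the answer: the ASP.NET app holds its own directory credentials and puts validation in front of the write, while the account being edited comes from the Windows-authenticated caller rather than from the form. It assumes ASP.NET on .NET Framework with `<authentication mode="Windows" />` in web.config (so `HttpContext.Current.User.Identity` is a `WindowsIdentity`), and `ldapPath`, `svcUser` and `svcPassword` are placeholders for values read from protected configuration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;

public static class SelfServiceProfile
{
    // Attributes a user may change about themselves, each with a value check.
    // Anything else (memberOf, userAccountControl, ...) is refused before AD is touched.
    static readonly Dictionary<string, Regex> Allowed =
        new Dictionary<string, Regex>(StringComparer.OrdinalIgnoreCase)
        {
            { "telephoneNumber", new Regex(@"^\+?[0-9 ()-]{3,20}$") },
            { "title",           new Regex(@"^[\p{L}\p{N} .,&'/-]{1,64}$") },
        };

    // Escapes a value for use inside an LDAP search filter (RFC 4515).
    public static string LdapEscape(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
            if ("\\*()\0".IndexOf(c) >= 0) sb.Append('\\').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        return sb.ToString();
    }

    // Updates one attribute on the caller's own account. The account is taken from the
    // Windows token IIS passed in, never from a form field, so nobody can name someone else.
    // The write uses a dedicated service account, so the allow-list above is the only path in.
    public static void Update(WindowsIdentity caller, string attribute, string value,
                              string ldapPath, string svcUser, string svcPassword)
    {
        if (!Allowed.TryGetValue(attribute, out Regex rule) || !rule.IsMatch(value))
            throw new ArgumentException("attribute not editable or value malformed");
        string sam = caller.Name.Substring(caller.Name.IndexOf('\\') + 1); // DOMAIN\sam -> sam
        string filter = "(&(objectCategory=person)(sAMAccountName=" + LdapEscape(sam) + "))";
        using (var root = new DirectoryEntry(ldapPath, svcUser, svcPassword,
                                             AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new InvalidOperationException("caller not found in directory");
            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                user.Properties[attribute].Value = value; // only an allow-listed attribute gets here
                user.CommitChanges();
            }
        }
    }
}
```

Because the service account can write to every user, the allow-list and the token-derived account name are what keep this at the same privilege level as the old self-service .hta; log the caller, attribute and old value on each commit so changes remain attributable.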