Dear All,
I was wondering If the following scenario is available on IIS 6:
I have a web based application that is a portal for users. Through that portal users can make some changes to user accounts within Active Directory.
Users authenticate using Kerberos (it’s an internal app). Now, is it possible to get user to authenticate to the app using their Domain Accounts, and then get IIS to use a designated account to make changes within AD on the user’s behalf? Basically, I would like to restrict users from being able to edit AD using their accounts from Active Directory Users and Computers, but I want to enable them to do it via this portal.
I thought the only option would be to get the app (IIS?) to make changes on the behalf of the user. This way I can designate only one generic account to have access to AD.
We use Windows 2003 Web Server within Windows 2003 Forest.
Thank you in advance.
Michael
I was wondering If the following scenario is available on IIS 6:
I have a web based application that is a portal for users. Through that portal users can make some changes to user accounts within Active Directory.
Users authenticate using Kerberos (it’s an internal app). Now, is it possible to get user to authenticate to the app using their Domain Accounts, and then get IIS to use a designated account to make changes within AD on the user’s behalf? Basically, I would like to restrict users from being able to edit AD using their accounts from Active Directory Users and Computers, but I want to enable them to do it via this portal.
I thought the only option would be to get the app (IIS?) to make changes on the behalf of the user. This way I can designate only one generic account to have access to AD.
We use Windows 2003 Web Server within Windows 2003 Forest.
Thank you in advance.
Michael
