I have ADSI code that I can make work at the command line. I cannot in
any way get it to work in asp.net. Even using Windows authentication,
impersonation on, and providing the credentials hardcoded, I cannot make
this same code happen. This is all I am trying to do:
static void Stuff()
{
//we don't need the credentials on this form
// so store in session state.
//look up computers from selected branch.
DataTable dt = new DataTable("Computers");
dt.Columns.Add("ComputerName");
DirectoryEntry de = new
DirectoryEntry("LDAP://CN=Computers,DC=TOPDOMAIN,DC=CA");
de.Username = "adminishtypeaccount";
de.Password = "biglongpasswordofsomesort";
DirectorySearcher ds = new DirectorySearcher(de);
//try
{
foreach(SearchResult sr in ds.FindAll())
{
DataRow dr = dt.NewRow();
dr["ComputerName"] = sr.GetDirectoryEntry().Name.ToString();
dt.Rows.Add(dr);
}
}
//catch
{
//no action for now.
}
/* web version attaches
to a grid then binds
- only difference */
DataSet MySet = new DataSet();
MySet.Tables.Add(dt);
Console.WriteLine(MySet.GetXml());
Console.ReadLine();
}
}
8  1770 
Is it possible that you are providing credentials to access to ADSI but not
to access the remote server itself? At the command line, yours would be
passed through. ASP.NET wouldn't do that the same way.
Not sure, but I'd look into NetworkCredential Class to get ASP.NET into the
machine itself: http://msdn.microsoft.com/library/de...classtopic.asp
Let us know when you get it working?
Ken
"msnews.microsoft.com" wrote: I have ADSI code that I can make work at the command line. I cannot in
any way get it to work in asp.net. Even using Windows authentication,
impersonation on, and providing the credentials hardcoded, I cannot make
this same code happen. This is all I am trying to do:
static void Stuff()
{
//we don't need the credentials on this form
// so store in session state.
//look up computers from selected branch.
DataTable dt = new DataTable("Computers");
dt.Columns.Add("ComputerName");
DirectoryEntry de = new
DirectoryEntry("LDAP://CN=Computers,DC=TOPDOMAIN,DC=CA");
de.Username = "adminishtypeaccount";
de.Password = "biglongpasswordofsomesort";
DirectorySearcher ds = new DirectorySearcher(de);
//try
{
foreach(SearchResult sr in ds.FindAll())
{
DataRow dr = dt.NewRow();
dr["ComputerName"] = sr.GetDirectoryEntry().Name.ToString();
dt.Rows.Add(dr);
}
}
//catch
{
//no action for now.
}
/* web version attaches
to a grid then binds
- only difference */
DataSet MySet = new DataSet();
MySet.Tables.Add(dt);
Console.WriteLine(MySet.GetXml());
Console.ReadLine();
}
}
Ken Cox [Microsoft MVP] wrote: Is it possible that you are providing credentials to access to ADSI but not
to access the remote server itself? At the command line, yours would be
passed through. ASP.NET wouldn't do that the same way.
Not sure, but I'd look into NetworkCredential Class to get ASP.NET into the
machine itself:
http://msdn.microsoft.com/library/de...classtopic.asp
Let us know when you get it working?
Ken
Thanks for the suggestion. How would you do this if you're not sure
which AD server is going to be doing the authenticating? There is more
than one on our network, and I'd hate to have to target it specifically
for connection.
Richard
This is pretty well documented here: http://support.microsoft.com/default...b;en-us;329986
Generally, the problem is that when you don't supply a server or domain name
in our binding string or don't supply credentials in your directoryentry
constructor, the ADSI components will try to infer them from the current
security context. In ASP.NET, you are often running as a local machine
account, so this won't work when trying to get domain information or
credentials. When you run the code locally, it picks up your domain
credentials and domain controller information from that.
To verify this is the problem, add a domain controller to your binding
string (LDAP://mydc.com/CN=xxxx) and provide valid credentials for the
username and password properties. If that works, then that is the problem.
If you don't want to specific a DC or credentials, there are a bunch of ways
around this as ASP.NET gives you lots of security options. They all have
good points and bad points.
Joe K.
"msnews.microsoft.com" <so*****@spammingisevil.bad> wrote in message
news:%2****************@TK2MSFTNGP14.phx.gbl... I have ADSI code that I can make work at the command line. I cannot in any
way get it to work in asp.net. Even using Windows authentication,
impersonation on, and providing the credentials hardcoded, I cannot make
this same code happen. This is all I am trying to do:
static void Stuff()
{
//we don't need the credentials on this form
// so store in session state.
//look up computers from selected branch.
DataTable dt = new DataTable("Computers");
dt.Columns.Add("ComputerName");
DirectoryEntry de = new
DirectoryEntry("LDAP://CN=Computers,DC=TOPDOMAIN,DC=CA");
de.Username = "adminishtypeaccount";
de.Password = "biglongpasswordofsomesort";
DirectorySearcher ds = new DirectorySearcher(de);
//try
{
foreach(SearchResult sr in ds.FindAll())
{
DataRow dr = dt.NewRow();
dr["ComputerName"] = sr.GetDirectoryEntry().Name.ToString();
dt.Rows.Add(dr);
}
}
//catch
{
//no action for now.
}
/* web version attaches
to a grid then binds
- only difference */
DataSet MySet = new DataSet();
MySet.Tables.Add(dt);
Console.WriteLine(MySet.GetXml());
Console.ReadLine();
}
}
You've got a couple of options if you want to this to be dynamic:
- You can change the security context so that a domain user is used. This
will get you a valid domain controller that can be used in a "serverless"
bind and should get you valid credentials that can be used. To do this, you
can either:
Change the process identity for ASP.NET to a domain account, either with the
processModel setting in web.config for IIS5 or the app pool identity for
IIS6, or impersonate a windows user or lace the code in a COM+ dll and set
that up to use a domain identity. Impersonation works well if you are using
Windows auth in your application, but you may have delegation issues with
that. Please read the doc in the link I posted in my other reply.
- You can also specify a domain or domain controller name and put it in
web.config so you can change it at runtime. If you specify a domain name
instead of an actual DC, the underlying system will use DNS to determine a
DC to use at runtime. However, this doesn't solve the credentials problem,
so you may still need to provide those (via config again).
All of the various approaches have good points and bad points. I generally
go with setting values via configuration, but I will use the "security
context" approaches sometimes as well. The important thing to know is WHY
the code works and what it depends on so that when you change something
later, you'll know why it broke.
HTH,
Joe K.
"msnews.microsoft.com" <so*****@spammingisevil.bad> wrote in message
news:uZ**************@TK2MSFTNGP12.phx.gbl... Ken Cox [Microsoft MVP] wrote: Is it possible that you are providing credentials to access to ADSI but
not to access the remote server itself? At the command line, yours would
be passed through. ASP.NET wouldn't do that the same way.
Not sure, but I'd look into NetworkCredential Class to get ASP.NET into
the machine itself:
http://msdn.microsoft.com/library/de...classtopic.asp
Let us know when you get it working?
Ken
Thanks for the suggestion. How would you do this if you're not sure which
AD server is going to be doing the authenticating? There is more than one
on our network, and I'd hate to have to target it specifically for
connection.
Richard
msnews.microsoft.com wrote: Ken Cox [Microsoft MVP] wrote:
Is it possible that you are providing credentials to access to ADSI
but not to access the remote server itself? At the command line, yours
would be passed through. ASP.NET wouldn't do that the same way.
Not sure, but I'd look into NetworkCredential Class to get ASP.NET
into the machine itself:
http://msdn.microsoft.com/library/de...classtopic.asp
Let us know when you get it working?
OK - I'm still struggling with ADSI and asp.net, as another angle of
this project has forced me back at it. ADSI and asp.net are two things
definitely not made to work together, from what I can tell.
At any rate, I'm at the desperate point where I will try anything, but
don't know how to use the NetworkCredential class against this AD server
- it is not a SOAP server, and offers up no http services of any kind.
Does this class come into play for just the simple attempt to try and
gain some access to the AD services?
I just want to do some very simple things... I can't believe what a
difficult struggle this is.
R.
Hi Richard,
I think this should be a normal issue that the DirectoryService processing
work well under winform/console app but fail in asp.net. What's the error
info you got when failing in accessing the AD?
Here is a kb artcle discussing on this detailedly.
#How to use the System.DirectoryServices namespace in ASP.NET http://support.microsoft.com/?id=329986
It has mentioned serveral important points such as require a Primary Token
and possible double hop issue....
Also, you can try some of the troubleshooting approachs in it.
Hope helps. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.) Ken Cox [Microsoft MVP] wrote: Is it possible that you are providing credentials to access to ADSI
but not to access the remote server itself? At the command line,
yours would be passed through. ASP.NET wouldn't do that the same way.
Not sure, but I'd look into NetworkCredential Class to get ASP.NET
into the machine itself:
http://msdn.microsoft.com/library/de...classtopic.asp
Let us know when you get it working?
Well, I couldn't find any way to use this class, but I did find a way to
get credentials passing in a way that had more force. I put the code
inside an impersonation block, opening with this:
System.Security.Principal.WindowsImpersonationCont ext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)HttpCo ntext.Current.User.Identity).Impersonate();
Funny - the impersonation flag in web.config was not as effective as this.
Richard
Hi Richard,
Thanks for your followup. Yes, as for the impersonation via web.config or
programly impersonation. There maybe some difference on the crediential
they generated.
1. When using the web.config impersonation, if we don't specify the
username and PASSWORD as clear text in the <identity> element, asp.net will
use the account passed from IIS. And the identity token passed by IIS
depend on the authentication mode it use, if use Integrited Windows, the
passed token is not a primary token(you can refer to the kb I provided in
the last message) and which can't be double hop to remote machine. If using
basic authentication, since the client user must provide clear text
password, so the passed
token can be used to double hop to remote machine.
2. When using code to programly impersonate, we will provide the cleartext
password, so the generated identity token is also double-hopable. And the
effect is as same as we speicfying a fixed account (with clear USERNAME
PASSWORD) in web.config's <idenity > element or use BASIC authenticaiton
in IIS and impersonate the client user identity from IIS.
Anyway, glad that you've resolved the problem. And you may have a look at
the kb article in my last reply. If there are any further questions, please
feel free to post here. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Ryan Ritten |
last post by:
I was wondering if anyone knew how (or if it's even possible) to cache
the results of an ADSI call in asp for a longer period of time.
Basically what I am doing is I have a website that loads the...
|
by: Enigma Webmaster |
last post by:
Hi All,
We've written a couple of functions which, when run in VB6 work fine and
allow AD users to be updated. When we include the code into an ASP Page and
try and update a users information...
|
by: Arran Pearce |
last post by:
Hi,
I am looking for a way to use System.DirectoryServices to find all users on
a domain whos accounts are either locked out or disabled. I have used
ADSIEdit and the mmc schema add-in to try...
|
by: Rubble |
last post by:
Hello, Im trying to see if a user exists in active directory. The
code I have has been posted elsewhere and apparantly works for
others....but it will not work for me. I get the error: "The...
|
by: Corne Grotius |
last post by:
Hiya,
I'm trying to create a new site on IIS 6.0 using ADSI and C# using the
following code:
DirectoryEntry W3SVC = new DirectoryEntry("IIS://" + ServerName +
"/w3svc", Username, Password,...
|
by: YRao |
last post by:
I am going to create intranet application using Windows Authentication
using C# asp.net
I am having following problem:
1 setting windows Authentication, it will validate for all users, user...
|
by: Roy Osherove |
last post by:
Hi folks.
I have an ASP.Net application that runs a .Net dll that uses WMI and
ADSI(both managed) to connect to a given IIS root and search through it.
When not using the ASP.Net client, but...
|
by: chat_devil |
last post by:
hi,
does anyone know if it is possible to remove an attribute that can not
be read into the ADSI property cache/collection.
i'm trying to do an eDirectory password change from .net directory...
|
by: John |
last post by:
Hi, gurus,
How can I implement the following feature in C#:
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ", group")
For Each objMember In objGroup.Members...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |
