"Sudden" Active Directory error on ASP.NET

I have an ASP.NET page that searches for someone in the corporate Active
Directory.

It had been working fine until recently when I changed from Basic
Authentication on IIS6 back to Integrated Windows authentication. The error
occurs on the FindAll method. The exceptions are as follows. Is there any way of
getting the code working with Integrated Windows authentication (too annoying
for user to enter user-name/password)? Note I do need to use impersonation
(to figure out the username of the logged on user).

Exception:
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindAll()
   at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender, EventArgs e)

Web.config:
<authentication mode="Windows" />
<identity impersonate="true" />

Code snippet below:

DirectoryEntry dirEntry = new DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);
dirSearcher.Filter = "(&(SN=" + LastnameTxt.Text + "*)(givenName=" +
    FirstnameTxt.Text + "*)(l=" + LocationTxt.Text + "*))";
System.DirectoryServices.PropertyCollection objectPropperties;
foreach (SearchResult resultEntry in dirSearcher.FindAll())
{
    // display results
}
Nov 19 '05 #1
I have read some articles which suggest that I need to turn on "Kerberos"
authentication (in order for token to be passed to Active Directory for
authentication).

How could I turn on Kerberos authentication? It is not an option in IIS6 on
Windows server 2003. Note I am using Integrated Windows authentication at
present.

Nov 19 '05 #2
Alternatively, is it at all possible to use another (hard-wired) user's
credentials to authenticate into Active Directory? When I say hard-wired
user, I mean a fixed user that is different from the logged on user (note, I
need to use impersonation to figure out from Environment.Username the
username of the logged on user).

Nov 19 '05 #3
Hi Patrick:

Because the Active Directory is set up on a server other than the IIS server,
try explicitly specifying the former when constructing the DirectoryEntry,
e.g.
DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");

(I know this works because I ran into the same problem last week and I
solved it this way)
--
HTH,
Phillip Williams
http://www.societopia.net/Samples/
http://www.societopia.net
http://www.webswapp.com
Nov 19 '05 #4
Hi Patrick,

The problem you encountered seems somewhat related to the security
context of the ASP.NET application. As you mentioned, the AD query code
works well when you're using basic authentication but fails when you change to
Integrated Windows. That is because, when using basic authentication, the client
user provides full credentials, so the server-side logon session has the
network credential (which means it can be forwarded to a remote machine for
authentication). However, under Integrated Windows, the client side doesn't
provide full credentials, so the server-side logon session can't be forwarded
to a remote machine for authentication. So the problem you met is possibly
caused by this. Also, in ASP.NET we can use web.config's <identity>
element, or code, to impersonate a fixed account. Since by such
means we provide a clear-text username/password, the established security
session can be forwarded to a remote machine for authentication. Here is the
KB article discussing this:

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/?id=306158

In addition, you can try Phillip's suggestion.

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 19 '05 #5
Whilst this new LDAP string works on my developer workstation, porting to the
development IIS6.0 web server, dirSearcher.FindAll().Count returns 0 (when
matches are expected), presumably because no credentials were passed from IIS
to the Active Directory?

Nov 19 '05 #6
On Mon, 5 Sep 2005 10:36:03 -0700, "Patrick" <qu*******@newsgroup.nospam> wrote:

¤ I have read some articles which suggest that I need to turn on "Kerberos"
¤ authentication (in order for token to be passed to Active Directory for
¤ authentication).
¤
¤ How could I turn on Kerberos authentication? It is not an option in IIS6 on
¤ Windows server 2003. Note I am using Integrated Windows authentication at
¤ present.

http://www.microsoft.com/windowsserv...s/default.mspx
Paul
~~~~
Microsoft MVP (Visual Basic)
Nov 19 '05 #7
Hi Patrick,

I think though that getting a dirSearcher.FindAll().Count==0 is not a
security access issue. If the responses of Steven and Paul have not helped
you yet to find a solution, you might try a few more tests:

1- log on to the IIS machine and run the application from there,

2- add a Trace.WriteLine statement that displays the
Context.User.Identity.Name to verify that impersonation works.

3- try without a filter condition at all; if you get any result then the
problem is not security related rather it might be the way you specified the
filter condition that caused dirSearcher.FindAll().Count to return 0.

--
HTH,
Phillip Williams
http://www.societopia.net
http://www.webswapp.com
Nov 19 '05 #8
Actually I have a correction to what I wrote below. It was not the NTLM
authenticated userID that I used in creating the DirectoryEntry. Upon
careful examination of the code that I left on the IIS server (as opposed to
the version I have on my development desktop) I found that I actually left a
hard-coded userID and password in the DirectoryEntry constructor. So you
were right. It works on the development desktop but not on the IIS server;
the latter required supplying the userID and password.

This is my working solution:
Dim entry As New DirectoryServices.DirectoryEntry(AppSettings("LDAP_PATH"), strUserID, strPassword)

Sorry if I have caused any confusion.

Nov 19 '05 #9
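
Added example, not part of the original thread or any poster's code: a C# version of the explicit-credential bind from post #9 applied to the search from post #1, so the bind no longer depends on the caller's logon session being forwarded (post #5), with the text-box values escaped per RFC 4515 before they go into the LDAP filter. The class and method names, the displayName attribute, the 200-result limit and the bind account parameters are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example; DirectoryLookup and its method names are hypothetical.
public static class DirectoryLookup
{
    // Escape a value for use inside an LDAP search filter (RFC 4515):
    // each filter metacharacter becomes a backslash followed by two hex digits.
    public static string EscapeFilterValue(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        StringBuilder sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Same prefix search as the thread's filter. Only the trailing '*' that
    // this code appends acts as a wildcard; typed input is matched literally.
    public static string BuildPersonFilter(string lastName, string firstName, string location)
    {
        return "(&(sn=" + EscapeFilterValue(lastName) + "*)"
             + "(givenName=" + EscapeFilterValue(firstName) + "*)"
             + "(l=" + EscapeFilterValue(location) + "*))";
    }

    // Bind with an explicit account instead of the impersonated caller.
    // bindUser/bindPassword are assumed to come from protected configuration.
    public static List<string> FindPeople(string ldapPath, string bindUser, string bindPassword,
                                          string lastName, string firstName, string location)
    {
        List<string> names = new List<string>();
        string filter = BuildPersonFilter(lastName, firstName, location);

        using (DirectoryEntry root = new DirectoryEntry(
                   ldapPath, bindUser, bindPassword, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.SizeLimit = 200;                      // assumed cap on results
            searcher.PropertiesToLoad.Add("displayName");  // fetch only what is shown

            // SearchResultCollection holds unmanaged resources; dispose it.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    ResultPropertyValueCollection values = result.Properties["displayName"];
                    if (values.Count > 0) names.Add(values[0].ToString());
                }
            }
        }
        return names;
    }

    public static void Main()
    {
        // Constructed input containing filter metacharacters; no directory is contacted.
        Console.WriteLine(BuildPersonFilter("Sm*th", "Ann (temp)", "Lon"));
    }
}
```

In the page's click handler the call would pass LastnameTxt.Text, FirstnameTxt.Text and LocationTxt.Text as the last three arguments.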
Thanks for your detailed followup Phillip,

Hi Patrick,

Have you tried the suggestions in my last reply? I'm still thinking
the problem is concerned with your ASP.NET web application's security
context, and impersonation is a potential cause. If there are any further
findings or anything we can help with, please feel free to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 19 '05 #10
