Thanks for your detailed follow-up, Phillip.
Hi Patrick,
Have you tried the suggestions in my last reply? I'm still thinking the
problem is concerned with your ASP.NET web application's security context,
and impersonation is a potential cause. If there are any further findings or
anything else we can help with, please feel free to post here.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)
--------------------
| Subject: RE: "Sudden" Active Directory error on ASP.NET
| From: "Phillip Williams" <Ph**************@webswapp.com>
| Date: Tue, 6 Sep 2005 17:14:34 -0700
| Newsgroups: microsoft.public.adsi.general,microsoft.public.dotnet.framework.aspnet
|
| Actually I have a correction to what I wrote below. It was not the NTLM
| authenticated userID that I used in creating the DirectoryEntry. Upon
| careful examination of the code that I left on the IIS server (as opposed to
| the version I have on my development desktop) I found that I actually left a
| hard-coded userID and password in the DirectoryEntry constructor. So you
| were right. It works on the development desktop but not on the IIS server;
| the latter required supplying the userID and password.
|
| This is my working solution:
| Dim entry As New DirectoryServices.DirectoryEntry(AppSettings("LDAP_PATH"), strUserID, strPassword)
|
| Sorry if I have caused any confusion.
|
| "Phillip Williams" wrote:
|
| > Hi Patrick,
| >
| > I think though that getting a dirSearcher.FindAll().Count==0 is not a
| > security access issue. If the responses of Steven and Paul have not helped
| > you yet to find a solution, you might try a few more tests:
| >
| > 1- log on to the IIS machine and run the application from there,
| >
| > 2- add a Trace.WriteLine statement that displays the
| > Context.User.Identity.Name to verify that impersonation works.
| >
| > 3- try without a filter condition at all; if you get any result then the
| > problem is not security related, rather it might be the way you specified the
| > filter condition that caused dirSearcher.FindAll().Count to return 0.
| >
| > --
| > HTH,
| > Phillip Williams
| > http://www.societopia.net
| > http://www.webswapp.com
| >
| >
| > "Patrick" wrote:
| >
| > > Whilst this new LDAP string works on my developer workstation, porting to the
| > > development IIS6.0 web server, dirSearcher.FindAll().Count returns 0 (when
| > > matches are expected), presumably because no credentials were passed from IIS
| > > to the Active Directory?
| > >
| > > "Phillip Williams" wrote:
| > >
| > > > Hi Patrick:
| > > >
| > > > Because the Active Directory is set up on a server other than the IIS server,
| > > > try explicitly specifying the former when constructing the DirectoryEntry,
| > > > e.g.
| > > > DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");
| > > >
| > > > (I know this works because I ran into the same problem last week and I
| > > > solved it this way)
| > > > --
| > > > HTH,
| > > > Phillip Williams
| > > > http://www.societopia.net/Samples/
| > > > http://www.societopia.net
| > > > http://www.webswapp.com
| > > >
| > > >
| > > > "Patrick" wrote:
| > > >
| > > > > I have read some articles which suggest that I need to turn on "Kerberos"
| > > > > authentication (in order for the token to be passed to Active Directory for
| > > > > authentication).
| > > > >
| > > > > How could I turn on Kerberos authentication? It is not an option in IIS6 on
| > > > > Windows Server 2003. Note I am using Integrated Windows authentication at
| > > > > present.
| > > > >
| > > > >
| > > > >
| > > > > "Patrick" wrote:
| > > > >
| > > > > > I have an ASP.NET page that searches for someone in the corporate Active
| > > > > > Directory.
| > > > > >
| > > > > > It had been working fine until recently when I changed from Basic
| > > > > > Authentication on IIS6 back to Integrated Windows authentication. The error
| > > > > > occurs on the FindAll method. The exceptions are as follows. Is there any way
| > > > > > of getting the code working with Integrated Windows authentication (too annoying
| > > > > > for the user to enter user-name/password)? Note I do need to use impersonation
| > > > > > (to figure out the username of the logged-on user).
| > > > > >
| > > > > > Exception:
| > > > > > System.Runtime.InteropServices.COMException (0x80072020): An operations
| > > > > > error occurred
| > > > > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
| > > > > > at System.DirectoryServices.DirectoryEntry.Bind()
| > > > > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
| > > > > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
| > > > > > at System.DirectoryServices.DirectorySearcher.FindAll()
| > > > > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender, EventArgs e)
| > > > > >
| > > > > > Web.config:
| > > > > > <authentication mode="Windows" />
| > > > > > <identity impersonate="true" />
| > > > > >
| > > > > > Code snippet below:
| > > > > >
| > > > > > DirectoryEntry dirEntry = new DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
| > > > > > DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);
| > > > > > // filter built from the three search boxes: surname, given name, location
| > > > > > dirSearcher.Filter = "(&(SN=" + LastnameTxt.Text + "*)(givenName=" +
| > > > > >     FirstnameTxt.Text + "*)(l=" + LocationTxt.Text + "*))";
| > > > > > System.DirectoryServices.PropertyCollection objectProperties;
| > > > > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
| > > > > > {
| > > > > >     //display results
| > > > > > }
|
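As an added example (not code from the thread or from any of its participants), here is a C# version of the solution the thread ends up with: a server-qualified LDAP path and explicit credentials, but read from appSettings rather than hard-coded in the page, with the search-box text escaped before it goes into the filter, and the Context.User.Identity.Name check from Phillip's test 2. The appSettings keys LDAP_USER and LDAP_PASSWORD and the method names are assumptions; LDAP_PATH is the key used in the thread.

```csharp
// Added example, not code from the thread: the thread's working solution
// (server-qualified LDAP path plus explicit credentials) with the account
// read from assumed appSettings keys LDAP_PATH, LDAP_USER, LDAP_PASSWORD.
using System.Configuration;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class AdLookup
{
    // Escape LDAP filter metacharacters (RFC 4515) so the search-box text
    // is matched literally instead of changing the shape of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
    // Test 2 from the thread: log both names to confirm <identity impersonate="true" /> took effect.
    public static string WhoAmI(HttpContext ctx)
    {
        return "thread token: " + WindowsIdentity.GetCurrent().Name
             + ", request user: " + ctx.User.Identity.Name;
    }
    public static SearchResultCollection FindPeople(string sn, string givenName, string l)
    {
        // AuthenticationTypes.Secure negotiates Kerberos/NTLM for the bind instead of a simple bind.
        DirectoryEntry entry = new DirectoryEntry(
            ConfigurationManager.AppSettings["LDAP_PATH"],      // e.g. LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com
            ConfigurationManager.AppSettings["LDAP_USER"],
            ConfigurationManager.AppSettings["LDAP_PASSWORD"],
            AuthenticationTypes.Secure);
        DirectorySearcher searcher = new DirectorySearcher(entry);
        searcher.Filter = "(&(sn=" + EscapeFilterValue(sn) + "*)(givenName="
            + EscapeFilterValue(givenName) + "*)(l=" + EscapeFilterValue(l) + "*))";
        return searcher.FindAll();
    }
}
```

The service account only needs read access to the directory, and on .NET 2.0 the appSettings section can be encrypted in place with aspnet_regiis -pe so the password is not stored in clear in web.config.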