Hi Marlon,
Welcome to MSDN newsgroup.
From your description, you get a security related error when performing
ADSI query (through the System.DirectoryServices components) in ASP.NET
webapplication, yes?
As you mentioned that you've used impersonation in your web.config, I do
think that it's likely due to the asp.net's working process identity which
didn't have the sufficent permission. To confirm this, I suggest that we
try the following things first:
1. Logon as a powerful domain account (which has the sufficient permission
to query AD) and running those ADSI quer code in a desktop/winform or
console app to see whether it works.
2. If #1 works, try using the
<identity impersonate="true" userName="..." password="..." /> to
explicitly specify a powerful user account to impersonate your asp.net app
and to see whether it works.
If the above all works, we can get that it's your web appcliation 's client
user (whom is impersonated in your asp.net app) which dosn't have the
sufficient permission. Anyway, please check the above things first , if
there're any thing unclear, please feel free to post here.
Thanks & Regards,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Marlon" <ya********@online.nospam>
| Subject: The following code IIS with WinXP SP2 but not on Windows 2003 SP1
| Date: Tue, 19 Jul 2005 10:58:27 -0400
| Lines: 35
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <u1**************@TK2MSFTNGP12.phx.gbl>
| Newsgroups: microsoft.public.dotnet.general
| NNTP-Posting-Host: ewimail2.exhibitworks.com 209.131.15.66
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP12.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.dotnet.general:46345
| X-Tomcat-NG: microsoft.public.dotnet.general
|
| <! -- Web.config-->
| <authentication mode="Windows" />
| <identity impersonate="true" />
|
| <! -- Web.config-->
|
| where Configurations.ADsUsersPath is
| LDAP://domain.com/ou=Users,ou=Corporate,dc=domain,dc=com
|
| ds = New DirectoryEntry(Configurations.ADsUsersPath)
| 'creates searcher object, set filter string ... tells seacher object to
look
| this object in the active directory
| dsSrch = New DirectorySearcher(ds)
|
| ' pull this information about the object (user object)
| dsSrch.Filter = Configurations.ADsQuery ''
| "(&(objectClass=user)(objectCategory=person)(sAMAc countName=*))"
| dsSrch.PropertiesToLoad.Add("sAMAccountName")
| dsSrch.PropertiesToLoad.Add("mail")
| dsSrch.PropertiesToLoad.Add("name")
| dsSrch.PropertiesToLoad.Add("sn")
| dsSrch.PropertiesToLoad.Add("givenName")
| dsSrch.PropertiesToLoad.Add("telephoneNumber")
| results = dsSrch.FindAll() ' commence search
|
| on windows 2003 "results = dsSrch.FindAll()" throws an exception "
| System.Runtime.InteropServices.COMException (0x8007200A): The specified
| directory service attribute or value does not exist "
|
| I know that it is problem with the security because if give user id and
| password to the ds object it works fine.
|
| Does anyone know what I can do get the above to work with impersonation?
|
|
|
