| Groups | Blog | Home |
asp.net security : Some or all identity references could not be translated.
Don't use an NTAccount for the IdentityReference. Instead, use a
SecurityIdentifier type and build that based on reading the objectSid attribute of the user or group you created previously. That way, you don't have to worry about any replication lag causing the name translation to fail since there is no name translation involved when you use the SID directly. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message news:E3FB40C5-DE83-43D9-8AED-26CE049F921B@microsoft.com... > Hi, > > what I try to do: > > create user/group in AD(works fine). > set permissions on folder for created user/group(problems) > > If I try that I get the following error: > > System.Security.Principal.IdentityNotMappedException: Some or all identity > references could not be translated. > at > System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection > sourceAccounts, Type targetType, Boolean forceSuccess) > at System.Security.Principal.NTAccount.Translate(Type targetType) > at > System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification > modification, AccessRule rule, Boolean& modified) > at > System.Security.AccessControl.ObjectSecurity.ModifyAccessRule(AccessControlModification > modification, AccessRule rule, Boolean& modified) > > If I try set permissions for same user/group about 30 seconds after > creation everything went fine. > > CODE: > > Dim identity As NTAccount > > identity = New NTAccount(strUserName) > > Dim dInfo As New DirectoryInfo(strFolderName) > Dim dSecurity As DirectorySecurity = > dInfo.GetAccessControl(AccessControlSections.Access) > > dSecurity.AddAccessRule(New FileSystemAccessRule(identity, _ > rights, _ > iFlags, _ > pFlags, _ > acType)) > > dInfo.SetAccessControl(dSecurity) > > Can someone help, suggest something??
Hi,
what I try to do: create user/group in AD(works fine). set permissions on folder for created user/group(problems) If I try that I get the following error: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated. at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) at System.Security.Principal.NTAccount.Translate(Type targetType) at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified) at System.Security.AccessControl.ObjectSecurity.ModifyAccessRule(AccessControlModification modification, AccessRule rule, Boolean& modified) If I try set permissions for same user/group about 30 seconds after creation everything went fine. CODE: Dim identity As NTAccount identity = New NTAccount(strUserName) Dim dInfo As New DirectoryInfo(strFolderName) Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl(AccessControlSections.Access) dSecurity.AddAccessRule(New FileSystemAccessRule(identity, _ rights, _ iFlags, _ pFlags, _ acType)) dInfo.SetAccessControl(dSecurity) Can someone help, suggest something??
Hi Joe,
it works now :)) Thank you for help. Can you suggest me something about AD. what I do: create OU and then create user. But I sometimes recive error, like there is no OU which I just created but OU is there strDNSADDomain= I was put just domain(domain.loc) but I then recived error frequently. Then I put full DC name(ad1.domain.loc) but mistakes were reduce but nevertheless knows happen. Can you suggest something?? Code: ---------- create user: Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU) Dim user As New UserPrincipal(ctx) user.SamAccountName = strSamAccountName If Not String.IsNullOrEmpty(strDescription) Then user.Description = strDescription user.SetPassword(strPassword) user.Enabled = True user.PasswordNeverExpires = True If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = strUPN user.Save() user.Dispose() ctx.Dispose() create OU: Dim objAD As DirectoryEntry Dim objOU As DirectoryEntry strOU = "OU=" + strOU objAD = New DirectoryEntry(strPath) objOU = objAD.Children.Add(strOU, "OrganizationalUnit") If Not String.IsNullOrEmpty(strDescription) Then objOU.Properties("description").Add(strDescription) If Not String.IsNullOrEmpty(struPNSuffix) Then objOU.Properties("uPNSuffixes").Add(struPNSuffix) objOU.CommitChanges() objOU.Dispose() objAD.Dispose() Error: ------- There is no such object on the server. -- at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type t) at System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse() at System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String value) at serviceprovisioning.ActiveDirectory.CreateUser(String strSamAccountName, String strPassword, String strOU, String strDescription, String strUPN, String strDNSADDomain) ---------------------------------------------- #example if someone else have similar problems. Dim identity As NTAccount identity = New NTAccount(strUserName) Dim sid As SecurityIdentifier = DirectCast(identity.Translate(GetType(SecurityIdentifier)), SecurityIdentifier) Dim dInfo As New DirectoryInfo(strFolderName) Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl(AccessControlSections.Access) dSecurity.AddAccessRule(New FileSystemAccessRule(sid, _ rights, _ iFlags, _ pFlags, _ acType)) dInfo.SetAccessControl(dSecurity)
I didn't quite follow what you were saying here. You do need to make sure
you are working off of the same server though. Could that be the problem? Please try to explain again. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message news:15AB08F9-9201-4925-BE5A-4AE0AB5B7888@microsoft.com... > Hi Joe, > > it works now :)) > Thank you for help. > > Can you suggest me something about AD. > > what I do: > > create OU and then create user. > But I sometimes recive error, like there is no OU which I just created but > OU is there > > strDNSADDomain= > I was put just domain(domain.loc) but I then recived error frequently. > Then I put full DC name(ad1.domain.loc) but mistakes were reduce but > nevertheless knows happen. > > Can you suggest something?? > > > Code: > ---------- > > create user: > > Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, > strOU) > > Dim user As New UserPrincipal(ctx) > > user.SamAccountName = strSamAccountName > If Not String.IsNullOrEmpty(strDescription) Then user.Description = > strDescription > user.SetPassword(strPassword) > user.Enabled = True > user.PasswordNeverExpires = True > > If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = > strUPN > > user.Save() > > user.Dispose() > ctx.Dispose() > > create OU: > > Dim objAD As DirectoryEntry > Dim objOU As DirectoryEntry > > strOU = "OU=" + strOU > > objAD = New DirectoryEntry(strPath) > > objOU = objAD.Children.Add(strOU, "OrganizationalUnit") > If Not String.IsNullOrEmpty(strDescription) Then > objOU.Properties("description").Add(strDescription) > If Not String.IsNullOrEmpty(struPNSuffix) Then > objOU.Properties("uPNSuffixes").Add(struPNSuffix) > objOU.CommitChanges() > > objOU.Dispose() > objAD.Dispose() > > Error: > ------- > > There is no such object on the server. -- at > System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() > at > System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() > at > System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() > at > System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type > t) at > System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse() at > System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String > value) at serviceprovisioning.ActiveDirectory.CreateUser(String > strSamAccountName, String strPassword, String strOU, String > strDescription, String strUPN, String strDNSADDomain) > > > ---------------------------------------------- > #example if someone else have similar problems. > > Dim identity As NTAccount > > identity = New NTAccount(strUserName) > > Dim sid As SecurityIdentifier = > DirectCast(identity.Translate(GetType(SecurityIdentifier)), > SecurityIdentifier) > > Dim dInfo As New DirectoryInfo(strFolderName) > Dim dSecurity As DirectorySecurity = > dInfo.GetAccessControl(AccessControlSections.Access) > > dSecurity.AddAccessRule(New FileSystemAccessRule(sid, _ > rights, _ > iFlags, _ > pFlags, _ > acType)) > > dInfo.SetAccessControl(dSecurity) > > >
Hi Joe,
I will try to explain better. First I create OU then inside that OU I create otheres OUs, users and groups. But sometimes I get error "There is no such object on the server", like there is no OU which I just created. To create users and groups I use "System.DirectoryServices.AccountManagement" class. http://msdn.microsoft.com/en-us/library/bb348316.aspx Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU) Dim user As New UserPrincipal(ctx) strOU = DN - name of newly created OU in which I want to create user strDNSADDomain = I set empty string, domain name or full DNS DC name If I set empty string or domain name the error occurs often. But if I set full DNS DC name the error occurs from time to time when I start to use application, then I just enter DNS name of second DC and code start to work. If I put some sleep(20-30sec) in code the application work but I think that there is some better way. hmm... I think I know where is the problem. Problem is in creation of OU. When I create OU I don't bind to specific DC but for path enter "LDAP://OU=name,DC=domain,DC=loc" Maybe if I enter "LDAP://DC1.domain.name:389/OU=name,DC=domain,DC=loc" But is this good approach, what if this DC stop to work? Can you suggest what is the good way to create OU and user inside newly created OU and to avoid problem with AD replication? Is there some trick like with SID/user name? Thank you for your help. [quoted text, click to view] > -- > "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message > news:15AB08F9-9201-4925-BE5A-4AE0AB5B7888@microsoft.com... >> Hi Joe, >> >> it works now :)) >> Thank you for help. >> >> Can you suggest me something about AD. >> >> what I do: >> >> create OU and then create user. >> But I sometimes recive error, like there is no OU which I just created >> but OU is there >> >> strDNSADDomain= >> I was put just domain(domain.loc) but I then recived error frequently. >> Then I put full DC name(ad1.domain.loc) but mistakes were reduce but >> nevertheless knows happen. >> >> Can you suggest something?? >> >> >> Code: >> ---------- >> >> create user: >> >> Dim ctx As New PrincipalContext(ContextType.Domain, >> strDNSADDomain, strOU) >> >> Dim user As New UserPrincipal(ctx) >> >> user.SamAccountName = strSamAccountName >> If Not String.IsNullOrEmpty(strDescription) Then user.Description >> = strDescription >> user.SetPassword(strPassword) >> user.Enabled = True >> user.PasswordNeverExpires = True >> >> If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = >> strUPN >> >> user.Save() >> >> user.Dispose() >> ctx.Dispose() >> >> create OU: >> >> Dim objAD As DirectoryEntry >> Dim objOU As DirectoryEntry >> >> strOU = "OU=" + strOU >> >> objAD = New DirectoryEntry(strPath) >> >> objOU = objAD.Children.Add(strOU, "OrganizationalUnit") >> If Not String.IsNullOrEmpty(strDescription) Then >> objOU.Properties("description").Add(strDescription) >> If Not String.IsNullOrEmpty(struPNSuffix) Then >> objOU.Properties("uPNSuffixes").Add(struPNSuffix) >> objOU.CommitChanges() >> >> objOU.Dispose() >> objAD.Dispose() >> >> Error: >> ------- >> >> There is no such object on the server. -- at >> System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() >> at >> System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() >> at >> System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() >> at >> System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type >> t) at >> System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse() >> at >> System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String >> value) at serviceprovisioning.ActiveDirectory.CreateUser(String >> strSamAccountName, String strPassword, String strOU, String >> strDescription, String strUPN, String strDNSADDomain)
It seems like the key for you is to ensure that you always use the same DC
for doing your write operations, so it would likely be a good idea to use fixed DC names for this particular app. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message news:83B8CA3C-B80B-4ECB-9E03-9786AA727641@microsoft.com... > Hi Joe, > > I will try to explain better. > > First I create OU then inside that OU I create otheres OUs, users and > groups. > But sometimes I get error "There is no such object on the server", like > there is no OU which I just created. > To create users and groups I use > "System.DirectoryServices.AccountManagement" class. > http://msdn.microsoft.com/en-us/library/bb348316.aspx > > Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU) > Dim user As New UserPrincipal(ctx) > > strOU = DN - name of newly created OU in which I want to create user > > strDNSADDomain = I set empty string, domain name or full DNS DC name > If I set empty string or domain name the error occurs often. > But if I set full DNS DC name the error occurs from time to time when I > start to use application, then I just enter DNS name of second DC and code > start to work. > > If I put some sleep(20-30sec) in code the application work but I think > that there is some better way. > > hmm... > > I think I know where is the problem. > > Problem is in creation of OU. > When I create OU I don't bind to specific DC but for path enter > "LDAP://OU=name,DC=domain,DC=loc" > Maybe if I enter "LDAP://DC1.domain.name:389/OU=name,DC=domain,DC=loc" > > But is this good approach, what if this DC stop to work? > > Can you suggest what is the good way to create OU and user inside newly > created OU and to avoid problem with AD replication? > Is there some trick like with SID/user name? > > Thank you for your help. > >> -- >> "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message >> news:15AB08F9-9201-4925-BE5A-4AE0AB5B7888@microsoft.com... >>> Hi Joe, >>> >>> it works now :)) >>> Thank you for help. >>> >>> Can you suggest me something about AD. >>> >>> what I do: >>> >>> create OU and then create user. >>> But I sometimes recive error, like there is no OU which I just created >>> but OU is there >>> >>> strDNSADDomain= >>> I was put just domain(domain.loc) but I then recived error frequently. >>> Then I put full DC name(ad1.domain.loc) but mistakes were reduce but >>> nevertheless knows happen. >>> >>> Can you suggest something?? >>> >>> >>> Code: >>> ---------- >>> >>> create user: >>> >>> Dim ctx As New PrincipalContext(ContextType.Domain, >>> strDNSADDomain, strOU) >>> >>> Dim user As New UserPrincipal(ctx) >>> >>> user.SamAccountName = strSamAccountName >>> If Not String.IsNullOrEmpty(strDescription) Then user.Description >>> = strDescription >>> user.SetPassword(strPassword) >>> user.Enabled = True >>> user.PasswordNeverExpires = True >>> >>> If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = >>> strUPN >>> >>> user.Save() >>> >>> user.Dispose() >>> ctx.Dispose() >>> >>> create OU: >>> >>> Dim objAD As DirectoryEntry >>> Dim objOU As DirectoryEntry >>> >>> strOU = "OU=" + strOU >>> >>> objAD = New DirectoryEntry(strPath) >>> >>> objOU = objAD.Children.Add(strOU, "OrganizationalUnit") >>> If Not String.IsNullOrEmpty(strDescription) Then >>> objOU.Properties("description").Add(strDescription) >>> If Not String.IsNullOrEmpty(struPNSuffix) Then >>> objOU.Properties("uPNSuffixes").Add(struPNSuffix) >>> objOU.CommitChanges() >>> >>> objOU.Dispose() >>> objAD.Dispose() >>> >>> Error: >>> ------- >>> >>> There is no such object on the server. -- at >>> System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit() >>> at >>> System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() >>> at >>> System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() >>> at >>> System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type >>> t) at >>> System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse() >>> at >>> System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String >>> value) at serviceprovisioning.ActiveDirectory.CreateUser(String >>> strSamAccountName, String strPassword, String strOU, String >>> strDescription, String strUPN, String strDNSADDomain) > >
You can also use the FindDomainController method on the domain class to get
more control over this and make sure you get DCs in your site and such. It might be an easier and more robust approach to do the same basic thing. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "Darko Bazulj" <darko.bazulj@discussions.microsoft.com> wrote in message news:CB86B6FB-A8B8-4CB8-9A02-595EF0F31B5E@microsoft.com... > Hi Joe, > > Thank you for suggestions. > > I decide to do next: > > enumerate DCs > try to connect to first and if connection is sucessfull continue but if > not then try to connect to second DC. > > Regards, > Darko Bazulj > >
Hi Joe,
Thank you for suggestions. I decide to do next: enumerate DCs try to connect to first and if connection is sucessfull continue but if not then try to connect to second DC. Regards, Darko Bazulj
Hi Joe,
good suggestion, I tried and it works :) Good thing is that only active DC will return. I tested with blocking(IPSec) data between DC and memeber on which I run code. Code: maybe help to someone Dim instance As Domain Dim returnValue As DomainController instance = Domain.GetCurrentDomain returnValue = instance.FindDomainController(LocatorOptions.ForceRediscovery) Console.WriteLine(returnValue.Name) Regards, Darko Bazulj
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |