|
|
You're in the
dotnet clr
group:calling ADSI from WebApp
dotnet clr:
Hello, I got this weird problem. I have an intranet application that needs to
communicate with Active directory. Authentication to Web application is done by means of active directory accounts. Now I have this code: DirectoryEntry objDomain = new DirectoryEntry("LDAP://rootDse"); string domain = objDomain.Properties["defaultNamingContext"].Value.ToString(); DirectorySearcher ds = new DirectorySearcher(); ds.SearchRoot = new DirectoryEntry(string.Format("LDAP://{0}",domain)); ds.Filter = "(&(objectClass=group)(sAMAccountName=group_name))"; ds.SearchScope = SearchScope.Subtree; SearchResult res = ds.FindOne(); When I run the application from any computer and authenticate as a user with domain administrator privilige, everything works fine. When I authenticate as a normal user application fail at line SearchResult res = ds.FindOne(); throwing this exception: Text: An operations error occurred Exception Details: System.Runtime.InteropServices.COMException: An operations error occurred Stack Trace: System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +513 System.DirectoryServices.DirectoryEntry.Bind() +10 System.DirectoryServices.DirectoryEntry.get_AdsObject() +10 System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +198 System.DirectoryServices.DirectorySearcher.FindOne() +31 To remind: This bunch of code is called from a library that is inside GAC to assert it's not consindered as partially trusted code. I have no idea, where the problem could be. As a first thing I thought the user doesn't have a privilige to communicate to AD, so I took this piece of code and put it into a Windows application and run as a normal user. It worked ok. Can anybody have any idea what I should do? I'd be very grateful. Thanks in advance.
[quoted text, click to view]
>Can anybody have any idea what I should do? I'd be very grateful. Thanks in >advance. Post your question in a more "targeted" group, such as mircosoft.public.adsi.general or such - there are tons of excellent ADSI and ASP.NET gurus there to answer your questions! From my point of view, I'd say it's most likely a permissions issue (almost always is, with ASP.NET). Marc ================================================================ Marc Scheuner May The Source Be With You!
[quoted text, click to view]
"johnny" <johnny@discussions.microsoft.com> wrote in message news:E5C81271-BFB6-4B6D-9B79-7E6A489CD83B@microsoft.com... > Hello, I got this weird problem. I have an intranet application that needs > to > communicate with Active directory. Authentication to Web application is > done > by means of active directory accounts. > > Now I have this code: > > DirectoryEntry objDomain = new DirectoryEntry("LDAP://rootDse"); > string domain = > objDomain.Properties["defaultNamingContext"].Value.ToString(); > DirectorySearcher ds = new DirectorySearcher(); > ds.SearchRoot = new DirectoryEntry(string.Format("LDAP://{0}",domain)); > ds.Filter = "(&(objectClass=group)(sAMAccountName=group_name))"; > ds.SearchScope = SearchScope.Subtree; > SearchResult res = ds.FindOne(); > > When I run the application from any computer and authenticate as a user > with > domain administrator privilige, everything works fine. When I authenticate > as > a normal user application fail at line > SearchResult res = ds.FindOne(); > throwing this exception: > > Text: An operations error occurred > Exception Details: System.Runtime.InteropServices.COMException: An > operations error occurred > Stack Trace: > System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +513 > System.DirectoryServices.DirectoryEntry.Bind() +10 > System.DirectoryServices.DirectoryEntry.get_AdsObject() +10 > System.DirectoryServices.DirectorySearcher.FindAll(Boolean > findMoreThanOne) +198 > System.DirectoryServices.DirectorySearcher.FindOne() +31 > > To remind: This bunch of code is called from a library that is inside GAC > to > assert it's not consindered as partially trusted code. > > I have no idea, where the problem could be. As a first thing I thought the > user doesn't have a privilige to communicate to AD, so I took this piece > of > code and put it into a Windows application and run as a normal user. It > worked ok. > > Can anybody have any idea what I should do? I'd be very grateful. Thanks > in > advance. > Herewith some questions I like to be answered before I can help. I assume you run this code from asp.net, right? How do you authenticate and impersonate at the Web server (IIS asp.net I assume), more precisely, are you using "windows authentication" or something else? and, are you impersonating? What version of IIS do you run (W2K or W2K3) and, What is the asp.net identity used to run the worker process? What is the anonymous account configured for IIS/ASP.NET? (domain or local account) Where is the DC located? What exactly do you mean with: When I run the application from any computer and authenticate as a user with [quoted text, click to view] > domain administrator privilige, everything works fine. When I authenticate do you mean when the client (browser or wathever) uses domain credentials it > as > a normal user application fail at line works, and fails with it's local identity? Note that when using windows authentication and impersonation at the Web server, a client using it's domain account will impersonate the domain account, but a local account (Workstation) will impersonate the anonymous account when binding , this all provided Delegation is turned on for the web server . Willy.
Please note that you better cross post to microsoft.public.dotnet.framework
and a specialized adsi group (see Marc's reply). Willy. [quoted text, click to view] "johnny" <johnny@discussions.microsoft.com> wrote in message news:E5C81271-BFB6-4B6D-9B79-7E6A489CD83B@microsoft.com... > Hello, I got this weird problem. I have an intranet application that needs > to > communicate with Active directory. Authentication to Web application is > done > by means of active directory accounts. > > Now I have this code: > > DirectoryEntry objDomain = new DirectoryEntry("LDAP://rootDse"); > string domain = > objDomain.Properties["defaultNamingContext"].Value.ToString(); > DirectorySearcher ds = new DirectorySearcher(); > ds.SearchRoot = new DirectoryEntry(string.Format("LDAP://{0}",domain)); > ds.Filter = "(&(objectClass=group)(sAMAccountName=group_name))"; > ds.SearchScope = SearchScope.Subtree; > SearchResult res = ds.FindOne(); > > When I run the application from any computer and authenticate as a user > with > domain administrator privilige, everything works fine. When I authenticate > as > a normal user application fail at line > SearchResult res = ds.FindOne(); > throwing this exception: > > Text: An operations error occurred > Exception Details: System.Runtime.InteropServices.COMException: An > operations error occurred > Stack Trace: > System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +513 > System.DirectoryServices.DirectoryEntry.Bind() +10 > System.DirectoryServices.DirectoryEntry.get_AdsObject() +10 > System.DirectoryServices.DirectorySearcher.FindAll(Boolean > findMoreThanOne) +198 > System.DirectoryServices.DirectorySearcher.FindOne() +31 > > To remind: This bunch of code is called from a library that is inside GAC > to > assert it's not consindered as partially trusted code. > > I have no idea, where the problem could be. As a first thing I thought the > user doesn't have a privilige to communicate to AD, so I took this piece > of > code and put it into a Windows application and run as a normal user. It > worked ok. > > Can anybody have any idea what I should do? I'd be very grateful. Thanks > in > advance. >
[quoted text, click to view] "Marc Scheuner [MVP ADSI]" <m.scheuner@inova.SPAMBEGONE.ch> wrote in message news:igokv0dte6bga3qv6d7u0jqtku6skj1j6m@4ax.com... > >Can anybody have any idea what I should do? I'd be very grateful. Thanks > >in >>advance. > > Post your question in a more "targeted" group, such as > > mircosoft.public.adsi.general > > or such - there are tons of excellent ADSI and ASP.NET gurus there to > answer your questions! > > From my point of view, I'd say it's most likely a permissions issue > (almost always is, with ASP.NET). > > Marc > ================================================================ > Marc Scheuner May The Source Be With You! > Berne, Switzerland m.scheuner -at- inova.ch Marc, Johnny Much better would be to cross-post [PS Johnny]to microsoft.public.dotnet.framework and mircosoft.public.adsi.general or microsoft.public.dotnet.framework.aspnet.security and mircosoft.public.adsi.general as the issue is .NET IIS/aspnet security and ADSI related . Willy. But don't multipost like you did.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |