For the archives:

Looks like the issue is that my LDAP:// string wasn't as specific as it needed to be. If I specify a server name at the start of the string, like so:

LDAP://ghcmaster.ghc.org/OU=prod,OU=GHCUsers,dc=ghcmaster,dc=ghc,dc=org

It works just fine w/out needing impersonation or windows auth. I'm told that when you don't specify a domain server in the first part of the string, ADSI uses the security context of the current thread to make a guess at the domain. If that's a domain account (as with impersonation) it can find the domain okay; if it's a local account (ASPNET or *_IUSR) then it has trouble.

More details can be had in the usenet group microsoft.public.adsi.general, under the thread subject "asp.net app requires impersonation *and* service account credentials?".

Cheers,
-Roy
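The fix Roy describes, as an added example that is not code from the thread: the same lookup bound to the named server with the service account, plus escaping of the user-supplied filter value, which the original function did not do. The class name, the EscapeFilterValue helper and the placeholder AD_USERNAME/AD_PASSWORD values are assumptions; only the server-qualified path comes from the post.

```vbnet
Imports System.Text
Imports System.DirectoryServices

Public Class AdLookup
    ' Placeholder credentials (assumed); load them from protected config.
    Private Const AD_USERNAME As String = "GHC\svc-adlookup"
    Private Const AD_PASSWORD As String = "<from secure config>"

    ' The path names the server, so ADSI binds there directly instead of
    ' deriving a domain from the calling thread's security context (which
    ' fails under a local account such as ASPNET, per the thread).
    Public Const QUALIFIED_PATH As String = _
        "LDAP://ghcmaster.ghc.org/OU=prod,OU=GHCUsers,dc=ghcmaster,dc=ghc,dc=org"
    ' Escape a caller-supplied value for use inside an LDAP filter (RFC 4515)
    ' so that filter metacharacters in a user name cannot alter the query.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        Dim c As Char
        For Each c In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Same lookup as the original function: named server, service account,
    ' escaped filter value. Returns "" when nothing matches.
    Public Shared Function GetFullName(ByVal userName As String) As String
        Dim root As New DirectoryEntry(QUALIFIED_PATH, AD_USERNAME, AD_PASSWORD, _
            AuthenticationTypes.Secure Or AuthenticationTypes.ServerBind)
        Dim searcher As New DirectorySearcher(root)
        Try
            searcher.PropertiesToLoad.Add("givenName")
            searcher.PropertiesToLoad.Add("sn")
            searcher.Filter = "(anr=" & EscapeFilterValue(userName) & ")"
            Dim sr As SearchResult = searcher.FindOne()
            If sr Is Nothing Then Return ""
            Return CStr(sr.Properties("givenName")(0)) & " " & _
                CStr(sr.Properties("sn")(0))
        Finally
            searcher.Dispose()
            root.Dispose()
        End Try
    End Function
End Class
```

ServerBind tells ADSI to bind only to the server named in the path rather than searching for a domain controller, which is the behaviour the serverless path relied on the thread identity for.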
-----Original Message-----
From: Discussion of building .NET applications targeted for the Web [mailto:DOTNET-WEB@DISCUSS.DEVELOP.COM] On Behalf Of Pardee, Roy
Sent: Monday, May 08, 2006 1:09 PM
To: DOTNET-WEB@DISCUSS.DEVELOP.COM
Subject: [DOTNET-WEB] Adsi query requires impersonation *and* service account credentials?
Greetings All,

I've got an asp.net v1.1 app that includes the following function, which translates a domain username into a full name:
' ========================================
' Assumed alias for the "sdi." prefix used throughout the function:
Imports sdi = System.DirectoryServices

' AD_USERNAME and AD_PASSWORD are the service-account credentials described below.
Public Function GetFullName(ByVal UserName As String) As String
    ' Serverless ADsPath: no server or domain name precedes the DN.
    Dim usr As New sdi.DirectoryEntry("LDAP://OU=prod, OU=GHCUsers, dc=ghcmaster, dc=ghc, dc=org", _
        AD_USERNAME, AD_PASSWORD)
    usr.AuthenticationType = sdi.AuthenticationTypes.ServerBind
    Dim ds As New sdi.DirectorySearcher(usr)
    With ds
        .PropertiesToLoad.Add("GivenName")
        .PropertiesToLoad.Add("sn")
        ' UserName goes into the filter as-is, without LDAP filter escaping.
        .Filter = "(anr=" & UserName & ")"
    End With
    Dim sr As sdi.SearchResult = ds.FindOne()
    If sr Is Nothing Then
        Return ""
    Else
        Return sr.Properties("GivenName")(0).ToString() & " " & sr.Properties("sn")(0).ToString()
    End If
End Function
' ========================================
Where AD_USERNAME and AD_PASSWORD are credentials for a service account created for the purpose of connecting to our Active Directory.

I expected that to work regardless of the user identity under which the asp.net process was running, since I'm passing explicit credentials to the AD. But I'm finding that in order to get this to work, I've got to:

- Disable anonymous logins on the 'directory security' tab of the virtual directory, AND
- set <identity impersonate="true" /> in web.config.

If I leave out either of those steps, my function fails with the error "The specified domain either does not exist or could not be contacted" on the call to FindOne(). If I include both of those steps, and then leave out the domain credentials, it fails with the same error.

This has to be a misconfiguration somewhere, right? I don't want my app to have to impersonate the browsing user... Can anyone advise?

Thanks!
-Roy
===================================
This list is hosted by DevelopMentor(r) http://www.develop.com
View archives and manage your subscription(s) at
http://discuss.develop.com
===================================