Domain could not be contacted problem

Discussion in 'ASP .Net Security' started by Grant, Nov 22, 2004.

  1. Grant

    Grant Guest

    Hello,

    I got some sample code off the MSDN website on how to loop through a group
    in Active Directory and list the members. I can run the code from a console
    app but I can't run it from an ASP solution? I get the following message:

    "The specified domain either does not exist or could not be contacted"

    Here's the code I'm using:
    ---------------------------------------------------
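    // Requires: using System; using System.Collections; using System.DirectoryServices;
    try
    {
        // Serverless bind: no server or domain name appears in the LDAP path.
        DirectoryEntry group = new DirectoryEntry(
            "LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com");
        object members = group.Invoke("Members", null); // CODE IS FAILING HERE
        foreach (object member in (IEnumerable)members)
        {
            // Wrap each returned ADSI object in a DirectoryEntry.
            DirectoryEntry x = new DirectoryEntry(member);
        }
    }
    catch (Exception ex)
    {
        // Show the failure text on the page.
        lblResults.Text = ex.Message;
    }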
    ---------------------------------------------------

    I haven't done any ASP programming before. This is a standard web application
    created using Visual Studio.NET 2003. I have IIS installed and I've set the
    permissions to interactive user. The above code works from my console app
    and works a beaut but just not from my ASP page.

    Can anyone tell me what I'm doing wrong here?

    Thanks,
    Grant
     
    Grant, Nov 22, 2004
    #1

  2. This is a security context issue. The account your code is running under
    might not be a domain account, so you can't use serverless binding (which is
    what you are doing when you don't put a server name in the binding string
    below).

    This document has a lot more detail:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Nov 22, 2004
    #2

  3. Grant

    Grant Guest

    Thank you for the reply! Looking at my web.config file I don't have this
    "identity impersonate="true"" section and also it says to "security
    mechanism to Anonymous only" - where do I find this security mechanism, and
    how would I set the identity impersonate setting?

    -------------
    When the Web.config file is set to identity impersonate="true"/ and
    authentication mode="Windows", use the Anonymous account with the following
    settings:
    - On the ASPX page, set the security mechanism to Anonymous only.
    - Clear the Allow IIS to control the password check box.
    - Set the Anonymous account to be a domain user.

    -------------

    Cheers
    Grant


     
    Grant, Nov 22, 2004
    #3
  4. The way I see it, you have two choices. You can either get your code
    running under a domain account so that you don't have to supply credentials
    and a server name, or you can supply a server or domain name and supply
    credentials.

    If you go the former route, you have a lot of options. Essentially, you can
    either make the process run under a domain account, or you can impersonate a
    domain account so that your current thread will take on that identity.

    To change the process account, you can either make the worker process run as
    a domain account or move the code into a COM+ component and run that under a
    domain identity.

    To impersonate a domain account, you generally do this by enabling
    impersonation in web.config. If you do that, then you will be impersonating
    the authenticated user in IIS. That will either be the user logging on or
    the anonymous user account (which you can make a domain account if you want).

    It is also possible to impersonate a specific user via web.config by
    specifying credentials and you can impersonate an account through code.
    Thus, you have lots of options. Some of these options vary by the OS you
    are running and your security settings.

    All of the IIS security settings are configured via the IIS MMC on the
    directory security tab.

    Normally, I just supply the server or domain in the binding string and
    supply some credentials from a service account and don't worry about all of
    the above.

    HTH,

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Nov 23, 2004
    #4
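
    The last option in the post above (server name in the binding string plus service-account credentials), together with a check of which account the code actually runs as, sketched as an added example; it is not code from the thread or from the KB article. The class name and the `server`, `user` and `password` parameters are assumptions, and the credentials are expected to come from protected configuration rather than source code.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Hypothetical helper, added for illustration.
public static class GroupMemberLister
{
    // Reports the account the current thread runs as. Under ASP.NET this is
    // the worker-process account unless <identity impersonate="true"/> is set
    // in web.config; a local (non-domain) account here is what makes a
    // serverless bind fail.
    public static string EffectiveIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " (impersonation level: " + id.ImpersonationLevel + ")";
        }
    }

    // server: DNS name of a domain controller or of the domain (assumption).
    // groupDn: e.g. "CN=Administrators,CN=builtin,DC=ourdomain,DC=com".
    // user/password: a low-privilege domain service account (assumption).
    public static List<string> ListMembers(string server, string groupDn,
                                           string user, string password)
    {
        List<string> names = new List<string>();
        string path = "LDAP://" + server + "/" + groupDn;

        // AuthenticationTypes.Secure requests a negotiated (Kerberos/NTLM)
        // bind, so the password is not sent as a clear-text simple bind.
        using (DirectoryEntry group = new DirectoryEntry(
                   path, user, password, AuthenticationTypes.Secure))
        {
            object members = group.Invoke("Members", null);
            foreach (object member in (IEnumerable)members)
            {
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    names.Add(entry.Name); // relative name, e.g. "CN=..."
                }
            }
        }
        return names;
    }
}
```

    Writing the value of `EffectiveIdentity()` to the page or a log before the bind shows whether a change to the worker-process account or the impersonation setting actually took effect.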
  5. Grant

    Grant Guest

    Thanks for your help Joe. I put the "identity impersonate="true"" into the
    web config file and it worked perfectly. So nice when it works when in fact
    you were expecting an error - love that.

    I also had to disable anonymous access and enable integrated authentication
    in IIS before it worked. I do have to log in when I access the page for the
    first time - not sure why that's happening but if the rest works then my
    theory is - walk away veeeery slowly.

    Cheers,
    Grant

     
    Grant, Nov 23, 2004
    #5
  6. Grant

    Ken Schaefer Guest

    "Grant" <> wrote in message
    news:...
    > I also had to disable anonymous access and enable integrated
    > authentication in IIS before it worked. I do have to log in when I access
    > the page for the first time - not sure why that's happening


    Um - because IIS needs to impersonate a user account, and so you need to
    supply valid user credentials?

    Well, technically your browser needs to supply them, and so you enter them
    into a dialogue the browser throws up, and the browser then sends them (or a
    hash of your password) to the server.

    Now, IE can attempt to log on on your behalf in certain circumstances without
    bothering you. See this KB article for a list of conditions that must be
    satisfied for this to happen:
    http://support.microsoft.com/?id=258063

    Cheers
    Ken
     
    Ken Schaefer, Nov 23, 2004
    #6
