HRESULT: 0X80070490 with Azman and AD LDS on 2008 server

Discussion in 'ASP .Net Security' started by Ken, Jun 5, 2009.

  1. Ken

    Ken Guest

    Hi,
    I'm developing a WPF application which is using AzMan as its policy store.
    The AzMan in configured to work with AD LDS (aka ADAM). The development
    environment was with 2003 server and everything was fine. The deployment
    environment has 2008 server and when I'm trying to run the application I get
    an exception: "Element not found. (Exception from HRESULT: 0X80070490)". The
    stack trace points to
    AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    bstrApplicationName, Object varReserved). I call this method with "MyApp" and
    null and it was working fine on 2003 box.
    It seems to me that the application cannot locate "MyApp" in my AzMan store.
    Does The AZMan API expect something different on 2008 than on 2003? Do I need
    to replace interop.AZROLESLib.dll to a newer version?
    --
    Thank you,
    Ken
     
    Ken, Jun 5, 2009
    #1
    1. Advertising

  2. Ken

    Joe Kaplan Guest

    Are you sure your app has the right read permissions to the ADAM data? I'm
    guessing the app would be using Windows auth to bind to the ADAM LDAP server
    and uses the process identity of the app pool (typically network service) to
    do this. That would mean that you would either need to grant the machine
    account for the domain computer object for the machine read access to ADAM
    or something more general (I typically give "authenticated users" read
    access in ADAM unless there is something really sensitive in there that
    requires specific restrictions).

    The error you are getting is not very helpful at all, but this could just be
    some sort of operational problem related to not being app to read the data.
    In LDAP, if you try to read data that you don't have permission to see, the
    result to the client is that it simply doesn't exist. You don't get an
    access denied error.

    If there was a failure to authenticate, at the LDAP layer you'd likely get
    an "operations error" from ADAM in this case.

    HTH!

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > Hi,
    > I'm developing a WPF application which is using AzMan as its policy store.
    > The AzMan in configured to work with AD LDS (aka ADAM). The development
    > environment was with 2003 server and everything was fine. The deployment
    > environment has 2008 server and when I'm trying to run the application I
    > get
    > an exception: "Element not found. (Exception from HRESULT: 0X80070490)".
    > The
    > stack trace points to
    > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > bstrApplicationName, Object varReserved). I call this method with "MyApp"
    > and
    > null and it was working fine on 2003 box.
    > It seems to me that the application cannot locate "MyApp" in my AzMan
    > store.
    > Does The AZMan API expect something different on 2008 than on 2003? Do I
    > need
    > to replace interop.AZROLESLib.dll to a newer version?
    > --
    > Thank you,
    > Ken
     
    Joe Kaplan, Jun 8, 2009
    #2
    1. Advertising

  3. Ken

    Ken Guest

    Hi Joe,
    Thank you. I tried to give permission on ADAM for authenticated users but I
    got the same error. I actually think that the problem is not with access
    right as the call:
    azStore.Initialize(0, appStoreLocation, null) is returning with no
    exceptions. It is the azStore.OpenApplication2(appName, null) call which
    return the 'element not found' exception. So I suspect the appName is not
    found in the ADAM store but I don't know why. The same calls works great
    with 2003 server... Any other ideas?
    --
    Thank you,
    Ken


    "Joe Kaplan" wrote:

    > Are you sure your app has the right read permissions to the ADAM data? I'm
    > guessing the app would be using Windows auth to bind to the ADAM LDAP server
    > and uses the process identity of the app pool (typically network service) to
    > do this. That would mean that you would either need to grant the machine
    > account for the domain computer object for the machine read access to ADAM
    > or something more general (I typically give "authenticated users" read
    > access in ADAM unless there is something really sensitive in there that
    > requires specific restrictions).
    >
    > The error you are getting is not very helpful at all, but this could just be
    > some sort of operational problem related to not being app to read the data.
    > In LDAP, if you try to read data that you don't have permission to see, the
    > result to the client is that it simply doesn't exist. You don't get an
    > access denied error.
    >
    > If there was a failure to authenticate, at the LDAP layer you'd likely get
    > an "operations error" from ADAM in this case.
    >
    > HTH!
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Ken" <> wrote in message
    > news:...
    > > Hi,
    > > I'm developing a WPF application which is using AzMan as its policy store.
    > > The AzMan in configured to work with AD LDS (aka ADAM). The development
    > > environment was with 2003 server and everything was fine. The deployment
    > > environment has 2008 server and when I'm trying to run the application I
    > > get
    > > an exception: "Element not found. (Exception from HRESULT: 0X80070490)".
    > > The
    > > stack trace points to
    > > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > > bstrApplicationName, Object varReserved). I call this method with "MyApp"
    > > and
    > > null and it was working fine on 2003 box.
    > > It seems to me that the application cannot locate "MyApp" in my AzMan
    > > store.
    > > Does The AZMan API expect something different on 2008 than on 2003? Do I
    > > need
    > > to replace interop.AZROLESLib.dll to a newer version?
    > > --
    > > Thank you,
    > > Ken

    >
    >
     
    Ken, Jun 9, 2009
    #3
  4. Ken

    Joe Kaplan Guest

    Are you sure all the data is stored in ADAM/LDS as expected? I think I'd
    probably use the ldp.exe tool that comes with ADAM to look at the data in
    both servers and see if it looks the same. Maybe there is something messed
    up with the actual data in the directory. You might also try a tool like
    LDIFDE to export the data into a text file.

    I really don't have any other ideas but if the store is initializing just
    fine.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > Hi Joe,
    > Thank you. I tried to give permission on ADAM for authenticated users but
    > I
    > got the same error. I actually think that the problem is not with access
    > right as the call:
    > azStore.Initialize(0, appStoreLocation, null) is returning with no
    > exceptions. It is the azStore.OpenApplication2(appName, null) call which
    > return the 'element not found' exception. So I suspect the appName is not
    > found in the ADAM store but I don't know why. The same calls works great
    > with 2003 server... Any other ideas?
    > --
    > Thank you,
    > Ken
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> Are you sure your app has the right read permissions to the ADAM data?
    >> I'm
    >> guessing the app would be using Windows auth to bind to the ADAM LDAP
    >> server
    >> and uses the process identity of the app pool (typically network service)
    >> to
    >> do this. That would mean that you would either need to grant the machine
    >> account for the domain computer object for the machine read access to
    >> ADAM
    >> or something more general (I typically give "authenticated users" read
    >> access in ADAM unless there is something really sensitive in there that
    >> requires specific restrictions).
    >>
    >> The error you are getting is not very helpful at all, but this could just
    >> be
    >> some sort of operational problem related to not being app to read the
    >> data.
    >> In LDAP, if you try to read data that you don't have permission to see,
    >> the
    >> result to the client is that it simply doesn't exist. You don't get an
    >> access denied error.
    >>
    >> If there was a failure to authenticate, at the LDAP layer you'd likely
    >> get
    >> an "operations error" from ADAM in this case.
    >>
    >> HTH!
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Ken" <> wrote in message
    >> news:...
    >> > Hi,
    >> > I'm developing a WPF application which is using AzMan as its policy
    >> > store.
    >> > The AzMan in configured to work with AD LDS (aka ADAM). The development
    >> > environment was with 2003 server and everything was fine. The
    >> > deployment
    >> > environment has 2008 server and when I'm trying to run the application
    >> > I
    >> > get
    >> > an exception: "Element not found. (Exception from HRESULT:
    >> > 0X80070490)".
    >> > The
    >> > stack trace points to
    >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    >> > bstrApplicationName, Object varReserved). I call this method with
    >> > "MyApp"
    >> > and
    >> > null and it was working fine on 2003 box.
    >> > It seems to me that the application cannot locate "MyApp" in my AzMan
    >> > store.
    >> > Does The AZMan API expect something different on 2008 than on 2003? Do
    >> > I
    >> > need
    >> > to replace interop.AZROLESLib.dll to a newer version?
    >> > --
    >> > Thank you,
    >> > Ken

    >>
    >>
     
    Joe Kaplan, Jun 9, 2009
    #4
  5. Ken

    Ken Guest

    Thank you Joe.
    I used the ldp.exe and indeed found that in the 2003 server the content of
    my root directory (DC=myDomain,DC=local) includes a configuration file which
    is missing on the 2008 machine. Is there some configuration on the 2008
    server which prevent the configuration file from being created? How can I
    correct it?
    --
    Thank you,
    Ken


    "Joe Kaplan" wrote:

    > Are you sure all the data is stored in ADAM/LDS as expected? I think I'd
    > probably use the ldp.exe tool that comes with ADAM to look at the data in
    > both servers and see if it looks the same. Maybe there is something messed
    > up with the actual data in the directory. You might also try a tool like
    > LDIFDE to export the data into a text file.
    >
    > I really don't have any other ideas but if the store is initializing just
    > fine.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Ken" <> wrote in message
    > news:...
    > > Hi Joe,
    > > Thank you. I tried to give permission on ADAM for authenticated users but
    > > I
    > > got the same error. I actually think that the problem is not with access
    > > right as the call:
    > > azStore.Initialize(0, appStoreLocation, null) is returning with no
    > > exceptions. It is the azStore.OpenApplication2(appName, null) call which
    > > return the 'element not found' exception. So I suspect the appName is not
    > > found in the ADAM store but I don't know why. The same calls works great
    > > with 2003 server... Any other ideas?
    > > --
    > > Thank you,
    > > Ken
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> Are you sure your app has the right read permissions to the ADAM data?
    > >> I'm
    > >> guessing the app would be using Windows auth to bind to the ADAM LDAP
    > >> server
    > >> and uses the process identity of the app pool (typically network service)
    > >> to
    > >> do this. That would mean that you would either need to grant the machine
    > >> account for the domain computer object for the machine read access to
    > >> ADAM
    > >> or something more general (I typically give "authenticated users" read
    > >> access in ADAM unless there is something really sensitive in there that
    > >> requires specific restrictions).
    > >>
    > >> The error you are getting is not very helpful at all, but this could just
    > >> be
    > >> some sort of operational problem related to not being app to read the
    > >> data.
    > >> In LDAP, if you try to read data that you don't have permission to see,
    > >> the
    > >> result to the client is that it simply doesn't exist. You don't get an
    > >> access denied error.
    > >>
    > >> If there was a failure to authenticate, at the LDAP layer you'd likely
    > >> get
    > >> an "operations error" from ADAM in this case.
    > >>
    > >> HTH!
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Ken" <> wrote in message
    > >> news:...
    > >> > Hi,
    > >> > I'm developing a WPF application which is using AzMan as its policy
    > >> > store.
    > >> > The AzMan in configured to work with AD LDS (aka ADAM). The development
    > >> > environment was with 2003 server and everything was fine. The
    > >> > deployment
    > >> > environment has 2008 server and when I'm trying to run the application
    > >> > I
    > >> > get
    > >> > an exception: "Element not found. (Exception from HRESULT:
    > >> > 0X80070490)".
    > >> > The
    > >> > stack trace points to
    > >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > >> > bstrApplicationName, Object varReserved). I call this method with
    > >> > "MyApp"
    > >> > and
    > >> > null and it was working fine on 2003 box.
    > >> > It seems to me that the application cannot locate "MyApp" in my AzMan
    > >> > store.
    > >> > Does The AZMan API expect something different on 2008 than on 2003? Do
    > >> > I
    > >> > need
    > >> > to replace interop.AZROLESLib.dll to a newer version?
    > >> > --
    > >> > Thank you,
    > >> > Ken
    > >>
    > >>

    >
    >
     
    Ken, Jun 10, 2009
    #5
  6. Ken

    Joe Kaplan Guest

    That I have no idea on. However, it may be that you are either missing some
    part of the AzMan schema for your LDS server or that some aspect of the MMC
    snap-in that manages AzMan and persists the policy didn't save all the
    objects correctly.

    I don't know exactly what you mean by a "configuration file" underneath the
    root as the directory doesn't contain files. It contains objects that have
    attributes which store data and those objects may also be containers that
    hold other objects.

    But, I'd definitely poke around with AzMan to try to ensure that the policy
    is saved correctly.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > Thank you Joe.
    > I used the ldp.exe and indeed found that in the 2003 server the content of
    > my root directory (DC=myDomain,DC=local) includes a configuration file
    > which
    > is missing on the 2008 machine. Is there some configuration on the 2008
    > server which prevent the configuration file from being created? How can I
    > correct it?
    > --
    > Thank you,
    > Ken
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> Are you sure all the data is stored in ADAM/LDS as expected? I think I'd
    >> probably use the ldp.exe tool that comes with ADAM to look at the data in
    >> both servers and see if it looks the same. Maybe there is something
    >> messed
    >> up with the actual data in the directory. You might also try a tool like
    >> LDIFDE to export the data into a text file.
    >>
    >> I really don't have any other ideas but if the store is initializing just
    >> fine.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Ken" <> wrote in message
    >> news:...
    >> > Hi Joe,
    >> > Thank you. I tried to give permission on ADAM for authenticated users
    >> > but
    >> > I
    >> > got the same error. I actually think that the problem is not with
    >> > access
    >> > right as the call:
    >> > azStore.Initialize(0, appStoreLocation, null) is returning with no
    >> > exceptions. It is the azStore.OpenApplication2(appName, null) call
    >> > which
    >> > return the 'element not found' exception. So I suspect the appName is
    >> > not
    >> > found in the ADAM store but I don't know why. The same calls works
    >> > great
    >> > with 2003 server... Any other ideas?
    >> > --
    >> > Thank you,
    >> > Ken
    >> >
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> Are you sure your app has the right read permissions to the ADAM data?
    >> >> I'm
    >> >> guessing the app would be using Windows auth to bind to the ADAM LDAP
    >> >> server
    >> >> and uses the process identity of the app pool (typically network
    >> >> service)
    >> >> to
    >> >> do this. That would mean that you would either need to grant the
    >> >> machine
    >> >> account for the domain computer object for the machine read access to
    >> >> ADAM
    >> >> or something more general (I typically give "authenticated users" read
    >> >> access in ADAM unless there is something really sensitive in there
    >> >> that
    >> >> requires specific restrictions).
    >> >>
    >> >> The error you are getting is not very helpful at all, but this could
    >> >> just
    >> >> be
    >> >> some sort of operational problem related to not being app to read the
    >> >> data.
    >> >> In LDAP, if you try to read data that you don't have permission to
    >> >> see,
    >> >> the
    >> >> result to the client is that it simply doesn't exist. You don't get
    >> >> an
    >> >> access denied error.
    >> >>
    >> >> If there was a failure to authenticate, at the LDAP layer you'd likely
    >> >> get
    >> >> an "operations error" from ADAM in this case.
    >> >>
    >> >> HTH!
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> "Ken" <> wrote in message
    >> >> news:...
    >> >> > Hi,
    >> >> > I'm developing a WPF application which is using AzMan as its policy
    >> >> > store.
    >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    >> >> > development
    >> >> > environment was with 2003 server and everything was fine. The
    >> >> > deployment
    >> >> > environment has 2008 server and when I'm trying to run the
    >> >> > application
    >> >> > I
    >> >> > get
    >> >> > an exception: "Element not found. (Exception from HRESULT:
    >> >> > 0X80070490)".
    >> >> > The
    >> >> > stack trace points to
    >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    >> >> > bstrApplicationName, Object varReserved). I call this method with
    >> >> > "MyApp"
    >> >> > and
    >> >> > null and it was working fine on 2003 box.
    >> >> > It seems to me that the application cannot locate "MyApp" in my
    >> >> > AzMan
    >> >> > store.
    >> >> > Does The AZMan API expect something different on 2008 than on 2003?
    >> >> > Do
    >> >> > I
    >> >> > need
    >> >> > to replace interop.AZROLESLib.dll to a newer version?
    >> >> > --
    >> >> > Thank you,
    >> >> > Ken
    >> >>
    >> >>

    >>
    >>
     
    Joe Kaplan, Jun 10, 2009
    #6
  7. Ken

    Ken Guest

    Thank you Joe.
    Inside the ldp.exe when I dbl-click the root directory, part of what I get is:
    1> configurationFile: <?xml version="1.0"?>
    <doc>
    <configuration>
    <description>sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>myDomain.local</source-ad-name>
    <source-ad-partition>dc=myDomain,dc=local</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>dc=myDomain,dc=local</target-dn>
    <query>
    <base-dn>ou=tplss accounts,dc=myDomain,dc=local</base-dn>
    and do on...
    I can't see it on the 2008 machine.
    --
    Thank you,
    Ken


    "Joe Kaplan" wrote:

    > That I have no idea on. However, it may be that you are either missing some
    > part of the AzMan schema for your LDS server or that some aspect of the MMC
    > snap-in that manages AzMan and persists the policy didn't save all the
    > objects correctly.
    >
    > I don't know exactly what you mean by a "configuration file" underneath the
    > root as the directory doesn't contain files. It contains objects that have
    > attributes which store data and those objects may also be containers that
    > hold other objects.
    >
    > But, I'd definitely poke around with AzMan to try to ensure that the policy
    > is saved correctly.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Ken" <> wrote in message
    > news:...
    > > Thank you Joe.
    > > I used the ldp.exe and indeed found that in the 2003 server the content of
    > > my root directory (DC=myDomain,DC=local) includes a configuration file
    > > which
    > > is missing on the 2008 machine. Is there some configuration on the 2008
    > > server which prevent the configuration file from being created? How can I
    > > correct it?
    > > --
    > > Thank you,
    > > Ken
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> Are you sure all the data is stored in ADAM/LDS as expected? I think I'd
    > >> probably use the ldp.exe tool that comes with ADAM to look at the data in
    > >> both servers and see if it looks the same. Maybe there is something
    > >> messed
    > >> up with the actual data in the directory. You might also try a tool like
    > >> LDIFDE to export the data into a text file.
    > >>
    > >> I really don't have any other ideas but if the store is initializing just
    > >> fine.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Ken" <> wrote in message
    > >> news:...
    > >> > Hi Joe,
    > >> > Thank you. I tried to give permission on ADAM for authenticated users
    > >> > but
    > >> > I
    > >> > got the same error. I actually think that the problem is not with
    > >> > access
    > >> > right as the call:
    > >> > azStore.Initialize(0, appStoreLocation, null) is returning with no
    > >> > exceptions. It is the azStore.OpenApplication2(appName, null) call
    > >> > which
    > >> > return the 'element not found' exception. So I suspect the appName is
    > >> > not
    > >> > found in the ADAM store but I don't know why. The same calls works
    > >> > great
    > >> > with 2003 server... Any other ideas?
    > >> > --
    > >> > Thank you,
    > >> > Ken
    > >> >
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> Are you sure your app has the right read permissions to the ADAM data?
    > >> >> I'm
    > >> >> guessing the app would be using Windows auth to bind to the ADAM LDAP
    > >> >> server
    > >> >> and uses the process identity of the app pool (typically network
    > >> >> service)
    > >> >> to
    > >> >> do this. That would mean that you would either need to grant the
    > >> >> machine
    > >> >> account for the domain computer object for the machine read access to
    > >> >> ADAM
    > >> >> or something more general (I typically give "authenticated users" read
    > >> >> access in ADAM unless there is something really sensitive in there
    > >> >> that
    > >> >> requires specific restrictions).
    > >> >>
    > >> >> The error you are getting is not very helpful at all, but this could
    > >> >> just
    > >> >> be
    > >> >> some sort of operational problem related to not being app to read the
    > >> >> data.
    > >> >> In LDAP, if you try to read data that you don't have permission to
    > >> >> see,
    > >> >> the
    > >> >> result to the client is that it simply doesn't exist. You don't get
    > >> >> an
    > >> >> access denied error.
    > >> >>
    > >> >> If there was a failure to authenticate, at the LDAP layer you'd likely
    > >> >> get
    > >> >> an "operations error" from ADAM in this case.
    > >> >>
    > >> >> HTH!
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> "Ken" <> wrote in message
    > >> >> news:...
    > >> >> > Hi,
    > >> >> > I'm developing a WPF application which is using AzMan as its policy
    > >> >> > store.
    > >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    > >> >> > development
    > >> >> > environment was with 2003 server and everything was fine. The
    > >> >> > deployment
    > >> >> > environment has 2008 server and when I'm trying to run the
    > >> >> > application
    > >> >> > I
    > >> >> > get
    > >> >> > an exception: "Element not found. (Exception from HRESULT:
    > >> >> > 0X80070490)".
    > >> >> > The
    > >> >> > stack trace points to
    > >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > >> >> > bstrApplicationName, Object varReserved). I call this method with
    > >> >> > "MyApp"
    > >> >> > and
    > >> >> > null and it was working fine on 2003 box.
    > >> >> > It seems to me that the application cannot locate "MyApp" in my
    > >> >> > AzMan
    > >> >> > store.
    > >> >> > Does The AZMan API expect something different on 2008 than on 2003?
    > >> >> > Do
    > >> >> > I
    > >> >> > need
    > >> >> > to replace interop.AZROLESLib.dll to a newer version?
    > >> >> > --
    > >> >> > Thank you,
    > >> >> > Ken
    > >> >>
    > >> >>
    > >>
    > >>

    >
    >
     
    Ken, Jun 10, 2009
    #7
  8. Ken

    Joe Kaplan Guest

    Ok, that's an attribute called "configurationFile" that contains a string
    that has some XML in it. It sounds like this attribute has been added to
    the class schema for the root object type (domainDNS is what you are using)
    or probably it was added to the "top" class which is the base of all the
    schema types.

    However, that's an ADAMSync config file, not something having to do with
    AzMan. As such I'm not sure it is related at all.

    Where is the AzMan data in both directories?

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > Thank you Joe.
    > Inside the ldp.exe when I dbl-click the root directory, part of what I get
    > is:
    > 1> configurationFile: <?xml version="1.0"?>
    > <doc>
    > <configuration>
    > <description>sample Adamsync configuration file</description>
    > <security-mode>object</security-mode>
    > <source-ad-name>myDomain.local</source-ad-name>
    > <source-ad-partition>dc=myDomain,dc=local</source-ad-partition>
    > <source-ad-account></source-ad-account>
    > <account-domain></account-domain>
    > <target-dn>dc=myDomain,dc=local</target-dn>
    > <query>
    > <base-dn>ou=tplss accounts,dc=myDomain,dc=local</base-dn>
    > and do on...
    > I can't see it on the 2008 machine.
    > --
    > Thank you,
    > Ken
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> That I have no idea on. However, it may be that you are either missing
    >> some
    >> part of the AzMan schema for your LDS server or that some aspect of the
    >> MMC
    >> snap-in that manages AzMan and persists the policy didn't save all the
    >> objects correctly.
    >>
    >> I don't know exactly what you mean by a "configuration file" underneath
    >> the
    >> root as the directory doesn't contain files. It contains objects that
    >> have
    >> attributes which store data and those objects may also be containers that
    >> hold other objects.
    >>
    >> But, I'd definitely poke around with AzMan to try to ensure that the
    >> policy
    >> is saved correctly.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Ken" <> wrote in message
    >> news:...
    >> > Thank you Joe.
    >> > I used the ldp.exe and indeed found that in the 2003 server the content
    >> > of
    >> > my root directory (DC=myDomain,DC=local) includes a configuration file
    >> > which
    >> > is missing on the 2008 machine. Is there some configuration on the 2008
    >> > server which prevent the configuration file from being created? How can
    >> > I
    >> > correct it?
    >> > --
    >> > Thank you,
    >> > Ken
    >> >
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> Are you sure all the data is stored in ADAM/LDS as expected? I think
    >> >> I'd
    >> >> probably use the ldp.exe tool that comes with ADAM to look at the data
    >> >> in
    >> >> both servers and see if it looks the same. Maybe there is something
    >> >> messed
    >> >> up with the actual data in the directory. You might also try a tool
    >> >> like
    >> >> LDIFDE to export the data into a text file.
    >> >>
    >> >> I really don't have any other ideas but if the store is initializing
    >> >> just
    >> >> fine.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> "Ken" <> wrote in message
    >> >> news:...
    >> >> > Hi Joe,
    >> >> > Thank you. I tried to give permission on ADAM for authenticated
    >> >> > users
    >> >> > but
    >> >> > I
    >> >> > got the same error. I actually think that the problem is not with
    >> >> > access
    >> >> > right as the call:
    >> >> > azStore.Initialize(0, appStoreLocation, null) is returning with no
    >> >> > exceptions. It is the azStore.OpenApplication2(appName, null) call
    >> >> > which
    >> >> > return the 'element not found' exception. So I suspect the appName
    >> >> > is
    >> >> > not
    >> >> > found in the ADAM store but I don't know why. The same calls works
    >> >> > great
    >> >> > with 2003 server... Any other ideas?
    >> >> > --
    >> >> > Thank you,
    >> >> > Ken
    >> >> >
    >> >> >
    >> >> > "Joe Kaplan" wrote:
    >> >> >
    >> >> >> Are you sure your app has the right read permissions to the ADAM
    >> >> >> data?
    >> >> >> I'm
    >> >> >> guessing the app would be using Windows auth to bind to the ADAM
    >> >> >> LDAP
    >> >> >> server
    >> >> >> and uses the process identity of the app pool (typically network
    >> >> >> service)
    >> >> >> to
    >> >> >> do this. That would mean that you would either need to grant the
    >> >> >> machine
    >> >> >> account for the domain computer object for the machine read access
    >> >> >> to
    >> >> >> ADAM
    >> >> >> or something more general (I typically give "authenticated users"
    >> >> >> read
    >> >> >> access in ADAM unless there is something really sensitive in there
    >> >> >> that
    >> >> >> requires specific restrictions).
    >> >> >>
    >> >> >> The error you are getting is not very helpful at all, but this
    >> >> >> could
    >> >> >> just
    >> >> >> be
    >> >> >> some sort of operational problem related to not being app to read
    >> >> >> the
    >> >> >> data.
    >> >> >> In LDAP, if you try to read data that you don't have permission to
    >> >> >> see,
    >> >> >> the
    >> >> >> result to the client is that it simply doesn't exist. You don't
    >> >> >> get
    >> >> >> an
    >> >> >> access denied error.
    >> >> >>
    >> >> >> If there was a failure to authenticate, at the LDAP layer you'd
    >> >> >> likely
    >> >> >> get
    >> >> >> an "operations error" from ADAM in this case.
    >> >> >>
    >> >> >> HTH!
    >> >> >>
    >> >> >> --
    >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> >> Programming"
    >> >> >> http://www.directoryprogramming.net
    >> >> >> "Ken" <> wrote in message
    >> >> >> news:...
    >> >> >> > Hi,
    >> >> >> > I'm developing a WPF application which is using AzMan as its
    >> >> >> > policy
    >> >> >> > store.
    >> >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    >> >> >> > development
    >> >> >> > environment was with 2003 server and everything was fine. The
    >> >> >> > deployment
    >> >> >> > environment has 2008 server and when I'm trying to run the
    >> >> >> > application
    >> >> >> > I
    >> >> >> > get
    >> >> >> > an exception: "Element not found. (Exception from HRESULT:
    >> >> >> > 0X80070490)".
    >> >> >> > The
    >> >> >> > stack trace points to
    >> >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    >> >> >> > bstrApplicationName, Object varReserved). I call this method with
    >> >> >> > "MyApp"
    >> >> >> > and
    >> >> >> > null and it was working fine on 2003 box.
    >> >> >> > It seems to me that the application cannot locate "MyApp" in my
    >> >> >> > AzMan
    >> >> >> > store.
    >> >> >> > Does The AZMan API expect something different on 2008 than on
    >> >> >> > 2003?
    >> >> >> > Do
    >> >> >> > I
    >> >> >> > need
    >> >> >> > to replace interop.AZROLESLib.dll to a newer version?
    >> >> >> > --
    >> >> >> > Thank you,
    >> >> >> > Ken
    >> >> >>
    >> >> >>
    >> >>
    >> >>

    >>
    >>
     
    Joe Kaplan, Jun 10, 2009
    #8
  9. Ken

    Ken Guest

    Hi Joe,
    You're right. I missing a lot of AzMan data in the AD LDS of the 2008
    machine: there's no OU=MyDomain Accounts,DC=MyDomain,DC=LOCAL node and the
    ForeignSecurityPrincipal Node is almost empty. I don't know what could have
    caused it and how come my AzMan contains all the right information? Where
    does it actually stores it if I can't see it in the AD LDS?
    --
    Thank you,
    Ken


    "Joe Kaplan" wrote:

    > Ok, that's an attribute called "configurationFile" that contains a string
    > that has some XML in it. It sounds like this attribute has been added to
    > the class schema for the root object type (domainDNS is what you are using)
    > or probably it was added to the "top" class which is the base of all the
    > schema types.
    >
    > However, that's an ADAMSync config file, not something having to do with
    > AzMan. As such I'm not sure it is related at all.
    >
    > Where is the AzMan data in both directories?
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Ken" <> wrote in message
    > news:...
    > > Thank you Joe.
    > > Inside the ldp.exe when I dbl-click the root directory, part of what I get
    > > is:
    > > 1> configurationFile: <?xml version="1.0"?>
    > > <doc>
    > > <configuration>
    > > <description>sample Adamsync configuration file</description>
    > > <security-mode>object</security-mode>
    > > <source-ad-name>myDomain.local</source-ad-name>
    > > <source-ad-partition>dc=myDomain,dc=local</source-ad-partition>
    > > <source-ad-account></source-ad-account>
    > > <account-domain></account-domain>
    > > <target-dn>dc=myDomain,dc=local</target-dn>
    > > <query>
    > > <base-dn>ou=tplss accounts,dc=myDomain,dc=local</base-dn>
    > > and do on...
    > > I can't see it on the 2008 machine.
    > > --
    > > Thank you,
    > > Ken
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> That I have no idea on. However, it may be that you are either missing
    > >> some
    > >> part of the AzMan schema for your LDS server or that some aspect of the
    > >> MMC
    > >> snap-in that manages AzMan and persists the policy didn't save all the
    > >> objects correctly.
    > >>
    > >> I don't know exactly what you mean by a "configuration file" underneath
    > >> the
    > >> root as the directory doesn't contain files. It contains objects that
    > >> have
    > >> attributes which store data and those objects may also be containers that
    > >> hold other objects.
    > >>
    > >> But, I'd definitely poke around with AzMan to try to ensure that the
    > >> policy
    > >> is saved correctly.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Ken" <> wrote in message
    > >> news:...
    > >> > Thank you Joe.
    > >> > I used the ldp.exe and indeed found that in the 2003 server the content
    > >> > of
    > >> > my root directory (DC=myDomain,DC=local) includes a configuration file
    > >> > which
    > >> > is missing on the 2008 machine. Is there some configuration on the 2008
    > >> > server which prevent the configuration file from being created? How can
    > >> > I
    > >> > correct it?
    > >> > --
    > >> > Thank you,
    > >> > Ken
    > >> >
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> Are you sure all the data is stored in ADAM/LDS as expected? I think
    > >> >> I'd
    > >> >> probably use the ldp.exe tool that comes with ADAM to look at the data
    > >> >> in
    > >> >> both servers and see if it looks the same. Maybe there is something
    > >> >> messed
    > >> >> up with the actual data in the directory. You might also try a tool
    > >> >> like
    > >> >> LDIFDE to export the data into a text file.
    > >> >>
    > >> >> I really don't have any other ideas but if the store is initializing
    > >> >> just
    > >> >> fine.
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> "Ken" <> wrote in message
    > >> >> news:...
    > >> >> > Hi Joe,
    > >> >> > Thank you. I tried to give permission on ADAM for authenticated
    > >> >> > users
    > >> >> > but
    > >> >> > I
    > >> >> > got the same error. I actually think that the problem is not with
    > >> >> > access
    > >> >> > right as the call:
    > >> >> > azStore.Initialize(0, appStoreLocation, null) is returning with no
    > >> >> > exceptions. It is the azStore.OpenApplication2(appName, null) call
    > >> >> > which
    > >> >> > return the 'element not found' exception. So I suspect the appName
    > >> >> > is
    > >> >> > not
    > >> >> > found in the ADAM store but I don't know why. The same calls works
    > >> >> > great
    > >> >> > with 2003 server... Any other ideas?
    > >> >> > --
    > >> >> > Thank you,
    > >> >> > Ken
    > >> >> >
    > >> >> >
    > >> >> > "Joe Kaplan" wrote:
    > >> >> >
    > >> >> >> Are you sure your app has the right read permissions to the ADAM
    > >> >> >> data?
    > >> >> >> I'm
    > >> >> >> guessing the app would be using Windows auth to bind to the ADAM
    > >> >> >> LDAP
    > >> >> >> server
    > >> >> >> and uses the process identity of the app pool (typically network
    > >> >> >> service)
    > >> >> >> to
    > >> >> >> do this. That would mean that you would either need to grant the
    > >> >> >> machine
    > >> >> >> account for the domain computer object for the machine read access
    > >> >> >> to
    > >> >> >> ADAM
    > >> >> >> or something more general (I typically give "authenticated users"
    > >> >> >> read
    > >> >> >> access in ADAM unless there is something really sensitive in there
    > >> >> >> that
    > >> >> >> requires specific restrictions).
    > >> >> >>
    > >> >> >> The error you are getting is not very helpful at all, but this
    > >> >> >> could
    > >> >> >> just
    > >> >> >> be
    > >> >> >> some sort of operational problem related to not being app to read
    > >> >> >> the
    > >> >> >> data.
    > >> >> >> In LDAP, if you try to read data that you don't have permission to
    > >> >> >> see,
    > >> >> >> the
    > >> >> >> result to the client is that it simply doesn't exist. You don't
    > >> >> >> get
    > >> >> >> an
    > >> >> >> access denied error.
    > >> >> >>
    > >> >> >> If there was a failure to authenticate, at the LDAP layer you'd
    > >> >> >> likely
    > >> >> >> get
    > >> >> >> an "operations error" from ADAM in this case.
    > >> >> >>
    > >> >> >> HTH!
    > >> >> >>
    > >> >> >> --
    > >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> >> Programming"
    > >> >> >> http://www.directoryprogramming.net
    > >> >> >> "Ken" <> wrote in message
    > >> >> >> news:...
    > >> >> >> > Hi,
    > >> >> >> > I'm developing a WPF application which is using AzMan as its
    > >> >> >> > policy
    > >> >> >> > store.
    > >> >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    > >> >> >> > development
    > >> >> >> > environment was with 2003 server and everything was fine. The
    > >> >> >> > deployment
    > >> >> >> > environment has 2008 server and when I'm trying to run the
    > >> >> >> > application
    > >> >> >> > I
    > >> >> >> > get
    > >> >> >> > an exception: "Element not found. (Exception from HRESULT:
    > >> >> >> > 0X80070490)".
    > >> >> >> > The
    > >> >> >> > stack trace points to
    > >> >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > >> >> >> > bstrApplicationName, Object varReserved). I call this method with
    > >> >> >> > "MyApp"
    > >> >> >> > and
    > >> >> >> > null and it was working fine on 2003 box.
    > >> >> >> > It seems to me that the application cannot locate "MyApp" in my
    > >> >> >> > AzMan
    > >> >> >> > store.
    > >> >> >> > Does The AZMan API expect something different on 2008 than on
    > >> >> >> > 2003?
    > >> >> >> > Do
    > >> >> >> > I
    > >> >> >> > need
    > >> >> >> > to replace interop.AZROLESLib.dll to a newer version?
    > >> >> >> > --
    > >> >> >> > Thank you,
    > >> >> >> > Ken
    > >> >> >>
    > >> >> >>
    > >> >>
    > >> >>
    > >>
    > >>

    >
    >
     
    Ken, Jun 10, 2009
    #9
  10. Ken

    Joe Kaplan Guest

    Is it possible the snap-in is referencing the old ADAM server instead of the
    new LDS instance?

    One easy way to have done this would have been to make the LDS server a
    replica in a configuration set with the original ADAM so that AzMan could
    basically use either store interchangeably and you could master the actual
    policy information from either of them.

    However, it sounds like you might need to do some sort of export/import or
    something. It is a little hard to visualize without seeing it, but I
    suspect that there is a simple explanation here somewhere.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > Hi Joe,
    > You're right. I missing a lot of AzMan data in the AD LDS of the 2008
    > machine: there's no OU=MyDomain Accounts,DC=MyDomain,DC=LOCAL node and the
    > ForeignSecurityPrincipal Node is almost empty. I don't know what could
    > have
    > caused it and how come my AzMan contains all the right information? Where
    > does it actually stores it if I can't see it in the AD LDS?
    > --
    > Thank you,
    > Ken
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> Ok, that's an attribute called "configurationFile" that contains a string
    >> that has some XML in it. It sounds like this attribute has been added to
    >> the class schema for the root object type (domainDNS is what you are
    >> using)
    >> or probably it was added to the "top" class which is the base of all the
    >> schema types.
    >>
    >> However, that's an ADAMSync config file, not something having to do with
    >> AzMan. As such I'm not sure it is related at all.
    >>
    >> Where is the AzMan data in both directories?
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Ken" <> wrote in message
    >> news:...
    >> > Thank you Joe.
    >> > Inside the ldp.exe when I dbl-click the root directory, part of what I
    >> > get
    >> > is:
    >> > 1> configurationFile: <?xml version="1.0"?>
    >> > <doc>
    >> > <configuration>
    >> > <description>sample Adamsync configuration file</description>
    >> > <security-mode>object</security-mode>
    >> > <source-ad-name>myDomain.local</source-ad-name>
    >> > <source-ad-partition>dc=myDomain,dc=local</source-ad-partition>
    >> > <source-ad-account></source-ad-account>
    >> > <account-domain></account-domain>
    >> > <target-dn>dc=myDomain,dc=local</target-dn>
    >> > <query>
    >> > <base-dn>ou=tplss accounts,dc=myDomain,dc=local</base-dn>
    >> > and do on...
    >> > I can't see it on the 2008 machine.
    >> > --
    >> > Thank you,
    >> > Ken
    >> >
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> That I have no idea on. However, it may be that you are either
    >> >> missing
    >> >> some
    >> >> part of the AzMan schema for your LDS server or that some aspect of
    >> >> the
    >> >> MMC
    >> >> snap-in that manages AzMan and persists the policy didn't save all the
    >> >> objects correctly.
    >> >>
    >> >> I don't know exactly what you mean by a "configuration file"
    >> >> underneath
    >> >> the
    >> >> root as the directory doesn't contain files. It contains objects that
    >> >> have
    >> >> attributes which store data and those objects may also be containers
    >> >> that
    >> >> hold other objects.
    >> >>
    >> >> But, I'd definitely poke around with AzMan to try to ensure that the
    >> >> policy
    >> >> is saved correctly.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> "Ken" <> wrote in message
    >> >> news:...
    >> >> > Thank you Joe.
    >> >> > I used the ldp.exe and indeed found that in the 2003 server the
    >> >> > content
    >> >> > of
    >> >> > my root directory (DC=myDomain,DC=local) includes a configuration
    >> >> > file
    >> >> > which
    >> >> > is missing on the 2008 machine. Is there some configuration on the
    >> >> > 2008
    >> >> > server which prevent the configuration file from being created? How
    >> >> > can
    >> >> > I
    >> >> > correct it?
    >> >> > --
    >> >> > Thank you,
    >> >> > Ken
    >> >> >
    >> >> >
    >> >> > "Joe Kaplan" wrote:
    >> >> >
    >> >> >> Are you sure all the data is stored in ADAM/LDS as expected? I
    >> >> >> think
    >> >> >> I'd
    >> >> >> probably use the ldp.exe tool that comes with ADAM to look at the
    >> >> >> data
    >> >> >> in
    >> >> >> both servers and see if it looks the same. Maybe there is
    >> >> >> something
    >> >> >> messed
    >> >> >> up with the actual data in the directory. You might also try a
    >> >> >> tool
    >> >> >> like
    >> >> >> LDIFDE to export the data into a text file.
    >> >> >>
    >> >> >> I really don't have any other ideas but if the store is
    >> >> >> initializing
    >> >> >> just
    >> >> >> fine.
    >> >> >>
    >> >> >> --
    >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> >> Programming"
    >> >> >> http://www.directoryprogramming.net
    >> >> >> "Ken" <> wrote in message
    >> >> >> news:...
    >> >> >> > Hi Joe,
    >> >> >> > Thank you. I tried to give permission on ADAM for authenticated
    >> >> >> > users
    >> >> >> > but
    >> >> >> > I
    >> >> >> > got the same error. I actually think that the problem is not with
    >> >> >> > access
    >> >> >> > right as the call:
    >> >> >> > azStore.Initialize(0, appStoreLocation, null) is returning with
    >> >> >> > no
    >> >> >> > exceptions. It is the azStore.OpenApplication2(appName, null)
    >> >> >> > call
    >> >> >> > which
    >> >> >> > return the 'element not found' exception. So I suspect the
    >> >> >> > appName
    >> >> >> > is
    >> >> >> > not
    >> >> >> > found in the ADAM store but I don't know why. The same calls
    >> >> >> > works
    >> >> >> > great
    >> >> >> > with 2003 server... Any other ideas?
    >> >> >> > --
    >> >> >> > Thank you,
    >> >> >> > Ken
    >> >> >> >
    >> >> >> >
    >> >> >> > "Joe Kaplan" wrote:
    >> >> >> >
    >> >> >> >> Are you sure your app has the right read permissions to the ADAM
    >> >> >> >> data?
    >> >> >> >> I'm
    >> >> >> >> guessing the app would be using Windows auth to bind to the ADAM
    >> >> >> >> LDAP
    >> >> >> >> server
    >> >> >> >> and uses the process identity of the app pool (typically network
    >> >> >> >> service)
    >> >> >> >> to
    >> >> >> >> do this. That would mean that you would either need to grant
    >> >> >> >> the
    >> >> >> >> machine
    >> >> >> >> account for the domain computer object for the machine read
    >> >> >> >> access
    >> >> >> >> to
    >> >> >> >> ADAM
    >> >> >> >> or something more general (I typically give "authenticated
    >> >> >> >> users"
    >> >> >> >> read
    >> >> >> >> access in ADAM unless there is something really sensitive in
    >> >> >> >> there
    >> >> >> >> that
    >> >> >> >> requires specific restrictions).
    >> >> >> >>
    >> >> >> >> The error you are getting is not very helpful at all, but this
    >> >> >> >> could
    >> >> >> >> just
    >> >> >> >> be
    >> >> >> >> some sort of operational problem related to not being app to
    >> >> >> >> read
    >> >> >> >> the
    >> >> >> >> data.
    >> >> >> >> In LDAP, if you try to read data that you don't have permission
    >> >> >> >> to
    >> >> >> >> see,
    >> >> >> >> the
    >> >> >> >> result to the client is that it simply doesn't exist. You don't
    >> >> >> >> get
    >> >> >> >> an
    >> >> >> >> access denied error.
    >> >> >> >>
    >> >> >> >> If there was a failure to authenticate, at the LDAP layer you'd
    >> >> >> >> likely
    >> >> >> >> get
    >> >> >> >> an "operations error" from ADAM in this case.
    >> >> >> >>
    >> >> >> >> HTH!
    >> >> >> >>
    >> >> >> >> --
    >> >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> >> >> Programming"
    >> >> >> >> http://www.directoryprogramming.net
    >> >> >> >> "Ken" <> wrote in message
    >> >> >> >> news:...
    >> >> >> >> > Hi,
    >> >> >> >> > I'm developing a WPF application which is using AzMan as its
    >> >> >> >> > policy
    >> >> >> >> > store.
    >> >> >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    >> >> >> >> > development
    >> >> >> >> > environment was with 2003 server and everything was fine. The
    >> >> >> >> > deployment
    >> >> >> >> > environment has 2008 server and when I'm trying to run the
    >> >> >> >> > application
    >> >> >> >> > I
    >> >> >> >> > get
    >> >> >> >> > an exception: "Element not found. (Exception from HRESULT:
    >> >> >> >> > 0X80070490)".
    >> >> >> >> > The
    >> >> >> >> > stack trace points to
    >> >> >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    >> >> >> >> > bstrApplicationName, Object varReserved). I call this method
    >> >> >> >> > with
    >> >> >> >> > "MyApp"
    >> >> >> >> > and
    >> >> >> >> > null and it was working fine on 2003 box.
    >> >> >> >> > It seems to me that the application cannot locate "MyApp" in
    >> >> >> >> > my
    >> >> >> >> > AzMan
    >> >> >> >> > store.
    >> >> >> >> > Does The AZMan API expect something different on 2008 than on
    >> >> >> >> > 2003?
    >> >> >> >> > Do
    >> >> >> >> > I
    >> >> >> >> > need
    >> >> >> >> > to replace interop.AZROLESLib.dll to a newer version?
    >> >> >> >> > --
    >> >> >> >> > Thank you,
    >> >> >> >> > Ken
    >> >> >> >>
    >> >> >> >>
    >> >> >>
    >> >> >>
    >> >>
    >> >>

    >>
    >>
     
    Joe Kaplan, Jun 11, 2009
    #10
  11. Ken

    Ken Guest

    So I unistall everything and re-started from scratch following this link:
    http://msdn.microsoft.com/en-us/library/ms998331.aspx (though my app is WPF
    and not ASP. This was the best official documentation I could find). Now I
    see all the Azman information inside ADAM as it should be. BUT, I still get
    the exception above!
    --
    Thank you,
    Ken


    "Joe Kaplan" wrote:

    > Is it possible the snap-in is referencing the old ADAM server instead of the
    > new LDS instance?
    >
    > One easy way to have done this would have been to make the LDS server a
    > replica in a configuration set with the original ADAM so that AzMan could
    > basically use either store interchangeably and you could master the actual
    > policy information from either of them.
    >
    > However, it sounds like you might need to do some sort of export/import or
    > something. It is a little hard to visualize without seeing it, but I
    > suspect that there is a simple explanation here somewhere.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Ken" <> wrote in message
    > news:...
    > > Hi Joe,
    > > You're right. I missing a lot of AzMan data in the AD LDS of the 2008
    > > machine: there's no OU=MyDomain Accounts,DC=MyDomain,DC=LOCAL node and the
    > > ForeignSecurityPrincipal Node is almost empty. I don't know what could
    > > have
    > > caused it and how come my AzMan contains all the right information? Where
    > > does it actually stores it if I can't see it in the AD LDS?
    > > --
    > > Thank you,
    > > Ken
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> Ok, that's an attribute called "configurationFile" that contains a string
    > >> that has some XML in it. It sounds like this attribute has been added to
    > >> the class schema for the root object type (domainDNS is what you are
    > >> using)
    > >> or probably it was added to the "top" class which is the base of all the
    > >> schema types.
    > >>
    > >> However, that's an ADAMSync config file, not something having to do with
    > >> AzMan. As such I'm not sure it is related at all.
    > >>
    > >> Where is the AzMan data in both directories?
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Ken" <> wrote in message
    > >> news:...
    > >> > Thank you Joe.
    > >> > Inside the ldp.exe when I dbl-click the root directory, part of what I
    > >> > get
    > >> > is:
    > >> > 1> configurationFile: <?xml version="1.0"?>
    > >> > <doc>
    > >> > <configuration>
    > >> > <description>sample Adamsync configuration file</description>
    > >> > <security-mode>object</security-mode>
    > >> > <source-ad-name>myDomain.local</source-ad-name>
    > >> > <source-ad-partition>dc=myDomain,dc=local</source-ad-partition>
    > >> > <source-ad-account></source-ad-account>
    > >> > <account-domain></account-domain>
    > >> > <target-dn>dc=myDomain,dc=local</target-dn>
    > >> > <query>
    > >> > <base-dn>ou=tplss accounts,dc=myDomain,dc=local</base-dn>
    > >> > and do on...
    > >> > I can't see it on the 2008 machine.
    > >> > --
    > >> > Thank you,
    > >> > Ken
    > >> >
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> That I have no idea on. However, it may be that you are either
    > >> >> missing
    > >> >> some
    > >> >> part of the AzMan schema for your LDS server or that some aspect of
    > >> >> the
    > >> >> MMC
    > >> >> snap-in that manages AzMan and persists the policy didn't save all the
    > >> >> objects correctly.
    > >> >>
    > >> >> I don't know exactly what you mean by a "configuration file"
    > >> >> underneath
    > >> >> the
    > >> >> root as the directory doesn't contain files. It contains objects that
    > >> >> have
    > >> >> attributes which store data and those objects may also be containers
    > >> >> that
    > >> >> hold other objects.
    > >> >>
    > >> >> But, I'd definitely poke around with AzMan to try to ensure that the
    > >> >> policy
    > >> >> is saved correctly.
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> "Ken" <> wrote in message
    > >> >> news:...
    > >> >> > Thank you Joe.
    > >> >> > I used the ldp.exe and indeed found that in the 2003 server the
    > >> >> > content
    > >> >> > of
    > >> >> > my root directory (DC=myDomain,DC=local) includes a configuration
    > >> >> > file
    > >> >> > which
    > >> >> > is missing on the 2008 machine. Is there some configuration on the
    > >> >> > 2008
    > >> >> > server which prevent the configuration file from being created? How
    > >> >> > can
    > >> >> > I
    > >> >> > correct it?
    > >> >> > --
    > >> >> > Thank you,
    > >> >> > Ken
    > >> >> >
    > >> >> >
    > >> >> > "Joe Kaplan" wrote:
    > >> >> >
    > >> >> >> Are you sure all the data is stored in ADAM/LDS as expected? I
    > >> >> >> think
    > >> >> >> I'd
    > >> >> >> probably use the ldp.exe tool that comes with ADAM to look at the
    > >> >> >> data
    > >> >> >> in
    > >> >> >> both servers and see if it looks the same. Maybe there is
    > >> >> >> something
    > >> >> >> messed
    > >> >> >> up with the actual data in the directory. You might also try a
    > >> >> >> tool
    > >> >> >> like
    > >> >> >> LDIFDE to export the data into a text file.
    > >> >> >>
    > >> >> >> I really don't have any other ideas but if the store is
    > >> >> >> initializing
    > >> >> >> just
    > >> >> >> fine.
    > >> >> >>
    > >> >> >> --
    > >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> >> Programming"
    > >> >> >> http://www.directoryprogramming.net
    > >> >> >> "Ken" <> wrote in message
    > >> >> >> news:...
    > >> >> >> > Hi Joe,
    > >> >> >> > Thank you. I tried to give permission on ADAM for authenticated
    > >> >> >> > users
    > >> >> >> > but
    > >> >> >> > I
    > >> >> >> > got the same error. I actually think that the problem is not with
    > >> >> >> > access
    > >> >> >> > right as the call:
    > >> >> >> > azStore.Initialize(0, appStoreLocation, null) is returning with
    > >> >> >> > no
    > >> >> >> > exceptions. It is the azStore.OpenApplication2(appName, null)
    > >> >> >> > call
    > >> >> >> > which
    > >> >> >> > return the 'element not found' exception. So I suspect the
    > >> >> >> > appName
    > >> >> >> > is
    > >> >> >> > not
    > >> >> >> > found in the ADAM store but I don't know why. The same calls
    > >> >> >> > works
    > >> >> >> > great
    > >> >> >> > with 2003 server... Any other ideas?
    > >> >> >> > --
    > >> >> >> > Thank you,
    > >> >> >> > Ken
    > >> >> >> >
    > >> >> >> >
    > >> >> >> > "Joe Kaplan" wrote:
    > >> >> >> >
    > >> >> >> >> Are you sure your app has the right read permissions to the ADAM
    > >> >> >> >> data?
    > >> >> >> >> I'm
    > >> >> >> >> guessing the app would be using Windows auth to bind to the ADAM
    > >> >> >> >> LDAP
    > >> >> >> >> server
    > >> >> >> >> and uses the process identity of the app pool (typically network
    > >> >> >> >> service)
    > >> >> >> >> to
    > >> >> >> >> do this. That would mean that you would either need to grant
    > >> >> >> >> the
    > >> >> >> >> machine
    > >> >> >> >> account for the domain computer object for the machine read
    > >> >> >> >> access
    > >> >> >> >> to
    > >> >> >> >> ADAM
    > >> >> >> >> or something more general (I typically give "authenticated
    > >> >> >> >> users"
    > >> >> >> >> read
    > >> >> >> >> access in ADAM unless there is something really sensitive in
    > >> >> >> >> there
    > >> >> >> >> that
    > >> >> >> >> requires specific restrictions).
    > >> >> >> >>
    > >> >> >> >> The error you are getting is not very helpful at all, but this
    > >> >> >> >> could
    > >> >> >> >> just
    > >> >> >> >> be
    > >> >> >> >> some sort of operational problem related to not being app to
    > >> >> >> >> read
    > >> >> >> >> the
    > >> >> >> >> data.
    > >> >> >> >> In LDAP, if you try to read data that you don't have permission
    > >> >> >> >> to
    > >> >> >> >> see,
    > >> >> >> >> the
    > >> >> >> >> result to the client is that it simply doesn't exist. You don't
    > >> >> >> >> get
    > >> >> >> >> an
    > >> >> >> >> access denied error.
    > >> >> >> >>
    > >> >> >> >> If there was a failure to authenticate, at the LDAP layer you'd
    > >> >> >> >> likely
    > >> >> >> >> get
    > >> >> >> >> an "operations error" from ADAM in this case.
    > >> >> >> >>
    > >> >> >> >> HTH!
    > >> >> >> >>
    > >> >> >> >> --
    > >> >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> >> >> Programming"
    > >> >> >> >> http://www.directoryprogramming.net
    > >> >> >> >> "Ken" <> wrote in message
    > >> >> >> >> news:...
    > >> >> >> >> > Hi,
    > >> >> >> >> > I'm developing a WPF application which is using AzMan as its
    > >> >> >> >> > policy
    > >> >> >> >> > store.
    > >> >> >> >> > The AzMan in configured to work with AD LDS (aka ADAM). The
    > >> >> >> >> > development
    > >> >> >> >> > environment was with 2003 server and everything was fine. The
    > >> >> >> >> > deployment
    > >> >> >> >> > environment has 2008 server and when I'm trying to run the
    > >> >> >> >> > application
    > >> >> >> >> > I
    > >> >> >> >> > get
    > >> >> >> >> > an exception: "Element not found. (Exception from HRESULT:
    > >> >> >> >> > 0X80070490)".
    > >> >> >> >> > The
    > >> >> >> >> > stack trace points to
    > >> >> >> >> > AZROLESLib.AZAuthorizationStoreClass.OpenApplication2(String
    > >> >> >> >> > bstrApplicationName, Object varReserved). I call this method
    > >> >> >> >> > with
    > >> >> >> >> > "MyApp"
    > >> >> >> >> > and
    > >> >> >> >> > null and it was working fine on 2003 box.
    > >> >> >> >> > It seems to me that the application cannot locate "MyApp" in
    > >> >> >> >> > my
    > >> >> >> >> > AzMan
    > >> >> >> >> > store.
    > >> >> >> >> > Does The AZMan API expect something different on 2008 than on
    > >> >> >> >> > 2003?
    > >> >> >> >> > Do
    > >> >> >> >> > I
    > >> >> >> >> > need
    > >> >> >> >> > to replace interop.AZROLESLib.dll to a newer version?
    > >> >> >> >> > --
    > >> >> >> >> > Thank you,
    > >> >> >> >> > Ken
    > >> >> >> >>
    > >> >> >> >>
    > >> >> >>
    > >> >> >>
    > >> >>
    > >> >>
    > >>
    > >>

    >
    >
     
    Ken, Jun 12, 2009
    #11
  12. Ken

    Joe Kaplan Guest

    I'm out of ideas then. You may need to go to MS support on this. Maybe one
    of the guys who monitors the newsgroup will pick this up.

    At least your ADAM/LDS is in better shape now.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Ken" <> wrote in message
    news:...
    > So I unistall everything and re-started from scratch following this link:
    > http://msdn.microsoft.com/en-us/library/ms998331.aspx (though my app is
    > WPF
    > and not ASP. This was the best official documentation I could find). Now I
    > see all the Azman information inside ADAM as it should be. BUT, I still
    > get
    > the exception above!
    > --
    > Thank you,
    > Ken
    >
     
    Joe Kaplan, Jun 12, 2009
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Philipp Schumann
    Replies:
    2
    Views:
    5,401
    Philipp Schumann
    Apr 16, 2004
  2. AAaron123
    Replies:
    6
    Views:
    2,556
    AAaron123
    Oct 28, 2008
  3. Sam
    Replies:
    2
    Views:
    6,575
    squarepants
    Dec 9, 2010
  4. Michael Herman \(Parallelspace/OpenCanal\)

    AzMan: Has anyone created an HTML/Web management console as an alternative to the AzMan MMC?

    Michael Herman \(Parallelspace/OpenCanal\), Jan 6, 2006, in forum: ASP .Net Security
    Replies:
    0
    Views:
    271
    Michael Herman \(Parallelspace/OpenCanal\)
    Jan 6, 2006
  5. Lars Sundstrom

    Azman. Unable to recive rolls from Azman.

    Lars Sundstrom, Oct 9, 2008, in forum: ASP .Net Security
    Replies:
    0
    Views:
    772
    Lars Sundstrom
    Oct 9, 2008
Loading...

Share This Page