Table does not exist error

Discussion in 'ASP .Net Security' started by Wake-Up-Jeff, Apr 14, 2009.

  1. Wake-Up-Jeff (Guest)

    I am trying to get my asp.net code to modify the comment property of the
    user object in AD.
    The idea is that an AD user accesses the web page.
    The user's credentials are used to access the user object and modify their
    own comment field.
    I don't want to use a single domain account to do this for all users. Each
    user can do it for themselves.
    I get the "table does not exist" error when calling the following code:

    ' Open an ADO connection through the ADSI OLE DB provider
    con = CreateObject("ADODB.Connection")
    con.provider = "ADsDSOObject"
    con.open("Active Directory Provider")
    com = CreateObject("ADODB.Command")
    com.ActiveConnection = con
    ' Look up the user's DN by sAMAccountName (string split across lines with continuations)
    strQuery = "Select distinguishedName from 'LDAP://" & strDomain & "'" & _
        " Where objectCategory = 'Person' AND objectClass='user' AND" & _
        " samAccountName='" & strUserID & "'"
    com.commandtext = strQuery
    RS = com.Execute

    The error occurs on com.Execute.

    I have read about impersonation, and have attempted to set this up, but I
    obviously haven't got something correct yet.
    The authentication for my virtual directory has Integrated Windows
    Authentication checked, and no other options checked.
    My web.config file has the following entries:
    <authentication mode="Windows"/>
    <identity impersonate="true"/>

    I have the computer account on which IIS is running as "Trusted for
    delegation". It is running W2K3 R2. The domain and forest are both at W2K3
    functional level.

    Any hints????
    Wake-Up-Jeff, Apr 14, 2009

  2. Joe Kaplan (Guest)

    Why on earth would you use ADO for querying AD when you could just use the
    DirectorySearcher in System.DirectoryServices? It is faster, easier to use
    and more flexible.

    The error you are getting is likely related to security. If you are trying
    to delegate without protocol transition (don't have "trusted for delegation
    with any protocol" configured in AD for the computer account along with
    constrained delegation to AD), then you need Kerb auth in IIS to get this to
    work. If you are getting NTLM instead (which is common), it will fail.
    Typically, if you want to get delegation working, you need to read the
    TechNet docs on troubleshooting Kerberos delegation to get a better idea of
    what you are looking for to make this work.

    I think you'll likely be better off switching to SDS for doing both the AD
    search and the modification operation. The security considerations are the
    same but you get an API that is easier to use in .NET and faster. The
    troubleshooting is also likely to be easier since the errors are slightly
    less obscure.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Apr 14, 2009
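    An added example (not code from the thread or from Joe's book) of the System.DirectoryServices approach recommended above: a DirectorySearcher locates the caller's user object by sAMAccountName and the returned DirectoryEntry writes the comment attribute. It assumes the poster's Windows-authentication plus impersonation setup, a placeholder domainPath such as "LDAP://DC=example,DC=com", and escapes the account name before it goes into the LDAP filter, since the poster's query builds the filter by string concatenation.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Text

Public Class SelfServiceComment

    ' Escape a value for use inside an LDAP filter (RFC 4515) so that an
    ' account name taken from the request cannot alter the filter's meaning.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Find the user by sAMAccountName and update its "comment" attribute.
    ' Runs in the calling thread's security context, i.e. the impersonated
    ' browser user, so AD applies that user's own permissions to the write.
    Public Shared Sub SetComment(ByVal domainPath As String, _
                                 ByVal samAccountName As String, _
                                 ByVal comment As String)
        Dim filter As String = String.Format( _
            "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", _
            EscapeFilterValue(samAccountName))

        ' domainPath is a placeholder such as "LDAP://DC=example,DC=com".
        Using root As New DirectoryEntry(domainPath)
            Using searcher As New DirectorySearcher(root, filter, New String() {"distinguishedName"})
                searcher.SearchScope = SearchScope.Subtree
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then
                    Throw New InvalidOperationException("No user matched the account name.")
                End If
                Using user As DirectoryEntry = result.GetDirectoryEntry()
                    user.Properties("comment").Value = comment
                    user.CommitChanges()
                End Using
            End Using
        End Using
    End Sub
End Class
```

    If the second hop to the domain controller is not delegatable, FindOne() or CommitChanges() will fail under this code just as com.Execute did under ADO; the API change does not alter the Kerberos requirement Joe describes.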

  3. Wake-Up-Jeff (Guest)

    Thanks for the tips.
    I'm only using ADO because I'm used to VBScript programming, and was unaware
    of the System.DirectoryServices namespace available in ASP.NET (a newbie at
    this).
    I've tried looking thru the Kerberos delegation docs, but can't see anything
    obvious I'm doing wrong.
    e.g. http://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
    and http://forums.asp.net/p/897609/971665.aspx#971665

    I have the member server computer account trusted for delegation.
    It's definitely the "2 hop" issue, as when I run IIS on a DC, it all works
    fine.

    Wake-Up-Jeff, Apr 20, 2009

  4. Joe Kaplan (Guest)

    With Kerb delegation, unless you are using protocol transition/S4U login,
    the part that frequently breaks is the Kerb login to the web server. Normal
    delegation requires Kerb to Kerb, so if you don't get Kerb on the front end,
    you can't do Kerb auth to the middle tier.

    The easiest way to verify is to enable account login audits on the front end
    web server and then look at the security event log events that are generated
    for the logins from the browser to the web server. If they are NTLMssp,
    Kerb delegation won't work. If they are Kerberos, then you at least have a
    chance.

    Protocol transition login allows the front end auth to be something other
    than Kerb (basic, NTLM or Digest) and then the service in the middle (the
    web app in this case) can "transition" to Kerberos when it needs to
    delegate. In ADUC, you'll see this option as "trusted for delegation | with
    any protocol" and you have to specify which services to delegate to. If you
    don't have the delegation tab in ADUC that shows this, your forest is not
    2003 FFL and you can't use this feature.

    Look for the technet doc on troubleshooting Kerberos delegation. It is the
    bible on this.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Kaplan, Apr 20, 2009
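    An added check (not from the thread) that makes the point about the front-end logon visible from inside the application: a token produced by an NTLM logon carries only impersonation level, while a delegatable Kerberos logon yields TokenImpersonationLevel.Delegation, which is what the second hop to AD needs. It assumes the poster's Windows-authentication and impersonation settings; the Security event log audit described above remains the authoritative way to confirm which protocol the browser used.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web

Public Class DelegationCheck

    ' Summarise the caller's logon: the authentication package that built the
    ' token (for example NTLM) and the token's impersonation level.
    Public Shared Function Describe(ByVal identity As WindowsIdentity) As String
        Return String.Format("user={0} package={1} level={2}", _
            identity.Name, identity.AuthenticationType, identity.ImpersonationLevel)
    End Function

    ' Only a Delegation-level token can be forwarded from the web server to a
    ' domain controller; Impersonation-level tokens (typical after NTLM) cannot.
    Public Shared Function SecondHopPossible(ByVal level As TokenImpersonationLevel) As Boolean
        Return level = TokenImpersonationLevel.Delegation
    End Function

    ' Call from a page or handler before touching AD, so a non-delegatable logon
    ' is reported plainly instead of surfacing as an obscure directory error.
    Public Shared Function EnsureDelegatable(ByVal context As HttpContext) As WindowsIdentity
        Dim identity As WindowsIdentity = TryCast(context.User.Identity, WindowsIdentity)
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then
            Throw New UnauthorizedAccessException("Windows authentication is required.")
        End If
        If Not SecondHopPossible(identity.ImpersonationLevel) Then
            Throw New InvalidOperationException( _
                "Front-end logon is not delegatable: " & Describe(identity))
        End If
        Return identity
    End Function
End Class
```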
