asp.net and ldap

Bryan

Hello,
I have an asp.net app working with directory services on my Windows XP
development machine. However when I moved the application over to our
production server (Win 2000 Server) it no longer works.

I use this code to try to connect to ldap:
System.DirectoryServices.DirectoryEntry entry = new
System.DirectoryServices.DirectoryEntry("LDAP://corp.mydomain.com", user, pass);

I tried using my user name and password, the domain admin user/pass but keep
on getting "the server is not operational" error. Now I know this is
security related, but after a day and a half of trying to get it to work and
searching Google I cannot find out how to make it work!

I even tried using ldp.exe on the webserver, it worked fine. I was able to
connect right to the ldap no problem...

Any and all help is greatly appreciated!!!

Thanks,

Bryan
 

Steven Cheng[MSFT]

Hi Bryan,

Welcome to ASPNET newsgroup.
From your description, you have a certain asp.net web application which uses
the System.DirectoryServices classes to make LDAP requests to a remote
server. The application's ldap requery code works well on your development
machine, however you're encountering "the server is not operational" error
when running on a deployment server, yes?

As for the LDAP query, are you accessing the ldap service through the SSL
port? If so, based on my experience, this should be a certificate related
issue. For SSL protected communication, when establishing the connection,
the client side will validate the server certificate in the local certificate
store, to find the Trusted root CA for that server certificate; if not
found, the connection establishing will fail. So if your ldap request is
really over the SSL port, you can try checking your deployment server's
Computer Certificate Store's Trusted root CA to see whether you can find
the root CA for your ldap server's ssl server certificate. If you're not
quite sure on the root cert, you can check the computer certificate
store on your development machine and compare them to see whether you can
find any clues.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Bryan" <[email protected]>
| Subject: asp.net and ldap
| Date: Wed, 7 Sep 2005 09:40:42 -0700
| Newsgroups: microsoft.public.dotnet.framework.aspnet
 

Bryan

Thanks for your response. However I got it to work. I had to change the web
site from IUSR to ASPNET and everything worked fine after that.
 

Steven Cheng[MSFT]

Thanks for your followup Bryan,

Glad that you've got the code working. As you mentioned that changing IUSR to
ASPNET worked, do you mean switching the ASP.NET application's process
identity from IUSR to ASPNET? If so, I think the problem is due to the IUSR
account not having the permission to access the computer store certificate
since it's a very restricted account.

Anyway, thanks again for your posting. Please always feel free to post here
when you need assistance.

Regards,

Steven Cheng
Microsoft Online Support


--------------------
| From: "Bryan" <[email protected]>
| Subject: Re: asp.net and ldap
| Date: Thu, 8 Sep 2005 09:08:25 -0700
| Newsgroups: microsoft.public.dotnet.framework.aspnet
 

Bryan

Ok, now I have the same problem again with accessing Active Directory.
Because I started using "impersonate = true" in the web.config everything
worked fine, because the user it was impersonating has permission to access
AD or is a user. That worked well and fine, until I wanted to give write
permissions to the aspnet account, so it could upload images to a folder.
So by turning off impersonate = true, made it so ASPNET was the user again
and had write permissions, but - AD was no longer accessible to the
application!!!!

HELP!
I need both to work!
I also tried explicitly putting the user name into this class -
System.DirectoryServices.DirectoryEntry entry = new
System.DirectoryServices.DirectoryEntry("LDAP://corp.companycom", @"company.com\myusername", "mypassword");

and get the same error again stating that server is not operational!

What Shall I do???

Thanks,

Bryan
 

Steven Cheng[MSFT]

Hi Bryan,

Since the problem occurs when you turn back to impersonate=false, which
causes the default ASPNET account to run the asp.net application, which
doesn't have sufficient permission to query the remote AD, then is it ok that
you still use impersonate and grant the impersonated user the access
permission to the folder you want to write?

Thanks,

Steven Cheng
Microsoft Online Support


--------------------
| From: "Bryan" <[email protected]>
| Subject: Re: asp.net and ldap
| Date: Thu, 15 Sep 2005 11:31:55 -0700
| Newsgroups: microsoft.public.dotnet.framework.aspnet
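
The outcome in this thread changes with the account the request runs as (IUSR, ASPNET, or an impersonated user), so a useful first step is to record that account next to the result of the bind. The following is an added example, not code from either poster; the class name LdapBindCheck and the message wording are hypothetical, and the path and credentials are whatever the caller passes in.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical diagnostic helper for the scenario in this thread.
public static class LdapBindCheck
{
    // HRESULT_FROM_WIN32(ERROR_DS_SERVER_DOWN): "The server is not operational."
    private const int ServerDown = unchecked((int)0x8007203A);
    // HRESULT_FROM_WIN32(ERROR_LOGON_FAILURE): unknown user name or bad password.
    private const int LogonFailure = unchecked((int)0x8007052E);

    public static string Describe(string ldapPath, string user, string password)
    {
        // The account this code is running as right now: the impersonated
        // user when <identity impersonate="true" /> is set, otherwise the
        // worker process account (ASPNET in this thread).
        string runningAs = WindowsIdentity.GetCurrent().Name;
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                ldapPath, user, password, AuthenticationTypes.Secure))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces
                // the bind so that a failure surfaces here.
                object bound = entry.NativeObject;
                return runningAs + ": bind OK as " + user;
            }
        }
        catch (COMException ex)
        {
            string reason;
            if (ex.ErrorCode == ServerDown)
                reason = "LDAP server could not be contacted from this identity";
            else if (ex.ErrorCode == LogonFailure)
                reason = "credentials were rejected";
            else
                reason = ex.Message;
            return runningAs + ": bind failed, 0x"
                + ex.ErrorCode.ToString("X8") + " (" + reason + ")";
        }
    }
}
```

Logging the returned line once with impersonation enabled and once with it disabled shows whether the failure follows the process identity or the supplied credentials.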
 
