Authentication exception calling ActiveDirectory.Domain.GetCompute

D

David Thielen

Hi;

I can call both:
using (DirectorySearcher objSearcher = new DirectorySearcher()) {
return (string) objSearcher.SearchRoot.Properties["name"].Value;
}
and:
return
System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain().Name;

When I run my app under WinXP using the VS 2005 web server. But when I use
IIS on the same system the call to
System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain() generates:

2007-01-10 21:49:28,081 [1] ac.server ERROR Error - An unexpected exception
for user:
System.Security.Authentication.AuthenticationException: Logon failure:
unknown user name or bad password.
---> System.DirectoryServices.DirectoryServicesCOMException (0x8007052E):
Logon failure: unknown user name or bad password.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry
entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String
propertyName)
at
System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
--- End of inner exception stack trace ---
at
System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at
System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext
context)
at System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain()
at net.windward.portal.security.PortalRole.get_DomainName() in
C:\src\RePortal\WindwardPortalEngine\net\windward\portal\security\PortalRole.cs:line 114

Any ideas?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 
S

Steven Cheng[MSFT]

Hello Dave,

From the exception raise in your code, it indicate that the problem is due
to security authentication. (Login failed...........).

And according to your ASP.NET application, it works when hosted in VS test
server but failed when hosting in IIS(on XP). That means, when hosting in
VS test server, since test server running under your current logon user(I
assume it a domain user account), it can correctly login the domain. While
running in IIS, the default ASP.NET worker process identity is
machine\ASPNET(local account) that can not login domain, that's why the
exception occurs.

I think you can consider the following means:

1. Impersonate your application under a certain domain account when you
want to access the directory resource.

2. When constructing a DirectoryEntry, you can set authenticationType and
pass username/password credentials in the constructor, you can pass a
domain user credentials

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
J

Joe Kaplan

Sure, you can configure the process account to be a domain account. If you
are targeting 2003 server for deployment, that is the app pool identity.
You may also not have an issue here as the network service account will use
the machine account credentials when accessing AD.

In XP and 2000 server, you configure this in the processModel section of the
machine.config file.

Joe K.
 
J

Joe Kaplan

Your original message said WinXP, so I think that's why Steve and I were
both confused. I still don't know why it doesn't work with network service,
but it might have to do with the fact that they are trying to do a
serverless bind somewhere in there and that fails to resolve a DC because in
the local machine context, network service isn't a domain account. I'm not
sure.

However, this may be another reason to consider that p/invoke approach I
suggested in the other thread to try to get the same info. LDAP calls can
be tricky as they are highly dependent on the security context they are
running under.

Joe K.
 
S

Steven Cheng[MSFT]

Thanks for Joe's input.

Hi Dave,

As Joe has suggested, you can directly change your ASP.NET's worker process
identity to a domain account. See the following article:

#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

also, for ASP.NET 2.0, you can use "aspnet_regiis -ga customaccount" to
grant sufficient permissio to a given user(which will be used as ASP.NET
process identity).

#ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
http://msdn2.microsoft.com/en-us/library/k6h9cz8h(VS.80).aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
S

Steven Cheng[MSFT]

Hi Dave,

As Joe has also mentioned, we originally think that your ASP.NET process
identity is MACHINE\ASPNET local account. For Network Service account, it
should represent the computer's domain account and can correctly logon
domain. I've correctly call the following code under NETWORK SERVICE
account in my local test environment.


protected void btnAD_Click(object sender, EventArgs e)
{

using (DirectorySearcher objSearcher = new DirectorySearcher())
{
string name1 =
(string)objSearcher.SearchRoot.Properties["name"].Value;
Response.Write("<br/>name1: " + name1);
}

string name2 =
System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain().Name;

Response.Write("<br/>name2: " + name2);

}

it is apparent that the problem should specific to your local domain
environment.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
J

Joe Kaplan

In the other thread we were discussing this in, I suggested trying a
p/invoke of a Windows API call that would get this info. Did you try that?

Joe K.
 
D

David Thielen

Somedays I positively HATE software.

Ok, we had 2 other problems with just the one server having this
problem so we formatted the hard drive, reinstalled Windows IIS, etc.
Installed the portal.

And now all 3 methods work! So I don't know what was going on but this
works now.

thanks to all of you - dave

ps - And the MS web interface to the newsgroups is not working
(another reason I am not happy with software today) so I can't mark
this as answered. Steven - can you mark it as answered?




Hello Dave,

From the exception raise in your code, it indicate that the problem is due
to security authentication. (Login failed...........).

And according to your ASP.NET application, it works when hosted in VS test
server but failed when hosting in IIS(on XP). That means, when hosting in
VS test server, since test server running under your current logon user(I
assume it a domain user account), it can correctly login the domain. While
running in IIS, the default ASP.NET worker process identity is
machine\ASPNET(local account) that can not login domain, that's why the
exception occurs.

I think you can consider the following means:

1. Impersonate your application under a certain domain account when you
want to access the directory resource.

2. When constructing a DirectoryEntry, you can set authenticationType and
pass username/password credentials in the constructor, you can pass a
domain user credentials

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.


david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com
 
S

Steven Cheng[MSFT]

Hi Dave,

Thanks for your followup.

As for the MS web interface, we have reported this issue to the
corresponding internal team. For the "mark as answer", only the thread
owner can do it(this is different frmo MSDN forum). Also, we've been
informed that the web interface has been restored, you can try accessing it
to verify the behavior now.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top