Domain could not be contacted problem

Discussion in 'ASP .Net Security' started by Grant, Nov 22, 2004.

  1. Grant

    Grant Guest


    I got some sample code off the MSDN website on how to loop through a group
    in active directory and list the members. I can run the code from a console
    app but I cant run it from an ASP solution? I get the folowing message:

    "The specified domain either does not exist or could not be contacted"

    Heres the code Im using:
    DirectoryEntry group = new
    object members = group.Invoke("Members",null); //CODE IS FAILING HERE
    foreach( object member in (IEnumerable) members)
    DirectoryEntry x = new DirectoryEntry(member);
    catch ( Exception ex )
    lblResults.Text = ex.Message;


    I havent done any ASP programming before. This is a standard webapplication
    created using Visual Studio.NET 2003. I have IIS installed and Ive set the
    permissions to interactive user. The above code works from my console app
    and works a beaut but just not from my ASP page..

    can anyone tell me what Im doing worng here?

    Grant, Nov 22, 2004
    1. Advertisements

  2. This is a security context issue. The account your code is running under
    might not be a domain account, so you can't use serverless binding (which is
    what you are doing when you don't put a server name in the binding string

    This document has a lot more detail:;en-us;329986

    Joe K.
    Joe Kaplan \(MVP - ADSI\), Nov 22, 2004
    1. Advertisements

  3. Grant

    Grant Guest

    Thank you for the reply! Looking at my web.config file I dont have this
    "identity impersonate="true"" section and also it says to "security
    mechanism to Anonymous only" - where do I find this security mechanism, and
    how would i set the identity impersonate setting?

    When the Web.config file is set to identity impersonate="true"/ and
    authentication mode="Windows", use the Anonymous account with the following
    settings: . On the ASPX page, set the security mechanism to Anonymous only.
    . Clear the Allow IIS to control the password check box.
    . Set the Anonymous account to be a domain user.
    Grant, Nov 22, 2004
  4. The way I see it, you have two choices. You can either get your code
    running under a domain account so that you don't have to supply credentials
    and a server name, or you can supply a server or domain name and supply

    If you go the former route, you have a lot of options. Essentially, you can
    either make the process run under a domain account, or you can impersonate a
    domain account so that your current thread will take on that identity.

    To change the process account, you can either make the worker process run as
    a domain account or move the code into a COM+ component and run that under a
    domain identity.

    To impersonate a domain account, you generally do this by enabling
    impersonation in web.config. If you do that, then you will be impersonating
    the authenticated user in IIS. That will either be the user logging on or
    the anonyous user account (which you can make a domain account if you want).

    It is also possible to impersonate a specific user via web.config by
    specifying credentials and you can impersonate an account through code.
    Thus, you have lots of options. Some of these options vary by the OS you
    are running and your security settings.

    All of the IIS security settings are configured via the IIS MMC on the
    directory security tab.

    Normally, I just supply the server or domain in the binding string and
    supply som credentials from a service account and don't worry about all of
    the above.


    Joe K.
    Joe Kaplan \(MVP - ADSI\), Nov 23, 2004
  5. Grant

    Grant Guest

    Thanks for your help Joe. I put the "identity impersonate="true"" into the
    web config file and it worked perfectly. So nice when t works when in fact
    you were expecting an error - love that.

    I also had to disable anonymous access and enable integrated authentication
    in IIS before it worked. I do have to log in when I access the page for the
    first time - not sure why thats happening but if the rest works then my
    theory is - walk away veeeery slowly.

    Grant, Nov 23, 2004
  6. Grant

    Ken Schaefer Guest

    Um - because IIS needs to impersonate a user account, and so you need to
    supply valid user credentials?

    Well, technically your browser needs to supply them, and so you enter them
    into a dialogue the browser throws up, and the browser then sends them (or a
    hash of your password) to the server.

    Now, IE can attempt to logon on your behalf in certain circumstances without
    bothering you. See this KB article for a list of conditions that must be
    satisfied for this to happen:

    Ken Schaefer, Nov 23, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.