Domain could not be contacted problem

Grant

Hello,

I got some sample code off the MSDN website on how to loop through a group
in Active Directory and list the members. I can run the code from a console
app but I can't run it from an ASP solution? I get the following message:

"The specified domain either does not exist or could not be contacted"

Here's the code I'm using:
---------------------------------------------------
// Requires: using System.Collections; using System.DirectoryServices;
try
{
    DirectoryEntry group = new DirectoryEntry(
        "LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com");
    object members = group.Invoke("Members", null); //CODE IS FAILING HERE
    foreach (object member in (IEnumerable) members)
    {
        DirectoryEntry x = new DirectoryEntry(member);
    }
}
catch (Exception ex)
{
    lblResults.Text = ex.Message;
}
---------------------------------------------------

I haven't done any ASP programming before. This is a standard web application
created using Visual Studio.NET 2003. I have IIS installed and I've set the
permissions to interactive user. The above code works from my console app
and works a beaut but just not from my ASP page..

Can anyone tell me what I'm doing wrong here?

Thanks,
Grant
 
Grant

Thank you for the reply! Looking at my web.config file I don't have this
"identity impersonate="true"" section and also it says to "security
mechanism to Anonymous only" - where do I find this security mechanism, and
how would I set the identity impersonate setting?

-------------
When the Web.config file is set to <identity impersonate="true"/> and
authentication mode="Windows", use the Anonymous account with the following
settings:
- On the ASPX page, set the security mechanism to Anonymous only.
- Clear the Allow IIS to control the password check box.
- Set the Anonymous account to be a domain user.
 
Joe Kaplan (MVP - ADSI)

The way I see it, you have two choices. You can either get your code
running under a domain account so that you don't have to supply credentials
and a server name, or you can supply a server or domain name and supply
credentials.

If you go the former route, you have a lot of options. Essentially, you can
either make the process run under a domain account, or you can impersonate a
domain account so that your current thread will take on that identity.

To change the process account, you can either make the worker process run as
a domain account or move the code into a COM+ component and run that under a
domain identity.

To impersonate a domain account, you generally do this by enabling
impersonation in web.config. If you do that, then you will be impersonating
the authenticated user in IIS. That will either be the user logging on or
the anonymous user account (which you can make a domain account if you want).

It is also possible to impersonate a specific user via web.config by
specifying credentials and you can impersonate an account through code.
Thus, you have lots of options. Some of these options vary by the OS you
are running and your security settings.

All of the IIS security settings are configured via the IIS MMC on the
directory security tab.

Normally, I just supply the server or domain in the binding string and
supply some credentials from a service account and don't worry about all of
the above.

HTH,

Joe K.
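
The last option in the reply above (name the domain in the binding string and pass service-account credentials), as an added example that is not code from the thread. The DNS name ourdomain.com (inferred from DC=ourdomain,DC=com), the class and method names, and the service account are assumptions.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;

public class GroupMemberLister
{
    // Assumption: "ourdomain.com" is the DNS name matching DC=ourdomain,DC=com
    // in the original post; a specific domain controller name also works here.
    private const string GroupPath =
        "LDAP://ourdomain.com/CN=Administrators,CN=Builtin,DC=ourdomain,DC=com";

    // serviceUser / servicePassword: a low-privilege domain account that only
    // needs read access to the directory (hypothetical). Load them from
    // protected configuration; do not hard-code them in the page.
    public static ArrayList GetMemberPaths(string serviceUser, string servicePassword)
    {
        // ArrayList keeps this compilable on the .NET 1.1 toolchain used in the thread.
        ArrayList paths = new ArrayList();

        // Naming the domain in the path avoids the serverless bind, which only
        // resolves when the calling identity is a domain account.
        // AuthenticationTypes.Secure requests Kerberos/NTLM, so the password
        // is not sent in clear text as it would be with a simple bind.
        using (DirectoryEntry group = new DirectoryEntry(
            GroupPath, serviceUser, servicePassword, AuthenticationTypes.Secure))
        {
            object members = group.Invoke("Members", null);
            foreach (object member in (IEnumerable)members)
            {
                // Each member is a COM IADs object; wrap it, read what is
                // needed, and release the underlying handle promptly.
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    paths.Add(entry.Path);
                }
            }
        }
        return paths;
    }
}
```

With this approach the worker process identity and the IIS authentication settings no longer decide whether the bind succeeds, so the page can keep running under its default low-privilege local account.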
 
Grant

Thanks for your help Joe. I put the "identity impersonate="true"" into the
web config file and it worked perfectly. So nice when it works when in fact
you were expecting an error - love that.

I also had to disable anonymous access and enable integrated authentication
in IIS before it worked. I do have to log in when I access the page for the
first time - not sure why that's happening but if the rest works then my
theory is - walk away veeeery slowly.

Cheers,
Grant
 
Ken Schaefer

Grant said:
I also had to disable anonymous access and enable integrated
authentication in IIS before it worked. I do have to log in when I access
the page for the first time - not sure why that's happening

Um - because IIS needs to impersonate a user account, and so you need to
supply valid user credentials?

Well, technically your browser needs to supply them, and so you enter them
into a dialogue the browser throws up, and the browser then sends them (or a
hash of your password) to the server.

Now, IE can attempt to log on on your behalf in certain circumstances without
bothering you. See this KB article for a list of conditions that must be
satisfied for this to happen:
http://support.microsoft.com/?id=258063

Cheers
Ken
 
