How is the impersonation done? Are you just using <identity
impersonate="true"/> in web.config or are you programmatically impersonating
with a p/invoke call to LogonUser?
If you are doing the former and are using IWA auth in IIS, then the problem
is likely that of delegation and can be fixed by configuring Kerberos
delegation or deciding not to impersonate in the first place and using a
domain account for the process account instead.
If you are doing the latter, then it should work fine as it is.
Regarding your hack, it is better to use
System.Text.Encoding.UTF8.GetString(), passing in your byte array, to
convert the byte array to a string. That way, if the string happens to
contain any UTF8 data, it will get converted properly. It is also a little
less code.
Note that if impersonation is off, the Network Service account under 2003
SHOULD have rights to query the domain, as it uses the AD machine account
when accessing the network and that is a valid domain account. You may need
to supply a domain hint in your binding string to get the DC location to
work though. The path might look like LDAP://domain.com/DC=domain,DC=com
instead of LDAP://DC=domain,DC=com.
One other thing worth knowing is that if they ever upgrade the domain to
2003, it is likely that the code will break unless you fix the security
issue. Win2K AD allows anonymous searches by default, but 2K3 does not, so
if you accidentally bind as the anonymous user, you'll get an Operations
Error when you call FindAll.
I hope that helps.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Hi Joe, thank you. I'm using impersonation in the code and I've
checked that the account used to make the request is correct.
Here's a piece of code (it's an ASP.NET app):
// Identity before impersonation
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
// .....impersonation....
// Identity after impersonation
Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
DirectoryEntry entry = new DirectoryEntry("LDAP://.....");
DirectorySearcher searcher = new DirectorySearcher(entry);
searcher.Filter = "(objectCategory=computer)";
searcher.PropertiesToLoad.Add("name");
searcher.PropertiesToLoad.Add("operatingsystem");
SearchResult r = searcher.FindOne();
// ToString() on a byte[] yields "System.Byte[]", which is what shows up on 2003
string name = r.Properties["name"][0].ToString();
string os = r.Properties["operatingsystem"][0].ToString();
And here is how it works:
On XP:
box\ASPNET
.....impersonation....
DOMAIN\account
.....doing the request....
name = "comp999"
os = "Windows 2000 Professional"
On Win2003:
NT AUTHORITY\NETWORK SERVICE
.....impersonation....
DOMAIN\account
.....doing the request....
name = "comp999"
os = System.Byte[]
To get a string on the server I do a little hack like this:
byte[] byteArray = (byte[])r.Properties["operatingsystem"][0];
os = "";
foreach (byte t in byteArray)
{
// widens each byte to a char; fine for ASCII, wrong for multi-byte UTF-8
char c = Convert.ToChar(t);
os += c.ToString();
}
Then on the server I can read that:
os = "Windows 2000 Professional"
It's not a big deal, I can live with it, but it's still interesting
why it works differently.
BTW, DC is Win2000
Richard, thank you too, and special thanks for your website, I'm using
it quite often
-- Alexey [MVP ASP.NET]
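Putting Joe's two suggestions together (decode a byte[] attribute with Encoding.UTF8.GetString rather than widening bytes to chars, and put a domain hint in the binding path), here is an added example that is not code from either poster. It assumes a placeholder domain example.com / DC=example,DC=com and the same "name" and "operatingsystem" attributes Alexey queries.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Reads single-valued attributes from a SearchResult whether ADSI hands them
// back as string or as raw byte[], so the code behaves the same on XP and 2003.
static class AdAttributeReader
{
    // Converts one property value to text. byte[] is decoded as UTF-8; any
    // other type falls back to ToString().
    public static string ToText(object value)
    {
        if (value == null) return null;
        string s = value as string;
        if (s != null) return s;
        byte[] bytes = value as byte[];
        if (bytes != null) return Encoding.UTF8.GetString(bytes);
        return value.ToString();
    }

    // Returns the first value of an attribute, or null if the DC did not
    // return it (e.g. the attribute is not set on the object).
    public static string GetSingleValue(SearchResult r, string attribute)
    {
        if (!r.Properties.Contains(attribute)) return null;
        ResultPropertyValueCollection values = r.Properties[attribute];
        return values.Count == 0 ? null : ToText(values[0]);
    }

    // Binds with a domain hint in the path (LDAP://domain.com/DC=...), the
    // form Joe recommends when the process runs as NETWORK SERVICE and uses
    // the machine account to locate a DC. example.com is a placeholder.
    public static void PrintFirstComputer()
    {
        using (DirectoryEntry root = new DirectoryEntry("LDAP://example.com/DC=example,DC=com"))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(objectCategory=computer)";
            searcher.PropertiesToLoad.Add("name");
            searcher.PropertiesToLoad.Add("operatingsystem");
            SearchResult r = searcher.FindOne();
            if (r == null) { Console.WriteLine("no computer objects found"); return; }
            Console.WriteLine("name = " + GetSingleValue(r, "name"));
            Console.WriteLine("os   = " + GetSingleValue(r, "operatingsystem"));
        }
    }
}
```

If the bind silently falls back to anonymous on a 2003 domain, FindOne throws a DirectoryServicesCOMException ("Operations Error") at the search rather than at DirectoryEntry construction, which is the symptom Joe describes.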