Table does not exist error

Discussion in 'ASP .Net Security' started by Wake-Up-Jeff, Apr 14, 2009.

  1. Wake-Up-Jeff

    Wake-Up-Jeff Guest

    I am trying to get my code to modify the comment property of the
    user object in AD.
    The idea is that an AD user accesses the web page.
    The user's credentials are used to access the user object and modify their
    own comment field.
    I don't want to use a single domain account to do this for all users. Each
    user can do it for themselves.
    I get the "table does not exist" error when calling the following code:

    ' Late-bound ADO against the ADSI OLE DB provider, as posted; the failure is on com.Execute.
    Dim con As Object = CreateObject("ADODB.Connection")
    con.Provider = "ADsDSOObject"
    con.Open("Active Directory Provider")
    Dim com As Object = CreateObject("ADODB.Command")
    com.ActiveConnection = con
    ' strDomain and strUserID are set earlier in the page (not shown here).
    Dim strQuery As String = "Select distinguishedName from 'LDAP://" & strDomain & "'" & _
        " Where objectCategory = 'Person' AND objectClass = 'user' AND" & _
        " samAccountName = '" & strUserID & "'"
    com.CommandText = strQuery
    Dim RS As Object = com.Execute()

    the error occurs on com.Execute.

    I have read about impersonation, and have attempted to set this up, but I
    obviously haven't got something correct yet.
    The authentication for my virtual directory has Integrated Windows
    Authentication checked, and no other options checked.
    My web.config file has the following entries:
    <authentication mode="Windows"/>
    <identity impersonate ="true"/>

    I have the computer account on which IIS is running as "Trusted for
    delegation". It is running W2K3 R2. The domain and forest are both at W2K3
    functional level.

    Any hints????
    Wake-Up-Jeff, Apr 14, 2009

  2. Joe Kaplan

    Joe Kaplan Guest

    Why on earth would you use ADO for querying AD when you could just use the
    DirectorySearcher in System.DirectoryServices? It is faster, easier to use
    and more flexible.

    The error you are getting is likely related to security. If you are trying
    to delegate without protocol transition (don't have "trusted for delegation
    with any protocol" configured in AD for the computer account along with
    constrained delegation to AD), then you need Kerb auth in IIS to get this to
    work. If you are getting NTLM instead (which is common), it will fail.
    Typically, if you want to get delegation working, you need to read the
    TechNet docs on troubleshooting Kerberos delegation to get a better idea of
    what you are looking for to make this work.

    I think you'll likely be better off switching to SDS for doing both the AD
    search and the modification operation. The security considerations are the
    same but you get an API that is easier to use in .NET and faster. The
    troubleshooting is also likely to be easier since the errors are slightly
    less obscure.
    Joe Kaplan, Apr 14, 2009
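The System.DirectoryServices approach suggested above, written out as an added example (my code, not the thread's): the same search as the ADO query, then a bind and write to the comment attribute, all on the caller's own token with no credentials passed. Two things the posted code does not do are included: the user name is escaped before it goes into the LDAP filter (the question splices strUserID straight into the query string), and the domain naming context is read from RootDSE instead of being hard-coded. Assumes Windows PowerShell on a domain-joined machine and that the caller has write access to the comment attribute on their own object; the function names are illustrative.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell on a
# domain-joined machine; function and parameter names are illustrative.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515). The ADO query in
    # the question concatenates strUserID into the filter, so a name such as
    # "x)(objectClass=*" would rewrite it; this makes the value inert.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash first, so the escapes introduced afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Set-OwnAdComment {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Comment
    )
    # RootDSE gives the naming context of the domain the caller is logged on to,
    # so nothing is hard-coded. No credentials are passed: the bind uses the
    # caller's own token, which is the model the question asks for.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $nc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$nc")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safeName = ConvertTo-LdapFilterValue $SamAccountName
    # Same predicate as the ADO query in the question, in LDAP filter syntax.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user with sAMAccountName '$SamAccountName'" }

    # Bind to the object found and write the attribute. CommitChanges is the
    # call that has to reach the DC as the caller, i.e. the "second hop".
    $user = $result.GetDirectoryEntry()
    $previous = [string]$user.Properties['comment'].Value
    $user.Properties['comment'].Value = $Comment
    $user.CommitChanges()

    [pscustomobject]@{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        PreviousComment   = $previous
        NewComment        = $Comment
    }
}

# Usage: each user updates only their own object.
# Set-OwnAdComment -SamAccountName $env:USERNAME -Comment "Updated $(Get-Date -Format s)"
```

Run interactively this works with the logged-on user's ticket and needs no delegation at all, because the caller and the process are on the same machine. Inside the ASP.NET page with `<identity impersonate="true"/>` the same calls execute under the browser user's impersonation token, and CommitChanges only succeeds at the DC if IIS received a Kerberos ticket from the browser and the web server's computer account is allowed to delegate; with an NTLM front-end logon the token cannot be forwarded and the bind fails, which is the failure the rest of the thread is about. A DirectorySearcher failure also surfaces the underlying HRESULT and message rather than the provider's "table does not exist".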

  3. Wake-Up-Jeff

    Wake-Up-Jeff Guest

    Thanks for the tips.
    I'm only using ADO because I'm used to VBScript programming, and was unaware
    of the System.DirectoryServices namespace available in ASP.NET (a newbie at
    I've tried looking thru the Kerberos delegation docs, but can't see anything
    obvious I'm doing wrong.

    I have the member server computer account trusted for delegation.
    It's definitely the "2 hop" issue, as when I run IIS on a DC, it all works
    Wake-Up-Jeff, Apr 20, 2009
  4. Joe Kaplan

    Joe Kaplan Guest

    With Kerb delegation, unless you are using protocol transition/S4U login,
    the part that frequently breaks is the Kerb login to the web server. Normal
    delegation requires Kerb to Kerb, so if you don't get Kerb on the front end,
    you can't do Kerb auth to the middle tier.

    The easiest way to verify is to enable account login audits on the front end
    web server and then look at the security event log events that are generated
    for the logins from the browser to the web server. If they are NTLMssp,
    Kerb delegation won't work. If they are Kerberos, then you at least have a

    Protocol transition login allows the front end auth to be something other
    than Kerb (basic, NTLM or Digest) and then the service in the middle (the
    web app in this case) can "transition" to Kerberos when it needs to
    delegate. In ADUC, you'll see this option as "trusted for delegation | with
    any protocol" and you have to specify which services to delegate to. If you
    don't have the delegation tab in ADUC that shows this, your forest is not
    2003 FFL and you can't use this feature.

    Look for the technet doc on troubleshooting Kerberos delegation. It is the
    bible on this.
    Joe Kaplan, Apr 20, 2009
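The two steps in the reply above, the audit-log check for Kerberos versus NTLM on the front end and the "trusted for delegation to specified services, use any authentication protocol" setting, as an added example (my code, not from the thread). It assumes Windows Server 2008 or later for the event ID 4624 logon event (Server 2003, which the thread is on, logs 540/528 and needs Get-EventLog instead), that "Audit Logon" is enabled on the web server, and that the ActiveDirectory PowerShell module is available for the second function. Server and DC names such as WEB01 and dc01.corp.example are placeholders.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2008+ for
# event 4624, logon auditing enabled, and the ActiveDirectory module.
# Host names and account names are placeholders.

function Get-IisLogonAuthSummary {
    # Count network logons (type 3, which is what IIS records for browser
    # authentication) by authentication package. Any NTLM rows mean plain
    # Kerberos delegation cannot work for those sessions.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['LogonType'] -eq '3') {
            [pscustomobject]@{
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                AuthPackage = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
                Source      = $d['IpAddress']
            }
        }
    }
    $rows | Group-Object AuthPackage | Select-Object Name, Count
}

function Enable-ConstrainedDelegationWithProtocolTransition {
    # The ADUC option "Trust this computer for delegation to specified services
    # only / Use any authentication protocol", expressed with the AD module.
    # The web server may then obtain LDAP tickets for the listed DCs on behalf
    # of a caller who authenticated with NTLM, Basic or Digest at the front end.
    param(
        [Parameter(Mandatory)][string]$WebServerName,          # computer account, e.g. WEB01
        [Parameter(Mandatory)][string[]]$DomainControllerFqdn  # e.g. dc01.corp.example
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $spns = @($DomainControllerFqdn | ForEach-Object { "ldap/$_" })
    # The allowed target services; this list bounds what the server can do.
    Set-ADComputer -Identity $WebServerName -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }
    # Protocol transition is the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl.
    Set-ADAccountControl -Identity "$WebServerName$" -TrustedToAuthForDelegation $true
    # Unconstrained delegation ("trusted for delegation to any service") is a
    # separate bit; clear it if it was set while troubleshooting.
    Set-ADAccountControl -Identity "$WebServerName$" -TrustedForDelegation $false
    Get-ADComputer -Identity $WebServerName -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
}

# Usage (first on the web server, second as a domain admin):
# Get-IisLogonAuthSummary -Since (Get-Date).AddMinutes(-30)
# Enable-ConstrainedDelegationWithProtocolTransition -WebServerName 'WEB01' -DomainControllerFqdn 'dc01.corp.example','dc02.corp.example'
```

If the summary shows only NTLM, check before touching delegation that an HTTP/<site host name> SPN is registered on the account the application pool runs as (`setspn -L <account>`); without it the browser cannot request a Kerberos ticket for the site, and nothing on the delegation tab will help. Protocol transition is convenient but worth understanding: once enabled, the web server can obtain a ticket to the listed services for any domain user without that user's credentials, so a compromise of the web server is a compromise of everything in msDS-AllowedToDelegateTo. Keep the list to the LDAP service on the DCs the app actually needs, and prefer plain constrained delegation (no protocol transition) if you can get Kerberos working on the front end.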
