Ureader.com  
Microsoft software help and Community
date: 19 Apr 2005 05:59:40 -0700,    group: microsoft.public.platformsdk.adsi


"COMException (0x80004005): Unspecified error" when creating a user in AD via Web Service   
I want to add a new user account to the Active Directory. The C#-Code:

DirectoryEntry userList, newUser;
userList = new DirectoryEntry("LDAP://myServer/CN=Users,DC=myDomain,DC=de");
newUser = userList.Children.Add("CN=TestUser", "user");
newUser.CommitChanges();

This works fine when I do it in a Windows Application but if I
encapsulate the same code in a Web Service the Add-Method fails and I
get the following Exception:

System.Runtime.InteropServices.COMException (0x80004005): Unspecified error
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Add(String name, String schemaClassName)

I'm using Windows Server 2003 with IIS 6.0. The application pool for
the Web Service uses an account with administrative privileges as
identity. This configuration seems to be ok. I tested it with a Web
Service in the same application pool which writes successfully
something into the registry (to HKEY_LOCAL_MACHINE which should be
only possible with administrative privileges).

I tried to use credentials:

userList = new DirectoryEntry("LDAP://myServer/CN=Users,DC=myDomain,DC=de",
"adminUsername", "adminPassword");

but the same exception occurs.
I also tried other things but nothing works:
- added <trust level="Full".../> to the web.config
- in the .NET Configuration I assigned FullTrust to the
LocalIntranet_Zone
- with the .NET Wizard I trusted the Web Service-Assembly

Can anybody point me to the right direction?

Frank Wehner
date: 19 Apr 2005 05:59:40 -0700   author:   (Frank Wehner)

Re: "COMException (0x80004005): Unspecified error" when creating a user in AD via Web Service   
>I want to add a new user account to the Active Directory. The C#-Code:
>This works fine when I do it in a Windows Application 
>encapsulate the same code in a Web Service the Add-Method fails and I
>get the following Exception:

I would think it's a security issue - when you're running it locally
on Windows directly, it's being executed under your own account, which
most likely has enough privileges to create the user.

When you do it through the web service, you run it as the "anonymous"
ASP.NET user which by default most likely won't have the permissions
to do this.

So when you bind to AD, you will need to supply credentials (username
and password) that are sufficiently privileged to be able to create
users. You can do this in the "new DirectoryEntry()" constructor -
check its overloads.

HTH
Marc
date: Tue, 19 Apr 2005 18:16:57 +0200   author:   Marc Scheuner [MVP ADSI]
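
Added example, not part of the original posts: one way to see which Windows identity the web service code really runs under, and to force the bind with explicit credentials so that a bind failure (the Bind() frames in the trace above) is kept apart from a failure in Add or CommitChanges. AdBindCheck, CreateUser and its parameters are hypothetical names; the LDAP path is the one from the question.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class AdBindCheck
{
    // Path from the question. The bind account is passed in by the caller
    // (assumption: read from protected configuration, not hard-coded).
    const string UsersPath = "LDAP://myServer/CN=Users,DC=myDomain,DC=de";

    public static string CreateUser(string cn, string bindUser, string bindPassword)
    {
        // Reject characters that have a meaning inside a distinguished name,
        // so caller input cannot change the RDN that gets created.
        if (cn.IndexOfAny(new char[] { ',', '+', '"', '\\', '<', '>', ';', '=', '#' }) >= 0)
            throw new ArgumentException("cn contains DN special characters");

        // The identity the code executes as: the application pool account,
        // or the calling user when ASP.NET impersonation is enabled.
        string runningAs = WindowsIdentity.GetCurrent().Name;
        try
        {
            using (DirectoryEntry users = new DirectoryEntry(
                UsersPath, bindUser, bindPassword, AuthenticationTypes.Secure))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces the
                // bind here, before Children.Add is ever reached.
                object bound = users.NativeObject;

                using (DirectoryEntry newUser = users.Children.Add("CN=" + cn, "user"))
                {
                    newUser.Properties["sAMAccountName"].Value = cn;
                    newUser.CommitChanges();
                }
            }
            return "created CN=" + cn + " (running as " + runningAs + ")";
        }
        catch (COMException ex)
        {
            // ErrorCode is the HRESULT, e.g. 80004005 for the error in the trace.
            // The password is deliberately left out of the message.
            return String.Format("failed, running as {0}, bind user {1}: 0x{2:X8} {3}",
                runningAs, bindUser, ex.ErrorCode, ex.Message);
        }
    }
}
```

The returned string can be written to the application log; comparing the "running as" value between the Windows application and the web service shows whether the two really execute under the same account.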

Re: "COMException (0x80004005): Unspecified error" when creating a user in AD via Web Service   
Hello Marc,

> I would think it's a security issue - when you're running it locally
> on Windows directly, it's being executed under your own account, which
> most likely has enough privileges to create the user.
> 
> When you do it through the web service, you run it as the "anonymous"
> ASP.NET user which by default most likely won't have the permissions
> to do this.

I changed the identity of the Web Service Application Pool in IIS to a
user with administrative privileges. By the way this is exactly the
same user account who executed the local Windows application
successfully.
 
> So when you bind to AD, you will need to supply credentials (username
> and password) that are sufficiently privileged to be able to create
> users. You can do this in the "new DirectoryEntry()" constructor -
> check its overloads.

I already tried this:

userList = new DirectoryEntry("LDAP://myServer/CN=Users,DC=myDomain,DC=de",
"adminUsername", "adminPassword");

as well as:

userList = new DirectoryEntry("LDAP://myServer/CN=Users,DC=myDomain,DC=de",
"adminUsername", "adminPassword", AuthenticationTypes.Secure);

Still no success. For "adminUsername" I tried:

adminUsername
domain\adminUsername
adminUsername@domain.de

in all cases (with and without passing credentials to the
DirectoryEntry() constructor) I receive the same exception.

In IIS manager anonymous access is disabled and "Integrated Windows
authentication", "Digest authentication" and "Basic authentication"
are enabled.

Any other ideas?

Regards

Frank Wehner
date: 20 Apr 2005 00:46:21 -0700   author:   (Frank Wehner)

Re: "COMException (0x80004005): Unspecified error" when creating a user in AD via Web Service   
Hi Frank,

>In IIS manager anonymous access is disabled and "Integrated Windows
>authentication", "Digest authentication" and "Basic authentication"
>are enabled.
>Any other ideas?

No, not really - I'm not doing any web dev myself, and don't know IIS
and ASP.NET too well. But the absolute cracks in this regard are Joe
Kaplan or Carlos Magalhaes - post your question into 

microsoft.public.adsi.general

and I'm sure they'll get back to you immediately with a useful answer.

Marc
date: Wed, 20 Apr 2005 15:20:29 +0200   author:   Marc Scheuner [MVP ADSI]
