Solved

Active Directory doesn't work with <identity impersonate="true"/> in web.config

Posted on 2006-11-06
9
4,326 Views
Last Modified: 2008-03-04
I have a internal web app that I've developed on an XP Pro workstation and the app uses ActiveDirectory (AD) to grab the user's AD info like address, email, phone, etc... The app also allows these users to create an Excel file and email it as an attachment
to other selected users.

The app was developed in VB.NET/VS 2003 and so it's Framework 1.1.
The Internal Web server is Windows 2003 Server with sp1.
The settings for Directory Security for the web folder has "Anonymous Access" unchecked, "Digest authentication for Windows domain servers" is checked, "Basic authentication" is unchecked, "Integrated Windows authentication" is checked, and "Realm:" has our domain address in it (i.e. xxx.xyz.com).

The problem is this:
On my development workstation everything works fine.  The AD works and the Excel file creation and subsequent emailing of it works too.

But when I add the <identity impersonate="true"></identity> in the web.config of the Production Internal web server, the Excel file creation works but the email function fails since the AD code doesn't return the user's email address to plug in to the "FROM" field in the email.

Has anyone seen this AD problem when <identity impersonate="true"></identity> has been in the web.config file?

Thanks In Advance,
Steve.
0
Comment
Question by:ecircle99
9 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 17884684
Uncheck Digest authentication, I don't believe you need it here.  Have you been entering in a username/password with this site before?  If you are using IE, ensure that "Enable Integrated Windows Authentication" is checked under "Internet Options"
0
 

Author Comment

by:ecircle99
ID: 17886208
I've already had "Enable Integrated Windows Authentication" checked.  Anyway, I got the AD to work by taking out the "identity" setting from the web.config file and instead programmatically set impersonation to true and false in the function that creates the Excel file and that allows the Active Directory code to work but now I'm getting an "Access Denied" error when the function that creates the Excel file and tries to write the file to a subfolder on the web server even though I've given Full Rights to Everyone for that folder.  This problem doesn't occur if I have the "identity" setting in the web.config file.  It looks like the user that is accessing the web page has be in the local admin group on the web box in order for this function to not error out.

Any other ideas?
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 17886839
What authentication method is specified in web.config.  Should be "Windows".

As for your permissions issue without the <identity impersonate="true" /> in web.config, here's one issue: On your dev workstation, which I am going to assume is either WinXP or Win2K, the local ASPNET account will be the security context in which your code will run (again, without the identity tag in web.config).  But on your prod server, since it is Win2003, the account would be NETWORK SERVICE.

This does not answer you problem  WITH the identity tag in web.config, though.

How are you getting the email address in codebehind from AD?

John
0
 

Author Comment

by:ecircle99
ID: 17889491
Yes, the authentication method is set to "windows" in the web.config.  So maybe I'm asking the wrong question at this point and should post a new one with a more appropriate title.

As for the AD codebehind:

Insert the following Imports statement in your codebehind page:
Imports System.DirectoryServices

Then create a Page_Load for that page like:
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strUserName As String

        Try
            strUserName = Request.ServerVariables("LOGON_USER")
            strUserName = Mid(strUserName, InStr(strUserName, "\") + 1)
            GetInfo(strUserName)
         Catch ex As Exception

        End Try
    End Sub

Then create a sub like:
    Public Sub GetInfo(ByVal loginName As String)
        Dim userName As String = loginName
        Dim search As DirectorySearcher = New DirectorySearcher

        Try
            search.Filter = String.Format("(SAMAccountName={0})", userName)
            search.PropertiesToLoad.Add("cn")
            search.PropertiesToLoad.Add("mail")
            search.PropertiesToLoad.Add("company")
            search.PropertiesToLoad.Add("description")
            search.PropertiesToLoad.Add("telephoneNumber")
            search.PropertiesToLoad.Add("facsimileTelephoneNumber")
            search.PropertiesToLoad.Add("streetAddress")
            search.PropertiesToLoad.Add("l")
            search.PropertiesToLoad.Add("st")
            search.PropertiesToLoad.Add("postalCode")

            Dim results As SearchResultCollection
            results = search.FindAll()
            Dim result As SearchResult

            For Each result In results
                Session("loguser") = result.Properties("cn")(0)
                Session("loguseremail") = result.Properties("mail")(0)
                Session("Company")= result.Properties("company")(0)
                Session("Title")= result.Properties("description")(0)
                Session("Phone")= result.Properties("telephoneNumber")(0)
                Session("Fax")= result.Properties("facsimileTelephoneNumber")(0)
                Session("Address1")= result.Properties("streetAddress")(0)
                Session("City")= result.Properties("l")(0)
                Session("State")= result.Properties("st")(0)
                Session("Zip")= result.Properties("postalCode")(0)
            Next

        Catch ex As Exception

        End Try

    End Sub
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 33

Expert Comment

by:raterus
ID: 17889602
I'm surprised your DirectorySearcher is even returning something without being instantiated with a proper DirectoryEntry.

I always do something like this, (This is just an example, you'll have to figure out your own ldap:// connection string for your organization)

Dim de as DirectoryEntry = new DirectoryEntry("ldap://yourdomain.com/DC=yourdomain,DC=com")
Dim search As DirectorySearcher = New DirectorySearcher(de)
0
 

Author Comment

by:ecircle99
ID: 17891733
Yeah, I thought you had to include a valid DirectoryEntry too but found out that the DirectorySearcher doesn't need it if the code is on a box that's on the domain you want to search.  If you had an app that is spread across multiple domains then you would have to use a fully qualified LDAP path for the domain you're wanting to search.
0
 

Author Comment

by:ecircle99
ID: 17893114
Update:

I had my network admin create a new user account on our Internal web server and added the new account to the Local Admin group.  I then used that new user account's credentials during the Impersonation while the Excel file was being created and then removed the impersonation after the file was created and now everything works without errors and I don't have to add each individual user as a local admin on that box.

So, consider this problem closed.  Thanks to raterus and jnhorst for trying to help.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18171151
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now