Solved

Active Directory doesn't work with <identity impersonate="true"/> in web.config

Posted on 2006-11-06
9
4,331 Views
Last Modified: 2008-03-04
I have a internal web app that I've developed on an XP Pro workstation and the app uses ActiveDirectory (AD) to grab the user's AD info like address, email, phone, etc... The app also allows these users to create an Excel file and email it as an attachment
to other selected users.

The app was developed in VB.NET/VS 2003 and so it's Framework 1.1.
The Internal Web server is Windows 2003 Server with sp1.
The settings for Directory Security for the web folder has "Anonymous Access" unchecked, "Digest authentication for Windows domain servers" is checked, "Basic authentication" is unchecked, "Integrated Windows authentication" is checked, and "Realm:" has our domain address in it (i.e. xxx.xyz.com).

The problem is this:
On my development workstation everything works fine.  The AD works and the Excel file creation and subsequent emailing of it works too.

But when I add the <identity impersonate="true"></identity> in the web.config of the Production Internal web server, the Excel file creation works but the email function fails since the AD code doesn't return the user's email address to plug in to the "FROM" field in the email.

Has anyone seen this AD problem when <identity impersonate="true"></identity> has been in the web.config file?

Thanks In Advance,
Steve.
0
Comment
Question by:ecircle99
9 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 17884684
Uncheck Digest authentication, I don't believe you need it here.  Have you been entering in a username/password with this site before?  If you are using IE, ensure that "Enable Integrated Windows Authentication" is checked under "Internet Options"
0
 

Author Comment

by:ecircle99
ID: 17886208
I've already had "Enable Integrated Windows Authentication" checked.  Anyway, I got the AD to work by taking out the "identity" setting from the web.config file and instead programmatically set impersonation to true and false in the function that creates the Excel file and that allows the Active Directory code to work but now I'm getting an "Access Denied" error when the function that creates the Excel file and tries to write the file to a subfolder on the web server even though I've given Full Rights to Everyone for that folder.  This problem doesn't occur if I have the "identity" setting in the web.config file.  It looks like the user that is accessing the web page has be in the local admin group on the web box in order for this function to not error out.

Any other ideas?
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 17886839
What authentication method is specified in web.config.  Should be "Windows".

As for your permissions issue without the <identity impersonate="true" /> in web.config, here's one issue: On your dev workstation, which I am going to assume is either WinXP or Win2K, the local ASPNET account will be the security context in which your code will run (again, without the identity tag in web.config).  But on your prod server, since it is Win2003, the account would be NETWORK SERVICE.

This does not answer you problem  WITH the identity tag in web.config, though.

How are you getting the email address in codebehind from AD?

John
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 

Author Comment

by:ecircle99
ID: 17889491
Yes, the authentication method is set to "windows" in the web.config.  So maybe I'm asking the wrong question at this point and should post a new one with a more appropriate title.

As for the AD codebehind:

Insert the following Imports statement in your codebehind page:
Imports System.DirectoryServices

Then create a Page_Load for that page like:
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strUserName As String

        Try
            strUserName = Request.ServerVariables("LOGON_USER")
            strUserName = Mid(strUserName, InStr(strUserName, "\") + 1)
            GetInfo(strUserName)
         Catch ex As Exception

        End Try
    End Sub

Then create a sub like:
    Public Sub GetInfo(ByVal loginName As String)
        Dim userName As String = loginName
        Dim search As DirectorySearcher = New DirectorySearcher

        Try
            search.Filter = String.Format("(SAMAccountName={0})", userName)
            search.PropertiesToLoad.Add("cn")
            search.PropertiesToLoad.Add("mail")
            search.PropertiesToLoad.Add("company")
            search.PropertiesToLoad.Add("description")
            search.PropertiesToLoad.Add("telephoneNumber")
            search.PropertiesToLoad.Add("facsimileTelephoneNumber")
            search.PropertiesToLoad.Add("streetAddress")
            search.PropertiesToLoad.Add("l")
            search.PropertiesToLoad.Add("st")
            search.PropertiesToLoad.Add("postalCode")

            Dim results As SearchResultCollection
            results = search.FindAll()
            Dim result As SearchResult

            For Each result In results
                Session("loguser") = result.Properties("cn")(0)
                Session("loguseremail") = result.Properties("mail")(0)
                Session("Company")= result.Properties("company")(0)
                Session("Title")= result.Properties("description")(0)
                Session("Phone")= result.Properties("telephoneNumber")(0)
                Session("Fax")= result.Properties("facsimileTelephoneNumber")(0)
                Session("Address1")= result.Properties("streetAddress")(0)
                Session("City")= result.Properties("l")(0)
                Session("State")= result.Properties("st")(0)
                Session("Zip")= result.Properties("postalCode")(0)
            Next

        Catch ex As Exception

        End Try

    End Sub
0
 
LVL 33

Expert Comment

by:raterus
ID: 17889602
I'm surprised your DirectorySearcher is even returning something without being instantiated with a proper DirectoryEntry.

I always do something like this, (This is just an example, you'll have to figure out your own ldap:// connection string for your organization)

Dim de as DirectoryEntry = new DirectoryEntry("ldap://yourdomain.com/DC=yourdomain,DC=com")
Dim search As DirectorySearcher = New DirectorySearcher(de)
0
 

Author Comment

by:ecircle99
ID: 17891733
Yeah, I thought you had to include a valid DirectoryEntry too but found out that the DirectorySearcher doesn't need it if the code is on a box that's on the domain you want to search.  If you had an app that is spread across multiple domains then you would have to use a fully qualified LDAP path for the domain you're wanting to search.
0
 

Author Comment

by:ecircle99
ID: 17893114
Update:

I had my network admin create a new user account on our Internal web server and added the new account to the Local Admin group.  I then used that new user account's credentials during the Impersonation while the Excel file was being created and then removed the impersonation after the file was created and now everything works without errors and I don't have to add each individual user as a local admin on that box.

So, consider this problem closed.  Thanks to raterus and jnhorst for trying to help.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18171151
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In .NET 2.0, Microsoft introduced the Web Site.  This was the default way to create a web Project in Visual Studio 2005.  In Visual Studio 2008, the Web Application has been restored as the default web Project in Visual Studio/.NET 3.x The Web Si…
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now