• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4352
  • Last Modified:

Active Directory doesn't work with <identity impersonate="true"/> in web.config

I have a internal web app that I've developed on an XP Pro workstation and the app uses ActiveDirectory (AD) to grab the user's AD info like address, email, phone, etc... The app also allows these users to create an Excel file and email it as an attachment
to other selected users.

The app was developed in VB.NET/VS 2003 and so it's Framework 1.1.
The Internal Web server is Windows 2003 Server with sp1.
The settings for Directory Security for the web folder has "Anonymous Access" unchecked, "Digest authentication for Windows domain servers" is checked, "Basic authentication" is unchecked, "Integrated Windows authentication" is checked, and "Realm:" has our domain address in it (i.e. xxx.xyz.com).

The problem is this:
On my development workstation everything works fine.  The AD works and the Excel file creation and subsequent emailing of it works too.

But when I add the <identity impersonate="true"></identity> in the web.config of the Production Internal web server, the Excel file creation works but the email function fails since the AD code doesn't return the user's email address to plug in to the "FROM" field in the email.

Has anyone seen this AD problem when <identity impersonate="true"></identity> has been in the web.config file?

Thanks In Advance,
Steve.
0
ecircle99
Asked:
ecircle99
1 Solution
 
raterusCommented:
Uncheck Digest authentication, I don't believe you need it here.  Have you been entering in a username/password with this site before?  If you are using IE, ensure that "Enable Integrated Windows Authentication" is checked under "Internet Options"
0
 
ecircle99Author Commented:
I've already had "Enable Integrated Windows Authentication" checked.  Anyway, I got the AD to work by taking out the "identity" setting from the web.config file and instead programmatically set impersonation to true and false in the function that creates the Excel file and that allows the Active Directory code to work but now I'm getting an "Access Denied" error when the function that creates the Excel file and tries to write the file to a subfolder on the web server even though I've given Full Rights to Everyone for that folder.  This problem doesn't occur if I have the "identity" setting in the web.config file.  It looks like the user that is accessing the web page has be in the local admin group on the web box in order for this function to not error out.

Any other ideas?
0
 
jnhorstCommented:
What authentication method is specified in web.config.  Should be "Windows".

As for your permissions issue without the <identity impersonate="true" /> in web.config, here's one issue: On your dev workstation, which I am going to assume is either WinXP or Win2K, the local ASPNET account will be the security context in which your code will run (again, without the identity tag in web.config).  But on your prod server, since it is Win2003, the account would be NETWORK SERVICE.

This does not answer you problem  WITH the identity tag in web.config, though.

How are you getting the email address in codebehind from AD?

John
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
ecircle99Author Commented:
Yes, the authentication method is set to "windows" in the web.config.  So maybe I'm asking the wrong question at this point and should post a new one with a more appropriate title.

As for the AD codebehind:

Insert the following Imports statement in your codebehind page:
Imports System.DirectoryServices

Then create a Page_Load for that page like:
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strUserName As String

        Try
            strUserName = Request.ServerVariables("LOGON_USER")
            strUserName = Mid(strUserName, InStr(strUserName, "\") + 1)
            GetInfo(strUserName)
         Catch ex As Exception

        End Try
    End Sub

Then create a sub like:
    Public Sub GetInfo(ByVal loginName As String)
        Dim userName As String = loginName
        Dim search As DirectorySearcher = New DirectorySearcher

        Try
            search.Filter = String.Format("(SAMAccountName={0})", userName)
            search.PropertiesToLoad.Add("cn")
            search.PropertiesToLoad.Add("mail")
            search.PropertiesToLoad.Add("company")
            search.PropertiesToLoad.Add("description")
            search.PropertiesToLoad.Add("telephoneNumber")
            search.PropertiesToLoad.Add("facsimileTelephoneNumber")
            search.PropertiesToLoad.Add("streetAddress")
            search.PropertiesToLoad.Add("l")
            search.PropertiesToLoad.Add("st")
            search.PropertiesToLoad.Add("postalCode")

            Dim results As SearchResultCollection
            results = search.FindAll()
            Dim result As SearchResult

            For Each result In results
                Session("loguser") = result.Properties("cn")(0)
                Session("loguseremail") = result.Properties("mail")(0)
                Session("Company")= result.Properties("company")(0)
                Session("Title")= result.Properties("description")(0)
                Session("Phone")= result.Properties("telephoneNumber")(0)
                Session("Fax")= result.Properties("facsimileTelephoneNumber")(0)
                Session("Address1")= result.Properties("streetAddress")(0)
                Session("City")= result.Properties("l")(0)
                Session("State")= result.Properties("st")(0)
                Session("Zip")= result.Properties("postalCode")(0)
            Next

        Catch ex As Exception

        End Try

    End Sub
0
 
raterusCommented:
I'm surprised your DirectorySearcher is even returning something without being instantiated with a proper DirectoryEntry.

I always do something like this, (This is just an example, you'll have to figure out your own ldap:// connection string for your organization)

Dim de as DirectoryEntry = new DirectoryEntry("ldap://yourdomain.com/DC=yourdomain,DC=com")
Dim search As DirectorySearcher = New DirectorySearcher(de)
0
 
ecircle99Author Commented:
Yeah, I thought you had to include a valid DirectoryEntry too but found out that the DirectorySearcher doesn't need it if the code is on a box that's on the domain you want to search.  If you had an app that is spread across multiple domains then you would have to use a fully qualified LDAP path for the domain you're wanting to search.
0
 
ecircle99Author Commented:
Update:

I had my network admin create a new user account on our Internal web server and added the new account to the Local Admin group.  I then used that new user account's credentials during the Impersonation while the Excel file was being created and then removed the impersonation after the file was created and now everything works without errors and I don't have to add each individual user as a local admin on that box.

So, consider this problem closed.  Thanks to raterus and jnhorst for trying to help.
0
 
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now