Solved

Active Directory doesn't work with <identity impersonate="true"/> in web.config

Posted on 2006-11-06
Last Modified: 2008-03-04
I have an internal web app that I've developed on an XP Pro workstation. The app uses Active Directory (AD) to grab the user's AD info like address, email, phone, etc. The app also allows these users to create an Excel file and email it as an attachment to other selected users.

The app was developed in VB.NET/VS 2003 and so it's Framework 1.1.
The internal web server is Windows 2003 Server with SP1.
The Directory Security settings for the web folder are: "Anonymous Access" unchecked, "Digest authentication for Windows domain servers" checked, "Basic authentication" unchecked, "Integrated Windows authentication" checked, and "Realm:" has our domain address in it (i.e. xxx.xyz.com).

The problem is this:
On my development workstation everything works fine.  The AD works and the Excel file creation and subsequent emailing of it works too.

But when I add <identity impersonate="true"></identity> to the web.config on the production internal web server, the Excel file creation works but the email function fails, since the AD code doesn't return the user's email address to plug into the "FROM" field of the email.

Has anyone seen this AD problem when <identity impersonate="true"></identity> has been in the web.config file?

Thanks In Advance,
Steve.
Question by:ecircle99
9 Comments
 
Expert Comment

by:raterus
ID: 17884684
Uncheck Digest authentication; I don't believe you need it here. Have you been entering a username/password with this site before? If you are using IE, ensure that "Enable Integrated Windows Authentication" is checked under "Internet Options".
Author Comment

by:ecircle99
ID: 17886208
I've already had "Enable Integrated Windows Authentication" checked. Anyway, I got the AD to work by taking out the "identity" setting from the web.config file and instead programmatically setting impersonation to true and false in the function that creates the Excel file. That allows the Active Directory code to work, but now I'm getting an "Access Denied" error when the function that creates the Excel file tries to write the file to a subfolder on the web server, even though I've given Full Rights to Everyone for that folder. This problem doesn't occur if I have the "identity" setting in the web.config file. It looks like the user that is accessing the web page has to be in the local admin group on the web box in order for this function not to error out.

Any other ideas?
Expert Comment

by:jnhorst
ID: 17886839
What authentication method is specified in web.config? It should be "Windows".

As for your permissions issue without the <identity impersonate="true" /> in web.config, here's one issue: On your dev workstation, which I am going to assume is either WinXP or Win2K, the local ASPNET account will be the security context in which your code will run (again, without the identity tag in web.config).  But on your prod server, since it is Win2003, the account would be NETWORK SERVICE.

This does not answer your problem WITH the identity tag in web.config, though.

How are you getting the email address in codebehind from AD?

John
Author Comment

by:ecircle99
ID: 17889491
Yes, the authentication method is set to "windows" in the web.config.  So maybe I'm asking the wrong question at this point and should post a new one with a more appropriate title.

As for the AD codebehind:

Insert the following Imports statement in your codebehind page:
Imports System.DirectoryServices

Then create a Page_Load for that page like:
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strUserName As String = ""

        Try
            ' LOGON_USER is the IIS-authenticated DOMAIN\user; keep only the account name.
            strUserName = Request.ServerVariables("LOGON_USER")
            strUserName = Mid(strUserName, InStr(strUserName, "\") + 1)
            GetInfo(strUserName)
        Catch ex As Exception
            ' Record the failure (visible in trace.axd) instead of silently swallowing it;
            ' otherwise a failed bind or a missing attribute just looks like "AD returned nothing".
            Trace.Warn("AD", "Lookup for " & strUserName & " failed", ex)
        End Try
    End Sub

Then create a sub like:
    Public Sub GetInfo(ByVal loginName As String)
        ' Serverless binding: searches the domain this server is joined to, as the
        ' thread's current Windows identity (the request user when
        ' <identity impersonate="true"/> is set).
        Dim search As DirectorySearcher = New DirectorySearcher
        Dim results As SearchResultCollection = Nothing

        Try
            ' loginName is pasted into the filter, so only ever pass it the
            ' IIS-authenticated logon name (escape it if it comes from anywhere else).
            search.Filter = String.Format("(SAMAccountName={0})", loginName)
            search.PropertiesToLoad.Add("cn")
            search.PropertiesToLoad.Add("mail")
            search.PropertiesToLoad.Add("company")
            search.PropertiesToLoad.Add("description")
            search.PropertiesToLoad.Add("telephoneNumber")
            search.PropertiesToLoad.Add("facsimileTelephoneNumber")
            search.PropertiesToLoad.Add("streetAddress")
            search.PropertiesToLoad.Add("l")
            search.PropertiesToLoad.Add("st")
            search.PropertiesToLoad.Add("postalCode")

            results = search.FindAll()
            Dim result As SearchResult

            For Each result In results
                Session("loguser") = FirstValue(result, "cn")
                Session("loguseremail") = FirstValue(result, "mail")
                Session("Company") = FirstValue(result, "company")
                Session("Title") = FirstValue(result, "description")
                Session("Phone") = FirstValue(result, "telephoneNumber")
                Session("Fax") = FirstValue(result, "facsimileTelephoneNumber")
                Session("Address1") = FirstValue(result, "streetAddress")
                Session("City") = FirstValue(result, "l")
                Session("State") = FirstValue(result, "st")
                Session("Zip") = FirstValue(result, "postalCode")
            Next
        Finally
            ' Errors propagate to the caller; release the underlying ADSI objects either way.
            If Not results Is Nothing Then results.Dispose()
            search.Dispose()
        End Try
    End Sub

    ' First value of an attribute, or "" when AD did not return it. Indexing (0) on a
    ' missing attribute throws, and with an empty Catch that error was invisible.
    Private Function FirstValue(ByVal result As SearchResult, ByVal attr As String) As String
        If Not result.Properties.Contains(attr) Then Return ""
        Return CStr(result.Properties(attr)(0))
    End Function
Expert Comment

by:raterus
ID: 17889602
I'm surprised your DirectorySearcher is even returning something without being instantiated with a proper DirectoryEntry.

I always do something like this (this is just an example; you'll have to figure out your own LDAP:// connection string for your organization):

Dim de As DirectoryEntry = New DirectoryEntry("LDAP://yourdomain.com/DC=yourdomain,DC=com")   ' ADSI needs the "LDAP:" prefix in upper case
Dim search As DirectorySearcher = New DirectorySearcher(de)
Author Comment

by:ecircle99
ID: 17891733
Yeah, I thought you had to include a valid DirectoryEntry too but found out that the DirectorySearcher doesn't need it if the code is on a box that's on the domain you want to search.  If you had an app that is spread across multiple domains then you would have to use a fully qualified LDAP path for the domain you're wanting to search.
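Both the serverless DirectorySearcher in the code above and raterus's explicit DirectoryEntry bind with whatever Windows token the calling thread holds. With <identity impersonate="true"/> that is the browser user's token from Integrated Windows authentication, and an NTLM token (what you get unless Kerberos and delegation are configured) cannot be used for a second network hop, so the bind from the web server to the domain controller fails under impersonation. The following is an added example, not code from any of the posts above: it runs the lookup under the worker-process identity by impersonating a zero token (NETWORK SERVICE on Windows Server 2003, which reaches the DC as the machine account), restores the request user's token in Finally, roots the search explicitly via RootDSE, and escapes the account name before it is placed in the filter. The class and method names, and the choice to return only the mail attribute, are my own.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text

' Added example (not the poster's code): look up one user's mail attribute while the
' request is impersonated, by running the query under the worker-process identity.
Public Class AdLookup

    ' Escapes a value for use inside an LDAP search filter (RFC 4515), so that a name
    ' such as "a)(mail=*" cannot change the meaning of the filter.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length + 8)
        Dim c As Char
        For Each c In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Binds to the root of the domain this server is joined to (read from RootDSE)
    ' with the thread's current Windows credentials, signed and sealed on the wire.
    Private Shared Function OpenDomainRoot() As DirectoryEntry
        Dim rootDse As New DirectoryEntry("LDAP://RootDSE")
        Dim namingContext As String = CStr(rootDse.Properties("defaultNamingContext").Value)
        rootDse.Dispose()
        Return New DirectoryEntry("LDAP://" & namingContext, Nothing, Nothing, _
                                  AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
    End Function

    ' Returns the mail attribute for samAccountName, or Nothing when the account
    ' does not exist or has no mail attribute.
    Public Shared Function GetMail(ByVal samAccountName As String) As String
        Dim revert As WindowsImpersonationContext = Nothing
        Dim root As DirectoryEntry = Nothing
        Dim search As DirectorySearcher = Nothing
        Try
            ' Impersonating a zero token reverts this thread to the process identity
            ' (NETWORK SERVICE on Windows Server 2003, which reaches the DC as the
            ' machine account) instead of the request user's NTLM token.
            revert = WindowsIdentity.Impersonate(IntPtr.Zero)

            root = OpenDomainRoot()
            search = New DirectorySearcher(root)
            search.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
                            EscapeFilterValue(samAccountName) & "))"
            search.PropertiesToLoad.Add("mail")

            Dim result As SearchResult = search.FindOne()
            If result Is Nothing Then Return Nothing
            If Not result.Properties.Contains("mail") Then Return Nothing
            Return CStr(result.Properties("mail")(0))
        Finally
            If Not search Is Nothing Then search.Dispose()
            If Not root Is Nothing Then root.Dispose()
            ' Always put the request user's token back, even when the query threw.
            If Not revert Is Nothing Then revert.Undo()
        End Try
    End Function
End Class
```

Call AdLookup.GetMail(strUserName) from GetInfo in place of the bare search; the rest of the request keeps running as the impersonated user. If the application must query AD as the user rather than as the server, the alternative is Kerberos with the web server account trusted for delegation, which is a domain-side change rather than a code change.
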
Author Comment

by:ecircle99
ID: 17893114
Update:

I had my network admin create a new user account on our Internal web server and added the new account to the Local Admin group.  I then used that new user account's credentials during the Impersonation while the Excel file was being created and then removed the impersonation after the file was created and now everything works without errors and I don't have to add each individual user as a local admin on that box.

So, consider this problem closed.  Thanks to raterus and jnhorst for trying to help.
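The update above impersonates a dedicated account only while the Excel file is written and drops it afterwards. The following is an added example of that pattern, not the poster's code: LogonUser obtains a token for the account, the thread impersonates it for the duration of one FileStream write, and the Finally block reverts to the request user's identity and closes the token handle, so an exception during the write cannot leave the thread running as the service account. Domain, account, password, output folder and file name are parameters the caller supplies; the credentials are assumed to come from protected configuration rather than source code, and the file name is checked to be a bare name so the privileged write cannot be aimed outside the output folder. The account needs only Modify on that folder, plus the "Allow log on locally" user right on the web server because LOGON32_LOGON_INTERACTIVE is used; it does not need local Administrators membership for this write.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example (not the poster's code): write one file as a dedicated account,
' then guarantee the thread reverts to the request user's identity.
Public Class ScopedWriter

    ' Win32 LogonUser/CloseHandle. VB Declare statements capture the last Win32 error.
    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean

    Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Boolean

    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Writes data to outputDir\fileName as domain\user. The account needs only Modify
    ' on outputDir. Credentials are assumed to come from protected configuration.
    Public Shared Sub WriteAs(ByVal domain As String, ByVal user As String, ByVal password As String, _
                              ByVal outputDir As String, ByVal fileName As String, ByVal data As Byte())

        ' Refuse anything that is not a bare file name before any privilege is used,
        ' so the caller cannot aim the write outside outputDir.
        If fileName.Length = 0 OrElse fileName <> Path.GetFileName(fileName) _
           OrElse fileName = "." OrElse fileName = ".." Then
            Throw New ArgumentException("fileName must be a bare file name", "fileName")
        End If
        Dim fullPath As String = Path.Combine(outputDir, fileName)

        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        Dim ctx As WindowsImpersonationContext = Nothing
        Try
            Dim identity As New WindowsIdentity(token)
            ctx = identity.Impersonate()

            ' CreateNew: never overwrite an existing file through the privileged account.
            Dim fs As New FileStream(fullPath, FileMode.CreateNew, FileAccess.Write, FileShare.None)
            Try
                fs.Write(data, 0, data.Length)
            Finally
                fs.Close()
            End Try
        Finally
            ' Revert first, then release the token. An exception in the write must not
            ' leave the request thread running as the service account.
            If Not ctx Is Nothing Then ctx.Undo()
            CloseHandle(token)
        End Try
    End Sub
End Class
```

Because the impersonation is confined to WriteAs, the Active Directory lookup earlier in the request and everything after the write still run as the request user, which is the split the update describes.
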
Accepted Solution

by: Computer101
ID: 18171151
PAQed with points refunded (500)

Computer101
EE Admin