
Authenticating ADAM user.


kuma...@gmail.com

Nov 4, 2005, 12:22:38 PM
Hi All,

I am trying to authenticate an ADAM user; please look at the code I am
using. When I do it over a secure channel on the network it gives an error.

Any ideas would be greatly appreciated.

using System.DirectoryServices;

int portNumber = 389;
string serverName = "10.144.153.27";
string partitionDir = "rootDSE";

// Bind as the ADAM user; RefreshCache forces the actual bind to happen.
DirectoryEntry verifiedUser = new DirectoryEntry(
    "LDAP://" + serverName + ":" + portNumber + "/" + partitionDir,
    "te...@test.com", "temp", AuthenticationTypes.Secure);

verifiedUser.RefreshCache();
Response.Write("signed in!");

error:

Runtime Error
Description: An application error occurred on the server. The current
custom error settings for this application prevent the details of the
application error from being viewed remotely (for security reasons). It
could, however, be viewed by browsers running on the local server
machine.

Details: To enable the details of this specific error message to be
viewable on remote machines, please create a <customErrors> tag within
a "web.config" configuration file located in the root directory of the
current web application. This <customErrors> tag should then have its
"mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a
custom error page by modifying the "defaultRedirect" attribute of the
application's <customErrors> configuration tag to point to a custom
error page URL.


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="RemoteOnly"
defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>

Thanks,
kdsv

Joe Kaplan (MVP - ADSI)

Nov 4, 2005, 12:32:27 PM
ADAM users must be authenticated with AuthenticationTypes.None (or
AuthenticationTypes.SecureSocketsLayer if you have SSL on ADAM).
Additionally, you must specify the username as either the full ADAM DN or
the UPN if you set the UPN of the ADAM user.

If you want to authenticate a Windows user (on the local machine or in a
domain that the machine trusts), then use AuthenticationTypes.Secure.

Joe K.

<kuma...@gmail.com> wrote in message
news:1131124958.4...@o13g2000cwo.googlegroups.com...

kuma...@gmail.com

Nov 4, 2005, 12:51:21 PM
I have tried with AuthenticationTypes.None and also with
AuthenticationTypes.SecureSocketsLayer, but still I am getting the same
error.
Do I have to put it in the GAC, or do I need to change anything in
web.config?

Thanks a lot,

kuma...@gmail.com

Nov 4, 2005, 2:35:04 PM
I have used UPN for ADAM User, but same error.

Any ideas?

Thanks,

Anthony Yott

Nov 4, 2005, 3:11:07 PM
I've got the following to work binding with an AD Principal

string user = "joe...@somedomain.com";
string pass = "password1";

DirectoryEntry dirEntry = new DirectoryEntry("LDAP://wasp:389/rootDSE", user,
    pass, AuthenticationTypes.Secure);
object o = dirEntry.NativeObject;

When using an ADAM Principal the following also works

string user = "cn=joeblow,ou=ADAM users,o=Microsoft,c=US";
string pass = "password1";

DirectoryEntry dirEntry = new DirectoryEntry("LDAP://wasp:389/rootDSE", user,
    pass, AuthenticationTypes.ServerBind);
object o = dirEntry.NativeObject;

--
Anthony Yott

kuma...@gmail.com

Nov 4, 2005, 3:32:32 PM
No luck, I get the same error message. Do I have to change anything in
the WEB.CONFIG file?

I am using exactly the same as you did above...

Any ideas?

Thanks

Joe Kaplan (MVP - ADSI)

Nov 4, 2005, 4:53:01 PM
I'd suggest getting this working outside of ASP.NET (console app or
something) to avoid any confusion there. You shouldn't need to change
anything in web.config or GAC to get this to work though.

The other thing I'd do is make sure you can successfully authenticate these
users in ADAM using ldp.exe and a simple bind before I'd try S.DS, as ldp
will give you more useful error messages.

Also, you need to make sure that the ADAM user's password is properly set
and the account is not disabled.

Joe K.

<kuma...@gmail.com> wrote in message
news:1131136352....@o13g2000cwo.googlegroups.com...
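The bind variants Joe describes (AuthenticationTypes.None for a plain simple bind, AuthenticationTypes.SecureSocketsLayer when ADAM has SSL, the user given as a full ADAM DN or as its UPN), packaged as the console test he suggests. This is an added example, not code from the thread; the server name, port, DN, UPN and the environment variable holding the test password are placeholders (assumptions), and the failing AuthenticationTypes.Secure case is included only to show what the original poster's symptom looks like when the COM error is surfaced.

```csharp
// Added example: console check of ADAM simple binds (not from the thread).
// Server, DN, UPN and ADAM_TEST_PASSWORD are placeholders / assumptions.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

class AdamBindCheck
{
    // Returns null on success, otherwise "0xHRESULT: message", which is far
    // more useful than ASP.NET's generic custom-error page.
    static string TryBind(string path, string user, string password, AuthenticationTypes auth)
    {
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, user, password, auth))
            {
                // The constructor is lazy; RefreshCache forces the actual bind.
                entry.RefreshCache();
                return null;
            }
        }
        catch (COMException ex)
        {
            return string.Format("0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
        }
    }

    static string Describe(string result)
    {
        return result == null ? "OK" : result;
    }

    static void Main()
    {
        const string server = "adam-host.example.com";                     // placeholder
        const string userDn = "CN=testuser,OU=ADAM users,O=Microsoft,C=US"; // placeholder DN
        const string userUpn = "testuser@example.com";                     // placeholder UPN
        string password = Environment.GetEnvironmentVariable("ADAM_TEST_PASSWORD");

        // 1. Simple bind over plain LDAP on the default port (389 is implied, so it
        //    is omitted). The password crosses the network in clear text here, so
        //    this belongs in a lab check, not in production.
        Console.WriteLine("None / DN   : " + Describe(TryBind("LDAP://" + server + "/rootDSE",
            userDn, password, AuthenticationTypes.None)));
        Console.WriteLine("None / UPN  : " + Describe(TryBind("LDAP://" + server + "/rootDSE",
            userUpn, password, AuthenticationTypes.None)));

        // 2. The same simple bind over SSL (ADAM listening on 636 with a certificate).
        Console.WriteLine("SSL  / DN   : " + Describe(TryBind("LDAP://" + server + ":636/rootDSE",
            userDn, password, AuthenticationTypes.SecureSocketsLayer)));

        // 3. AuthenticationTypes.Secure is for Windows accounts, so the ADAM user is
        //    expected to fail here; the printed HRESULT shows the real reason.
        Console.WriteLine("Secure / DN : " + Describe(TryBind("LDAP://" + server + "/rootDSE",
            userDn, password, AuthenticationTypes.Secure)));
    }
}
```

Run it on the same machine the web application runs on, as the account the application pool uses; if the console program binds and the page does not, the difference is the process identity or the ASP.NET error handling rather than ADAM itself.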

kuma...@gmail.com

Nov 4, 2005, 5:18:06 PM
Joe,

I have successfully tested from ldp.exe; it is working fine there. Then
I tested in ASP.NET locally, and there also it works without any
problems,
but when I use the same code on the production web server, it gives
an error. Is it something related to the network?

See the simple code below:
DirectoryEntry Ds;
Ds = new DirectoryEntry("LDAP://DSSS01:389/rootDSE", "principl...@ss.com", "tests",
    AuthenticationTypes.None);
Ds.RefreshCache();

Any ideas? I really appreciate your help on this

Thanks

Joe Kaplan (MVP - ADSI)

Nov 4, 2005, 9:36:13 PM
What error is it giving you from the production web server? Could it be a
DNS or network issue?

Note that you never have to put :389 in the path if you are using port 389.
That is the default.

Joe K.

<kuma...@gmail.com> wrote in message
news:1131142686....@f14g2000cwb.googlegroups.com...

Anthony Yott

Nov 4, 2005, 10:53:04 PM
This is a shot in the dark, but I had to add the user that I'm binding as to
the "Reader" role to get this to work. I'm not at my work computer right now,
so I can't give you exact instructions for doing so, but I'll try to check
this post on Monday to see if you're still stuck.
--
Anthony Yott

kuma...@gmail.com

Nov 7, 2005, 10:46:35 AM
Thanks for your ideas.

Can you tell me what access rights are needed for the user account
accessing the ADAM server from the production web server?

thanks,

kuma...@gmail.com

Nov 7, 2005, 11:03:22 AM
Joe:

Please see the following error message when I try on the production server.
It could be a network issue; I am trying to find this out from the network
folks.

Anthony Yott

Nov 7, 2005, 11:12:03 AM
I think any user reading the directory needs at least Read access. I had
created a new user and I was trying to bind as the new user and having issues
even though it worked fine with ldp.exe. I did a Google search and someone
mentioned adding the user that I'm trying to bind as to the Readers role.
Once I had done that everything worked fine.

To add a user to the Reader role do the following
1.) Open the ADAM adsiedit mmc
2.) Navigate to your partition (e.g., O=Microsoft, c=US)
3.) Go to the CN=Roles container
4.) In the "right pane" right click the 'CN=Readers' node
5.) Scroll down the attribute list and find the 'member' attribute
6.) Select the 'member' attribute and click the 'Edit' button
7.) Click the 'Add windows account...' or 'Add ADAM Account...' button. This
will depend on whether you are binding as an AD or an ADAM Principal. Just
choose the appropriate one.
8.) If you choose an ADAM account then put in the DN of the user (e.g.
CN=joeblow,OU=ADAM users,O=Microsoft,C=US)
9.) Click Ok
10.) Click OK

After this your AD or ADAM Principal should have read permissions to the
directory and your bind should work. If this fails (and this is another shot
in the dark), I'm wondering if you will need to add the identity (ASP.NET or
whatever identity your web site/service is running under) that the process is
running as to the Readers role.

--
Anthony Yott
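The same change Anthony's ADSI Edit steps make, done from code: the Readers role is an ordinary object at CN=Readers,CN=Roles under the application partition, and membership is its multi-valued 'member' attribute, so the program below appends the user's DN to that attribute, commits, and reads it back as a check. This is an added example, not code from the thread or from ADAM's own tooling; the server name, partition DN, user DN, administrator DN and the ADAM_ADMIN_PASSWORD variable are placeholders (assumptions). It binds over SSL as an ADAM administrator, and it only covers the ADAM-principal case (a Windows account would be added through its foreign security principal instead).

```csharp
// Added example: add an ADAM user DN to the CN=Readers role (not from the thread).
// Server, partition DN, user DN, admin DN and ADAM_ADMIN_PASSWORD are placeholders.
using System;
using System.DirectoryServices;

class AdamReadersRole
{
    static string RolePath(string server, string partitionDn)
    {
        return "LDAP://" + server + ":636/CN=Readers,CN=Roles," + partitionDn;
    }

    // True if userDn is already listed in the role's 'member' attribute.
    static bool IsMember(DirectoryEntry role, string userDn)
    {
        foreach (object m in role.Properties["member"])
        {
            if (string.Equals((string)m, userDn, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Adds userDn to the role unless it is already there.
    // Returns true when a change was written to the directory.
    static bool AddToReaders(DirectoryEntry role, string userDn)
    {
        if (IsMember(role, userDn))
            return false;
        role.Properties["member"].Add(userDn);
        role.CommitChanges();
        // Re-read 'member' from the server so the follow-up check reflects what was stored.
        role.RefreshCache(new string[] { "member" });
        return true;
    }

    static void Main()
    {
        const string server = "adam-host.example.com";                      // placeholder
        const string partitionDn = "O=Microsoft,C=US";                       // placeholder (as in the post)
        const string userDn = "CN=joeblow,OU=ADAM users,O=Microsoft,C=US";   // placeholder
        const string adminDn = "CN=adam-admin,OU=ADAM users,O=Microsoft,C=US"; // placeholder
        string adminPassword = Environment.GetEnvironmentVariable("ADAM_ADMIN_PASSWORD");

        using (DirectoryEntry role = new DirectoryEntry(RolePath(server, partitionDn),
                   adminDn, adminPassword, AuthenticationTypes.SecureSocketsLayer))
        {
            bool changed = AddToReaders(role, userDn);
            Console.WriteLine(changed ? "Added to Readers." : "Already a member of Readers.");
            Console.WriteLine("Member of Readers now: " + IsMember(role, userDn));
        }
    }
}
```

Readers grants read access to the whole partition, so add only the accounts that actually bind and search; if the web application's process identity also needs to read, it is the identity, not a shared administrator account, that belongs in the role.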

Joe Kaplan (MVP - ADSI)

Nov 7, 2005, 11:17:37 AM
Sorry, you need to get ASP.NET configured so you can get the full error
message and stack trace. Setting customErrors to "Off" should work, but I'm
not sure what to tell you if it doesn't. This isn't an ASP.NET newsgroup.

Like I said before, you might want to try getting this working in a console
application first.

Joe K.

<kuma...@gmail.com> wrote in message
news:1131378297.8...@o13g2000cwo.googlegroups.com...

kuma...@gmail.com

Nov 7, 2005, 5:31:45 PM
Guys,

I am able to authenticate now. Great relief, thanks to you all.
But when I try to set the password I am getting the following error.
Please look at the following code and error message. I was able to sign
in with no errors,
but the code below gets an error!! Any ideas?

// Option ids are int values of ADS_OPTION_ENUM / ADS_PASSWORD_ENCODE_ENUM.
const int ADS_OPTION_PASSWORD_PORTNUMBER = 6;
const int ADS_OPTION_PASSWORD_METHOD = 7;
const int ADS_PASSWORD_ENCODE_CLEAR = 1;
int intPort;
DirectoryEntry objUser;
string strPath;
string strPort;
// User DN.
// Construct the binding string.
strPort = "389";
strPath = "LDAP://10.444.222.22:" + strPort + "/CN=testuser,ou=ct,c=us,ou=people";

objUser = new DirectoryEntry(strPath, "admin_username",
    "admin_password", AuthenticationTypes.Secure);
objUser.RefreshCache();

Response.Write("Signed IN");

// Set port number, method, and password. These three calls are the ones that throw.
intPort = Int32.Parse(strPort);

objUser.Invoke("SetOption", new object[] {ADS_OPTION_PASSWORD_PORTNUMBER, intPort});
objUser.Invoke("SetOption", new object[] {ADS_OPTION_PASSWORD_METHOD, ADS_PASSWORD_ENCODE_CLEAR});
objUser.Invoke("SetPassword", new object[] {"ADAMcomplexpassword1$"});


Thanks,

Error Message:

Bad variable type.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: Bad
variable type.

Source Error:

An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of
the exception can be identified using the exception stack trace below.


Stack Trace:


[COMException (0x80020008): Bad variable type.]

[TargetInvocationException: Exception has been thrown by the target of
an invocation.]
System.RuntimeType.InvokeDispMethod(String name, BindingFlags
invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers,
Int32 culture, String[] namedParameters) +0
System.RuntimeType.InvokeMember(String name, BindingFlags
invokeAttr, Binder binder, Object target, Object[] args,
ParameterModifier[] modifiers, CultureInfo culture, String[]
namedParameters) +473
System.Type.InvokeMember(String name, BindingFlags invokeAttr,
Binder binder, Object target, Object[] args) +29
System.DirectoryServices.DirectoryEntry.Invoke(String methodName,
Object[] args) +106
phin.WebForm4.Page_Load(Object sender, EventArgs e) +238
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +731


Trace Message:
aspx.page Begin Init
aspx.page End Init 0.000626 0.000626
Unhandled Execution Error
Exception has been thrown by the target of an invocation.
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags
invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers,
Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags
invokeAttr, Binder binder, Object target, Object[] args,
ParameterModifier[] modifiers, CultureInfo culture, String[]
namedParameters)
at System.Type.InvokeMember(String name, BindingFlags invokeAttr,
Binder binder, Object target, Object[] args)
at System.DirectoryServices.DirectoryEntry.Invoke(String methodName,
Object[] args)
at phin.WebForm4.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain()

Joe Kaplan (MVP - ADSI)

Nov 7, 2005, 11:19:20 PM
What is the OS for the web server? If it is Windows 2000, you might have
some difficulty with this as the version of ADSI that supports changing the
password port number and such is a post SP4 hotfix.

XP SP2 and 2K3 SP1 both contain the fix and do not require a hotfix.

Joe K.

<kuma...@gmail.com> wrote in message
news:1131402705....@g47g2000cwa.googlegroups.com...

kuma...@gmail.com

Nov 8, 2005, 10:10:46 AM
The web server OS is W2K SP4. I am using the default port number;
does this matter? Also, is it because the administrator account on the ADAM
server does not have enough privileges to set/change passwords?

Thanks

Joe Kaplan (MVP - ADSI)

Nov 8, 2005, 10:39:06 AM
No, I think the problem is that when you are calling the IADsObjectOptions
methods to set the password port number and encoding type, the version of
ADSI on your server doesn't actually support those options as it is too new.

You need to get the latest hotfix for Windows 2000 ADSI or switch to one of
the newer OS versions that I mentioned such as 2K3 SP1.

You can verify this by trying the code out on XP SP2 and seeing if it works
(or at least gets further).

I believe this Kbase article will help you find the latest hotfix:
http://support.microsoft.com/?id=817583

Joe K.

<kuma...@gmail.com> wrote in message
news:1131462646.7...@g43g2000cwa.googlegroups.com...
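The IADsObjectOptions/SetPassword sequence from the post, with the two option ids typed as int (the values of ADS_OPTION_ENUM and ADS_PASSWORD_ENCODE_ENUM), with the SSL password encoding (ADS_PASSWORD_ENCODE_REQUIRE_SSL = 0) chosen by default and clear text only when the caller asks for it, and with the COM error caught so the HRESULT (0x80020008 in the posted trace) is visible instead of ASP.NET's generic page. This is an added example, not code from the thread; the server, DNs and the environment variables holding the credentials are placeholders (assumptions), and it does not change the platform requirement Joe describes: on a Windows 2000 web server without the ADSI hotfix these options are still unsupported.

```csharp
// Added example: set an ADAM user's password through IADsObjectOptions (not from the thread).
// Server, DNs, ADAM_ADMIN_PASSWORD and ADAM_NEW_PASSWORD are placeholders / assumptions.
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

class AdamSetPassword
{
    // ADS_OPTION_ENUM
    const int ADS_OPTION_PASSWORD_PORTNUMBER = 6;
    const int ADS_OPTION_PASSWORD_METHOD = 7;
    // ADS_PASSWORD_ENCODE_ENUM
    const int ADS_PASSWORD_ENCODE_REQUIRE_SSL = 0;
    const int ADS_PASSWORD_ENCODE_CLEAR = 1;

    static string Describe(COMException ex)
    {
        return string.Format("0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
    }

    // Sets the password on an already-bound user entry.
    // Returns null on success, otherwise the COM error as text.
    static string SetAdamPassword(DirectoryEntry user, int passwordPort, bool allowClearText, string newPassword)
    {
        int method = allowClearText ? ADS_PASSWORD_ENCODE_CLEAR : ADS_PASSWORD_ENCODE_REQUIRE_SSL;
        try
        {
            // Both option values are passed as int; an Int64 would be marshalled as a
            // VT_I8 VARIANT, which the older automation layers do not accept.
            user.Invoke("SetOption", new object[] { ADS_OPTION_PASSWORD_PORTNUMBER, passwordPort });
            user.Invoke("SetOption", new object[] { ADS_OPTION_PASSWORD_METHOD, method });
            user.Invoke("SetPassword", new object[] { newPassword });
            return null;
        }
        catch (TargetInvocationException ex)
        {
            // DirectoryEntry.Invoke may wrap the COM error, as in the posted stack trace.
            COMException inner = ex.InnerException as COMException;
            return inner != null ? Describe(inner) : ex.Message;
        }
        catch (COMException ex)
        {
            return Describe(ex);
        }
    }

    static void Main()
    {
        const string server = "adam-host.example.com";                    // placeholder
        const string userDn = "CN=testuser,OU=people,O=Microsoft,C=US";    // placeholder
        const string adminDn = "CN=adam-admin,OU=people,O=Microsoft,C=US"; // placeholder
        string adminPassword = Environment.GetEnvironmentVariable("ADAM_ADMIN_PASSWORD");
        string newPassword = Environment.GetEnvironmentVariable("ADAM_NEW_PASSWORD");

        using (DirectoryEntry user = new DirectoryEntry("LDAP://" + server + ":636/" + userDn,
                   adminDn, adminPassword, AuthenticationTypes.SecureSocketsLayer))
        {
            user.RefreshCache(); // proves the administrative bind before touching the password
            string err = SetAdamPassword(user, 636, false, newPassword);
            Console.WriteLine(err == null ? "Password set over SSL." : "SetPassword failed: " + err);
        }
    }
}
```

On .NET 2.0 and later the same two options are exposed without late binding as DirectoryEntry.Options.PasswordPort and DirectoryEntry.Options.PasswordEncoding; the Invoke form is shown because it is what the post uses.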

kuma...@gmail.com

Nov 8, 2005, 11:25:35 AM
I am going to try after a couple of weeks; by then we should be on 2K3.

I really appreciate all your help in this. Thanks a lot.

Regards,
