
Active Directory Security & ASP.NET (VB.NET)


techfuzz

Aug 27, 2002, 3:06:34 PM8/27/02
I am about at my wits end trying to figure out how to get ASP.NET to
work with Active Directory and user security groups! Please help!

I have a development server Win2k Svr SP2 hosting an ASP.NET page with
Integrated Windows Authentication turned on. I want to get the
LOGON_USER from the page and determine from the Active Directory
(located on a domain controller separate from the IIS machine) which
domain security groups that user belongs to. I just want to print a
list of the groups out to the user in plain text on the ASP.NET page,
nothing special! BTW, sample code in VB is appreciated but I guess
I'll take C# if that's all you've got.

I keep running up against the ADSVALUE not implemented error, DS
datatype errors, and everything else under the sun!

Does ANYONE have WORKING code they can post to me and everyone else
out here that shows us how exactly to do this???

Thanks,
Chris R.

William Oldenburg

Aug 27, 2002, 3:40:25 PM8/27/02
I haven't tested this myself yet but this should be
something you're looking for. I am doing something similar
to return all usernames in the domain. This was taken from
here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadsuser.asp

' VB6 / VBScript-style ADSI sample; needs a reference to the Active DS type library.
Dim usr As IADsUser
Dim grp As IADsGroup
On Error GoTo Cleanup
' Bind to the user object through the WinNT provider.
Set usr = GetObject("WinNT://Fabrikam/JeffSmith,user")
' Groups returns the collection of groups the user is a direct member of.
For Each grp In usr.Groups
    Debug.Print grp.Name & " (" & grp.Class & ")"
Next

Cleanup:
If Err.Number <> 0 Then
    MsgBox "An error has occurred. " & Err.Number
End If
Set usr = Nothing


Willy Denoyette [MVP]

Aug 27, 2002, 3:57:36 PM8/27/02
Post your failing code, we will try to help you out.

Willy.

"techfuzz" <crue...@heery.com> wrote in message news:639a482f.02082...@posting.google.com...

techfuzz

Aug 28, 2002, 8:47:14 AM8/28/02
The error message is:
System.NotImplementedException: Handling of this ADSVALUE type is not
yet implemented (type = 0xb).

Over 75% of the properties that are output to the page end up with
this error. I'm using Try/Catch/End Try to force everything to
display regardless of errors, I hope to remove that in the final code
if it ever gets to that point.

The line in the code giving this error is marked below.

Here's my code:
' Imports System.DirectoryServices is assumed at the top of this code-behind file.
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    'Put user code to initialize the page here
    Dim sUserID As String = "sUsername"

    Dim objDirEnt As DirectoryEntry = New DirectoryEntry( _
        "LDAP://server/DC=domain,DC=net", "username", "password", _
        AuthenticationTypes.ServerBind)
    Dim objDirSrch As DirectorySearcher = New DirectorySearcher(objDirEnt)
    Dim objDirSrchRes As SearchResult

    'objDirSrch.PropertiesToLoad.Add("memberOf")
    ' No space after "=": a leading space would be sent as part of the value to match.
    objDirSrch.Filter = "(&(objectClass=user)(sAMAccountName=" & sUserID & "))"
    objDirSrchRes = objDirSrch.FindOne()
    If objDirSrchRes Is Nothing Then
        Response.Write("No user found for " & sUserID)
        Return
    End If

    Response.Write("Path = " & objDirSrchRes.Path)
    Response.Write("")
    Response.Write("Properties:")

    Dim tab As String = " "
    Dim Key As String
    Dim objValue As Object
    Try
        For Each Key In objDirSrchRes.Properties.PropertyNames
            Response.Write(tab & Key & " = ")
            Response.Write("")
            Try
                For Each objValue In objDirSrchRes.Properties(Key)

                    '''Code fails on next line with error message

                    Response.Write(tab & tab & objValue.ToString())
                    Response.Write("<br>")
                Next objValue
            Catch
                ' swallowed so the remaining attributes still display
            End Try
        Next
    Catch
    End Try
End Sub

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<eA8aMPgTCHA.1804@tkmsftngp13>...

Willy Denoyette [MVP]

Aug 28, 2002, 12:01:48 PM8/28/02

"techfuzz" <crue...@heery.com> wrote in message news:639a482f.02082...@posting.google.com...
> The error message is:
> System.NotImplementedException: Handling of this ADSVALUE type is not
> yet implemented (type = 0xb).
>

This works for me.
What happens if you run this simple console program?


Imports System.DirectoryServices
Imports System

Module Module1

    Sub Main()
        Try
            Dim de As DirectoryEntry = _
                New DirectoryEntry("LDAP://server/DC=domain,DC=net")
            Dim mySearcher As DirectorySearcher = New DirectorySearcher(de)
            mySearcher.Filter = "(&(objectClass=user)(samAccountName=administrator))"

            Dim myResult As SearchResult
            myResult = mySearcher.FindOne()

            Dim tab As String = " "
            Dim Key As String
            Dim objValue As Object
            Try
                For Each Key In myResult.Properties.PropertyNames
                    Console.WriteLine(tab & Key & " = ")
                    Try
                        For Each objValue In myResult.Properties(Key)
                            Console.Write(tab & tab & objValue.ToString())
                            Console.WriteLine("<br>")
                        Next objValue
                    Catch
                    End Try
                Next
            Catch
            End Try

        Catch ex As Exception
            Console.WriteLine(ex.Message)
        End Try
    End Sub

End Module

'vbc /r:system.directoryservices.dll,System.dll getprop.vb
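Here is the lookup the original question asked for, the direct groups of the authenticated LOGON_USER, as an added example; it is not code from any post in this thread. It builds on Willy's console program in two ways: it binds with explicit credentials read from configuration rather than with the worker-process identity, and it asks the server for memberOf only (the line techfuzz had commented out), so ADSI never has to marshal attribute types it cannot convert. The appSettings key names (LdapPath, LdapBindUser, LdapBindPassword) and the page class name are assumptions. The filter value is escaped per RFC 4515 so a name taken from a request header cannot reshape the filter.

```vbnet
' Added example, not code from any post in this thread. Assumes IIS with
' Integrated Windows Authentication and anonymous access disabled, and that
' Web.config carries three appSettings keys (LdapPath, LdapBindUser,
' LdapBindPassword); the key names are placeholders chosen here.
Imports System
Imports System.Collections
Imports System.Configuration
Imports System.DirectoryServices
Imports System.Text
Imports System.Web.UI

Public Class GroupListPage
    Inherits Page

    ' Escape the characters RFC 4515 reserves inside an LDAP filter value, so
    ' a name that came from outside cannot change the shape of the filter.
    Public Shared Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        Dim c As Char
        For Each c In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case Convert.ToChar(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' LOGON_USER arrives as DOMAIN\user; sAMAccountName is the part after the backslash.
    Public Shared Function SamAccountNameFromLogonUser(ByVal logonUser As String) As String
        Dim idx As Integer = logonUser.LastIndexOf("\"c)
        If idx >= 0 Then
            Return logonUser.Substring(idx + 1)
        End If
        Return logonUser
    End Function

    ' Ask the server for memberOf only. Every other attribute stays unmarshalled,
    ' so ADSI never meets a value type it cannot convert (the 0xb failure above).
    Public Shared Function GetDirectGroupDns(ByVal root As DirectoryEntry, ByVal sam As String) As String()
        Dim searcher As New DirectorySearcher(root)
        searcher.Filter = "(&(objectClass=user)(sAMAccountName=" & EscapeLdapFilterValue(sam) & "))"
        searcher.PropertiesToLoad.Add("memberOf")
        Dim result As SearchResult = searcher.FindOne()
        If result Is Nothing Then
            Return New String() {}
        End If
        Dim dns As New ArrayList()
        Dim dn As Object
        For Each dn In result.Properties("memberOf")
            dns.Add(CStr(dn))
        Next
        Return CType(dns.ToArray(GetType(String)), String())
    End Function

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        Dim logonUser As String = Request.ServerVariables("LOGON_USER")
        If logonUser Is Nothing OrElse logonUser.Length = 0 Then
            Response.Write("Not authenticated: LOGON_USER is empty.")
            Return
        End If

        ' Bind with a dedicated read-only service account from configuration,
        ' not with the ASPNET process identity, which is a local account the
        ' domain controller cannot authenticate. Secure = Kerberos/NTLM bind.
        Dim root As New DirectoryEntry( _
            ConfigurationSettings.AppSettings("LdapPath"), _
            ConfigurationSettings.AppSettings("LdapBindUser"), _
            ConfigurationSettings.AppSettings("LdapBindPassword"), _
            AuthenticationTypes.Secure)
        Try
            Response.Write("Groups for " & Server.HtmlEncode(logonUser) & ":<br>")
            Dim groupDn As String
            For Each groupDn In GetDirectGroupDns(root, SamAccountNameFromLogonUser(logonUser))
                Response.Write(Server.HtmlEncode(groupDn) & "<br>")
            Next
        Finally
            root.Dispose()
        End Try
    End Sub
End Class
```

memberOf lists direct memberships only: the user's primary group (usually Domain Users) and groups reached through nesting do not appear. When the full set matters, read the constructed tokenGroups attribute from a DirectoryEntry bound to the user object itself (RefreshCache with "tokenGroups"), which returns group SIDs rather than DNs.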


techfuzz

Aug 29, 2002, 9:09:15 AM8/29/02
It runs perfectly as a console program on my computer; it displays all
the attributes and their corresponding values without a hitch. Ported
to an aspx web page and run on my development test server it bombs on
75% of the attributes with that error message.

My feeling is that Microsoft decided to release their framework
without finishing it. Sad but true.

Chris R.

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<uQaq8wqTCHA.2024@tkmsftngp08>...

Willy Denoyette [MVP]

Aug 29, 2002, 9:47:43 AM8/29/02
The exact same code I posted as a console program, except that I'm binding using explicit credentials, works from asp.net for me.
I'm quite certain your problem is security context related.
You also seem to forget that the DirectoryServices are nothing but a thin wrapper around the COM ADSI provider; the "Handling of this
ADSVALUE type is not yet implemented (type = 0xb)" error comes from the provider, not from the framework classes.

Willy.

techfuzz

Aug 29, 2002, 10:16:17 AM8/29/02
I think I figured out my problem and the problems of many others out
there. On one network where I was developing the domain controller
was in mixed mode. On another network, where my production server
exists, the domain controller is in native mode. I believe that for
whatever reason, mixed mode does not behave as one would expect. I
find this rather strange because both domain controllers are Win 2K
but the same code runs differently on different domains.

I hope this helps anyone else who might run across this problem/bug in
the future!

Chris R.

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<uQaq8wqTCHA.2024@tkmsftngp08>...

Willy Denoyette [MVP]

Aug 29, 2002, 12:46:48 PM8/29/02
Hmm... How does this explain that the console version works as expected?

Willy.

techfuzz

Aug 30, 2002, 3:47:35 PM8/30/02
I didn't try running your code, I ran my code. My code, run as a
console application ran 100% with no problems. The same code, run in
an ASPX web page wouldn't run properly. Go figure!? Running the code
in a native mode domain worked 100% for both the console and the web
page. There is something screwy about .NET and Active Directory in
mixed mode domains. I think (please don't hold me to this) that
because a mixed mode domain must support NT4 and less, the Active
Directory entries and/or the LDAP wrapper behaves differently than
when in native mode. That's just my opinion of my observations.

Chris R

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<#Ual5t3TCHA.1664@tkmsftngp13>...

Willy Denoyette [MVP]

Aug 30, 2002, 4:36:12 PM8/30/02
But this doesn't answer the question "why it would work from a console application"; you are still connecting to the LDAP server,
aren't you?
Trust me, this has nothing to do with mixed domains. Take a look at the security context you are running in: do you have a domain
logon session when you run the console program?
What credentials did you specify when binding?
Did you bind using a host name or a NetBIOS name?

Willy.


"techfuzz" <crue...@heery.com> wrote in message news:639a482f.02083...@posting.google.com...

techfuzz

Sep 4, 2002, 9:47:27 AM9/4/02
I used my own credentials in both situations when binding so that
shouldn't make a difference since I am a domain admin in both domains
where this was tested. As part of testing I also used an account with
"guest" access to the domain and it still worked as a console
application but not as an ASPX web page. I bound to the LDAP server
using the host name: "LDAP://SERVER/DC=domain,DC=com". Any other
ideas?

I have it working in the native domain but the same code still won't
work in the mixed domain. I am a domain admin in both domains and
have the same permissions.

Chris R.

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<#281eWGUCHA.3556@tkmsftngp08>...

Willy Denoyette [MVP]

Sep 4, 2002, 3:43:16 PM9/4/02
Sure you are binding using a domain admin account, but this account is only used to authenticate against the AD LDAP server; the
security context of asp.net and your console application is totally different.
Unless you run the aspnet_wp.exe worker process as something other than "aspnet", or are impersonating an account with
elevated privileges, you can have problems accessing some local resources.

For instance, one of the possible reasons for "the ADSVALUE not yet implemented error" is that ADSI is not able to cache the schema
information to the local computer, because it has no access to HKLM\Software\Microsoft\ADs\Providers\LDAP\<DN of schema container>, or
it cannot write to %windir%\SchCache\<ldapservername>.sch, where it stores the RootDSE subschema information.

Other reasons for this message are:
1. ADSI cannot process the schema info.
2. The server doesn't expose the correct properties.

But as you see, both 1 and 2 should give problems when running from the console.

Note that you aren't binding when you create an instance of the DirectoryEntry class; you are only binding when calling some methods
on the object returned, f.i. when enumerating properties.

Willy.

"techfuzz" <crue...@heery.com> wrote in message news:639a482f.02090...@posting.google.com...
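One way to check the three things Willy lists from the page itself (the security context the request actually runs in, the ADSI provider key, and the SchCache directory), as an added example not taken from the thread. It assumes the Windows 2000 / IIS 5 setup under discussion; the class name and the probe file name are made up here, and the registry key it opens is the provider key under which the per-schema-container subkeys Willy mentions are created.

```vbnet
' Added example, not code from any post in this thread. Assumes Windows 2000
' with IIS 5 and the .NET Framework; the probe file name is made up here.
Imports System
Imports System.IO
Imports System.Security
Imports System.Security.Principal
Imports System.Web.UI
Imports Microsoft.Win32

Public Class AdsiContextCheckPage
    Inherits Page

    ' Whether the calling context can write the ADSI LDAP provider key, under
    ' which the schema-container subkeys are created.
    Public Shared Function CheckSchemaRegistryKey() As String
        Const keyPath As String = "SOFTWARE\Microsoft\ADs\Providers\LDAP"
        Try
            Dim key As RegistryKey = Registry.LocalMachine.OpenSubKey(keyPath, True)
            If key Is Nothing Then
                Return "registry HKLM\" & keyPath & ": not present"
            End If
            key.Close()
            Return "registry HKLM\" & keyPath & ": writable"
        Catch ex As SecurityException
            Return "registry HKLM\" & keyPath & ": NOT writable (" & ex.Message & ")"
        Catch ex As UnauthorizedAccessException
            Return "registry HKLM\" & keyPath & ": NOT writable (" & ex.Message & ")"
        End Try
    End Function

    ' Whether the calling context can create a file in %windir%\SchCache,
    ' where ADSI caches the subschema it reads from the server.
    Public Shared Function CheckSchemaCacheDir() As String
        Dim dir As String = Path.Combine(Environment.GetEnvironmentVariable("windir"), "SchCache")
        If Not Directory.Exists(dir) Then
            Return "schcache " & dir & ": not present"
        End If
        ' Constructed probe name; created and removed again in the same request.
        Dim probe As String = Path.Combine(dir, "aspnet-probe-" & Guid.NewGuid().ToString("N") & ".tmp")
        Try
            File.Create(probe).Close()
            File.Delete(probe)
            Return "schcache " & dir & ": writable"
        Catch ex As UnauthorizedAccessException
            Return "schcache " & dir & ": NOT writable (" & ex.Message & ")"
        Catch ex As IOException
            Return "schcache " & dir & ": probe failed (" & ex.Message & ")"
        End Try
    End Function

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        Response.ContentType = "text/plain"
        ' The process identity is what ADSI uses for local resources; the request
        ' identity is who IIS authenticated. They match only when impersonation is on.
        Response.Write("process identity: " & WindowsIdentity.GetCurrent().Name & Environment.NewLine)
        Response.Write("request identity: " & User.Identity.Name & Environment.NewLine)
        Response.Write("LOGON_USER:       " & Request.ServerVariables("LOGON_USER") & Environment.NewLine)
        Response.Write(CheckSchemaRegistryKey() & Environment.NewLine)
        Response.Write(CheckSchemaCacheDir() & Environment.NewLine)
    End Sub
End Class
```

Drop it on the server next to the failing page and request it once as the same user. If the process identity shows the local ASPNET account while the request identity shows the domain user, the page runs without impersonation, and it is the ASPNET account, not the domain admin logon used for binding, that needs access to the two locations. Because the output names the worker-process account, it belongs in a troubleshooting deployment, not in production.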

techfuzz

Sep 10, 2002, 4:51:48 PM9/10/02
Someone pointed me to the following KBase article:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q317012&

There is a line towards the bottom that is quite interesting that
reads:
"On Windows 2000 without service pack 3 (SP3) or later, or on Windows
XP without service pack 1 (SP1) or later, ASP.NET Web applications
that run under the ASPNET account may not work, and you may receive an
"Access Denied (0x80041003)" error message."

So I installed SP3 on the Win2K server where my web app wasn't working
and without changing any code it works perfectly fine now.

So you were right that it was a security issue, but that
still does not fully explain why it works on our Win2K (SP2) server in
our production environment where the only difference is native vs.
mixed mode.

Chris R.


"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message news:<egvfWtEVCHA.3740@tkmsftngp08>...
