I am trying to write an ASP.NET (with CodeBehind in C#) application
that adds an Exchange Mailbox-enabled user in an Active Directory.
I set up all the configuration issues:
* Install Advanced Server Admin Tools.
* Install Exchange Management Tools in order to be able to work with
CDOEXM.
* Validate my installation by running a VB sample application AND a C#
console application that do the job (adding a new E-mailboxed user in
AD).
But, now I am jammed because the code DOESN'T work within the ASP.NET
application...
NOTE: The IIS box is different from the Domain Controller box and the
Exchange box.
I think I am facing kinda permissions issues because the ASPNET user
(which runs the ASPNET code within IIS) has not the requisite
credentials to run the critical CDOEXM COM code?
Depending on how I set up the permissions (within IIS, within
web.config with <identity impersonate> tag),
I get different errors when I call the CreateMailbox method in the
ASP.NET web app:
-System.InvalidArgument Exception
-"Catastrophic Failure" error (sic!)
The only way I managed to run the code is with:
-1- The web.config <identity> tag written as follows: <identity
impersonate="true" userName=<MyDomain\MyAccount> password=<mypassword>
where MyDomain\MyAccount is my current login. Besides, this account is
a member of the "Domain Admins" group in the domain.
-2- The following settings of the "Authentication Methods" windows
from the "Directory Security" of "MyWebApp" Properties within IIS
Management Console:
--> "Anonymous access" checked with "IUSR_MACHINE" in the
"edit..." box.
--> "Integrated Windows authentication" checked in the
"Authenticated access"
But it is not acceptable, as I have in my Web application an applicative
login: only the person who logged in as the Admin user of my application
(NOT the Domain Admin user) should be able to call the page that does
the "Mailbox enabled User" job...
So the question could be:
Where do I deal with this issue?
- In the "web.config" file of my WebApp with <impersonate="true"
etc...> ?
- In MyWebApp IIS properties?
- In the management of permissions for the different ASP*
users: (IUSR_MYMACHINE user, ASPNET user, SYSTEM user)
- Elsewhere? (the machine.config .NET file?)
Is it possible in ASP.NET to declare that ONE specific page must run
with specific permissions?
Sorry for being so verbose... I tried to be explicit.
Thanks for your help,
Num
This definitely seems like a rights issue. When ASPX pages run
normally, they run under the IUSR_MACHINE account, which is used for all
authorization.
This would explain why your code worked when defining the user
explicitly.
Take away the anonymous access, make the user log in, and it should work
fine (assuming the logged in user has rights to perform the action you are
attempting).
Hope this helps.
--
- Nicholas Paldino [.NET MVP]
- nicholas...@exisconsulting.com
"Num" <emmanue...@laposte.net> wrote in message
news:4ce8336d.01113...@posting.google.com...
> This would explain why your code worked when defining the user
> explicitly.
Yes, I agree.
> Take away the anonymous access, make the user log in,
It is not possible in my context!!!
I have an applicative logon where users are recorded in a SQL server
base. I check in this base to identify my users. I don't want to (and
I CAN'T) deal with Windows Users issues!!!
> and it should work fine (assuming the logged in user has rights to perform
> the action you are attempting).
Is it not possible to make the anonymous user that is mapped in IIS
("IUSR_MACHINE" or "ASPNET" or "NT AUTHORITY\SYSTEM") able to run this
code?
I tried changing the CDOEXM.dll properties, Security panel. I
added Everyone with Full Control. This should work but it doesn't!!
Why?
I am really puzzled.
Thanks for any help,
Num
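
Added example, not part of the thread and not code from any poster: one way to give ONE page specific permissions is to leave the application under its normal worker identity and impersonate a dedicated account in code only around the CreateMailbox call, after the application's own login check has passed. It assumes .NET Framework, a hypothetical service account (MYDOMAIN\svc-mailbox) delegated only the rights needed to create mailbox-enabled users rather than membership in "Domain Admins", and a hypothetical Session["IsAppAdmin"] flag set by the applicative login; on Windows 2000 the calling process additionally needs the "Act as part of the operating system" privilege for LogonUser to succeed.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: scopes impersonation to a single privileged operation.
public delegate void PrivilegedWork();

public static class ScopedImpersonation
{
    const int LOGON32_LOGON_INTERACTIVE = 2; // token can authenticate to other hosts
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as domain\user, then always reverts to the worker identity,
    // even if 'work' throws.
    public static void RunAs(string domain, string user, string password, PrivilegedWork work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext context = identity.Impersonate();
            try { work(); }
            finally { context.Undo(); } // drop the privileged identity immediately
        }
        finally
        {
            CloseHandle(token); // the token handle is ours to release
        }
    }
}

// In the code-behind of the mailbox page only (hypothetical names):
//   if (!(Session["IsAppAdmin"] is bool) || !(bool)Session["IsAppAdmin"])
//   { Response.StatusCode = 403; return; }   // applicative login gate comes first
//   ScopedImpersonation.RunAs("MYDOMAIN", "svc-mailbox", password,
//       delegate { /* the CDOEXM CreateMailbox code from the console app */ });
```

Every other page keeps running as the unprivileged worker account, and the service account's password should come from a protected store rather than a literal in the page.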