Impersonation, DirectoryServices


  1. #1

    Re: Impersonation, DirectoryServices

    Do you get an UnauthorizedAccessException from the InnerException from the
    TargetInvocationException that gets thrown or something else?

    SetPassword can be very tricky to get working unfortunately as it fails for
    many different reasons. Hopefully we can solve this.

    Joe K.

    "idstam" <idstam@discussions.microsoft.com> wrote in message
    news:48393E8E-5559-4F80-AD94-27C9CFF60780@microsoft.com...
    > Hi
    >
    > I'm trying to set the password for a user in AD, but I get Access Denied.
    >
    > I don't use the logged on users credentials when I add the user to AD,
    > instead I supply username and password when I get the initial
    > DirectoryEntry.
    >
    > I am NOT a user in the domain.
    >
    > When I run the code from a console-app, or an asp.net-app without
    > impersonation it works. Even if I impersonate myself in asp.net it fails.
    >
    > Does anyone have a clue?
    >
    > /johan/
    >
    >
    > Here's the code:
    >
    > private DirectoryEntry getRoot()
    > {
    > DirectoryEntry root = null;
    > try
    > {
    > AuthenticationTypes authType =
    > AuthenticationTypes.Secure|AuthenticationTypes.Sealing;
    > //AuthenticationTypes.ServerBind;
    > root = new DirectoryEntry(_url + "/" + _root,_adAdmin,_password,
    > authType);
    > return root;
    > }
    > catch
    > {
    > }
    > finally
    > {
    >
    > }
    > return root;
    > }
    >
    >
    > public bool addUser(string upn)
    > {
    >
    >
    > bool ret = true;
    >
    > DirectoryEntry användare = null;
    >
    > string clientName = "Acme";
    > string clientRoot = "OU=" + clientName + ",OU=Clients";
    > string cn = upn;
    > string användarRoot = "CN=" + cn;
    > string initialPassword = "AQaq12#¤";
    >
    > DirectoryEntry root = getRoot();
    >
    > DirectoryEntry client = null;
    > DirectoryEntry domainUsers = null;
    > DirectoryEntry applicationUsers = null;
    >
    > try
    > {
    >
    > client = root.Children.Find(clientRoot);
    >
    > användare = client.Children.Add("CN=" + cn, "user");
    > användare.Properties["sAMAccountName"].Value = createSamAccountName(upn);
    > användare.Properties["userPrincipalName"].Value = upn;
    > användare.CommitChanges();
    >
    > användare.Properties["userAccountControl"].Value = 0x200;
    > användare.Invoke("SetPassword", new object[]{initialPassword}); //***** THIS IS WHERE IT FAILS *****//
    > användare.CommitChanges();
    >
    >
    >
    > }
    > catch(Exception ex)
    > {
    > Debug.WriteLine(ex);
    >
    >
    > throw;
    > }
    > finally
    > {
    > if(användare != null) användare.Dispose();
    > if(client != null) client.Dispose();
    > if(domainUsers != null) domainUsers.Dispose();
    > if(applicationUsers != null) applicationUsers.Dispose();
    >
    > root.Dispose();
    > }
    > return ret;
    > }
    >
    > private string createSamAccountName(string upn)
    > {
    > string ret = upn.Replace("@", "").Replace(".","").Replace("-",
    > "").Replace("_","");
    > if(ret.Length > 19)
    > {
    > return ret.Substring(0,19);
    > }
    > else
    > {
    > return ret;
    > }
    >
    > }
    >

    Joe Kaplan (MVP - ADSI) Guest

  3. #2

    Re: Impersonation, DirectoryServices

    If you are supplying user name and pwd, then ADSI shouldn't be using
    anything from the impersonated security context UNLESS you aren't supplying
    a server name in your binding string. I have no idea why that would matter
    in this case, but you might try adding an explicit server to your LDAP path
    in your DirectoryEntry constructor and see if that fixes it.

    Joe K.

    "idstam" <idstam@discussions.microsoft.com> wrote in message
    news:3A924F5F-4A41-48B8-BF6C-61DF846E3A65@microsoft.com...
    > Thanks for the response, if someone's gonna solve it I guess it'll be you :)
    >
    > That's exactly the exception I get.
    >
    > Since it works when I run the code in a console app or in asp.net without
    > impersonation I thought there might be a local security setting on some
    > file containing the underlying COM-object.
    >
    > I want to emphasize that I'm not trying to impersonate the user that has
    > write permissions in AD. I'm supplying the username and password in all 3
    > cases.
    >
    > I forgot to mention that the computer I run the code on is a Win XP that
    > is not part of a domain and AD is on a Win 2003 where it is the primary
    > domain controller.
    >
    >
    > best regards
    >
    > /johan/

    Joe Kaplan (MVP - ADSI) Guest

  4. #3

    Re: Impersonation, DirectoryServices

    My initial DirectoryEntry is fetched like this:

    My binding string looks like this:
    "LDAP://server.department.company.se/DC=department,DC=company,DC=se"

    I guess that means that I've supplied the server name.

    I can't figure out why the impersonate setting in my web.config should
    affect this.

    /johan/

    "Joe Kaplan (MVP - ADSI)" wrote:
    > If you are supplying user name and pwd, then ADSI shouldn't be using
    > anything from the impersonated security context UNLESS you aren't supplying
    > a server name in your binding string. I have no idea why that would matter
    > in this case, but you might try adding an explicit server to your LDAP path
    > in your DirectoryEntry constructor and see if that fixes it.
    >
    > Joe K.
    >
    idstam Guest

  5. #4

    Re: Impersonation, DirectoryServices

    Yeah, I'm not sure either unless the variable you have set for the password
    is a null string or null reference.

    Sorry I'm not too helpful,

    Joe K.

    "idstam" <idstam@discussions.microsoft.com> wrote in message
    news:A9C4FFF7-DC2B-4170-AD53-11A94E748A65@microsoft.com...
    > My initial DirectoryEntry is fetched like this:
    >
    > My binding string looks like this:
    > "LDAP://server.department.company.se/DC=department,DC=company,DC=se"
    >
    > I guess that means that I've supplied the server name.
    >
    > I can't figure out why the impersonate setting in my web.config should
    > affect this.
    >
    > /johan/
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> If you are supplying user name and pwd, then ADSI shouldn't be using
    >> anything from the impersonated security context UNLESS you aren't
    >> supplying a server name in your binding string. I have no idea why that
    >> would matter in this case, but you might try adding an explicit server to
    >> your LDAP path in your DirectoryEntry constructor and see if that fixes it.
    >>
    >> Joe K.
    >>
    >

    Joe Kaplan (MVP - ADSI) Guest
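
The checks raised in replies #1, #2 and #4 (inner exception of the TargetInvocationException, explicit server in the binding string, non-empty credentials), as an added example that is not part of the original thread or either poster's code. The class and method names are hypothetical, and the path check assumes the DN contains no '/' characters.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Security.Principal;

// Added illustration; class and method names are hypothetical.
static class SetPasswordDiagnostics
{
    // Returns null when the bind inputs are fully explicit; otherwise the reason
    // (per replies #2 and #4) the bind might not use the supplied credentials.
    public static string CheckBindInputs(string ldapPath, string user, string password)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return "user name or password is null or empty";
        const string prefix = "LDAP://";
        if (ldapPath == null || !ldapPath.StartsWith(prefix, StringComparison.Ordinal))
            return "path does not start with LDAP://";
        string rest = ldapPath.Substring(prefix.Length);
        int slash = rest.IndexOf('/');
        string host = slash < 0 ? rest : rest.Substring(0, slash);
        // A first segment containing '=' is a DN (serverless bind), not a server name.
        if (host.Length == 0 || host.Contains("="))
            return "no explicit server in the binding string";
        return null;
    }

    // Invoke() wraps the ADSI failure in TargetInvocationException; surface the
    // inner exception and the identity the thread runs as. Never log the password.
    public static void SetPassword(DirectoryEntry user, string newPassword)
    {
        try { user.Invoke("SetPassword", new object[] { newPassword }); }
        catch (TargetInvocationException ex)
        {
            Exception inner = ex.InnerException ?? ex;
            string who = WindowsIdentity.GetCurrent().Name;
            throw new InvalidOperationException(string.Format(
                "SetPassword failed, thread identity '{0}': {1}: {2}",
                who, inner.GetType().Name, inner.Message), inner);
        }
    }

    static void Main()
    {
        // Binding string from post #3, then a constructed serverless variant.
        Console.WriteLine(CheckBindInputs(
            "LDAP://server.department.company.se/DC=department,DC=company,DC=se", "admin", "x") ?? "ok");
        Console.WriteLine(CheckBindInputs("LDAP://DC=department,DC=company,DC=se", "admin", "x"));
    }
}
```

Under ASP.NET impersonation the thread identity in the failure message is the impersonated account, so the message shows which security context the thread had when SetPassword failed.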
