Re: Invoke(SetPassword) in Active Directory, Works, Then Access is
- From: ptstesting <ptstesting@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 31 Mar 2006 06:45:02 -0800
Joe,
Thanks for your help.
The server OS is Windows Server 2003, with .NET 2.0 installed. I'm not
sure which version of AD, but Microsoft Management Console is 2.0 Version 5.2
and ADSI Edit 5.2.
This is how I make the call:

    using System;
    using System.DirectoryServices;

    // Binds to the directory root with explicit credentials and secure authentication.
    internal static DirectoryEntry GetDirectoryObject(string UserName, string Password)
    {
        DirectoryEntry oDE;
        oDE = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure);
        return oDE;
    }

    // Searches the subtree for a user by CN and returns an entry bound to it, or null.
    public static DirectoryEntry GetUser(string UserName)
    {
        // Bind with the same service credentials used for the result entry below.
        DirectoryEntry de = Utility.GetDirectoryObject(Utility.ADUser, Utility.ADPassword);
        DirectorySearcher deSearch = new DirectorySearcher();
        deSearch.SearchRoot = de;
        // UserName goes into the filter unescaped; escape * ( ) \ and NUL (RFC 4515)
        // if the value can come from user input.
        deSearch.Filter = "(&(objectClass=user)(CN=" + UserName + "))";
        deSearch.SearchScope = SearchScope.Subtree;
        SearchResult results = deSearch.FindOne();
        if (results != null)
        {
            de = new DirectoryEntry(results.Path, Utility.ADUser,
                Utility.ADPassword, AuthenticationTypes.Secure);
            return de;
        }
        else
        {
            return null;
        }
    }

    //
    // Actual call to set the password, which runs fine 10 minutes then begins failing.
    //
    try
    {
        string Password = "password";
        DirectoryEntry oDE = GetUser("Doe, John");
        oDE.Invoke("SetPassword", new object[] {Password});
    }
    catch (Exception excep)
    {
        //
        // "Access is Denied" error may occur here after 10 mins.
        // Run the invoke from a console app, launched via Process.Start() instead.
        //
    }

I believe I have found a work-around though. I created a command-line
console app, which uses impersonation as an admin user, and has a
SetPassword() function with the same code as above. The web app tries to use
the Invoke(SetPassword) first, but if that fails, it does a Process.Start()
to let the console app do the Invoke command. This seems to be reliable and
(so far) is working after the 10 minute failing from the web app's invoke.
Maybe some weird permissions bug?
ptstesting
"Joe Kaplan (MVP - ADSI)" wrote:
This depends on how the password modification is being done. SetPassword
tries 3 different approaches and they all have different failure modes.
The most reliable method involves using LDAP password modifications, but
that requires that your DCs have SSL certs so that you can connect to LDAP
using SSL. This is not done in AD by default, though. You would need to
get your domain admins to configure it.
The other two methods, Kerberos set password and NetUserSetInfo, may not be
as reliable. It is hard to tell which one is being used without sniffing
the network traffic.
What is the OS the ASP.NET runs on (with SP)? That determines the version
of ADSI that .NET uses. Also, what version of AD are you using (2003 or
2000)?
Joe K.
"ptstesting" <ptstesting@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F407D2D0-620E-4377-BAC9-1EC3D548CCA4@xxxxxxxxxxxxxxxx
My setup:
Using ASP.NET web app, have permissions set up properly, using impersonation
as admin account before modifying active directory entry. I have the latest
.NET 2.0 and service packs installed.
The problem:
I can call Active Directory's
myDE.Invoke("SetPassword", new object[] {Password});
successfully a few times, but after about 10 minutes, if I try the call
again, I receive "Access is Denied". I have to re-upload my web application
files to restart the web application for it to resume working correctly.
Why would this work several calls in a row, and then begin failing after 10
minutes?
I read this post from a Microsoft techie:
http://www.gotdotnet.com/Community/MessageBoard/Thread.aspx?id=157773
It mentions something about a bug in .NET where the server stub runs down
after several successful calls? Something about a Microsoft fix is available,
but no download link?
Does anyone know more about this issue?
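
Joe's reply names LDAP password modification over SSL as the most reliable of the three approaches SetPassword tries. As an added example (not code from either poster), this is that modification issued directly with System.DirectoryServices.Protocols rather than through SetPassword; the host name, service account, passwords and user DN are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

static class LdapsPasswordReset
{
    // AD accepts unicodePwd only as the password in double quotes, UTF-16LE encoded.
    static byte[] EncodeUnicodePwd(string password)
    {
        return Encoding.Unicode.GetBytes("\"" + password + "\"");
    }

    static void ResetPassword(string dcHost, NetworkCredential admin,
                              string userDn, string newPassword)
    {
        // Port 636 is LDAP over SSL; the DC needs a server certificate the client trusts.
        LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(dcHost, 636);
        using (LdapConnection conn = new LdapConnection(id, admin, AuthType.Negotiate))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;
            conn.Bind();

            // Replace is an administrative reset; it needs Reset Password rights on the user.
            DirectoryAttributeModification mod = new DirectoryAttributeModification();
            mod.Name = "unicodePwd";
            mod.Operation = DirectoryAttributeOperation.Replace;
            mod.Add(EncodeUnicodePwd(newPassword));
            try
            {
                conn.SendRequest(new ModifyRequest(userDn, mod));
            }
            catch (DirectoryOperationException ex)
            {
                // Report the server's LDAP result code rather than a generic failure.
                throw new InvalidOperationException(
                    "unicodePwd modify failed: " + ex.Response.ResultCode, ex);
            }
        }
    }

    static void Main()
    {
        // Placeholder host, account and DN (assumptions, not from the thread).
        NetworkCredential admin = new NetworkCredential("svc-pwreset", "<admin password>", "EXAMPLE");
        ResetPassword("dc01.example.com", admin,
            "CN=Doe\\, John,OU=Staff,DC=example,DC=com", "<new password>");
    }
}
```

If the DC has no certificate, the connection fails at Bind() rather than at the modify, which separates the SSL prerequisite from a permissions problem on the user object.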