Re: Active Directory calls failing in production....
From: Imran Masud (imranish_at_hotmail.com)
Date: 08/16/04
- Next message: Andrew Clancy: "Re: restated: VS Develper (non Admin) missing IIS MMC Management"
- Previous message: Rob Teixeira [MVP]: "Re: How does LogonUser API work to prevent impersonating users?"
- In reply to: Ollie: "Active Directory calls failing in production...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 16 Aug 2004 06:48:44 -0700
Hi Ollie,
The problem that you are having is called the Double Hop Problem, I think.
1. Make sure the machine on which you deploy the webservice is also on
the same domain.
2. Go to the Users and Computer MMC, go to the Computer Container,
select that webservice computer and enable the delegate option.
3. If you are hosting the main webapplication on the domain controller
make sure the delegate option is also set for the domain controller
computer.
4. Make sure you restart the computers after setting that option.
5. Whenever you use the delegation in web.config and you are connecting to
AD through DirectoryServices using integrated login then you have to
set the delegate option.
Read this article; I hope it should solve the problem.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Cheers
and best of luck
Imran
"Ollie" <why do they need this!!!!> wrote in message news:<OXJ00NvgEHA.1764@TK2MSFTNGP10.phx.gbl>...
> I know this has been asked before, I have read the answers given and I am
> unable to get this to work ( I don't know that much about AD configuration)
>
> I have an asp.net web service that is designed to authenticate and maintain
> accounts in active directory. It all works fine when the web service is on
> the same machine as the domain controller but when the web service is on a
> remote machine it fails on any active directory calls.
>
> I have configured the ProcessModel in the machine.config to run under the
> 'SYSTEM' account and have set the identity element in the web.config of the
> web service to be:
> <identity impersonate="true" userName="DOMAIN\ollie" password="password" />
>
> this account is a domain administrator account so it will have the
> privileges required. I have NOT disabled anonymous access for the website.
> ( I tried this but it still fails)
>
> The LDAP string for connection to the directory service is
> LDAP://FB2/DC=DOMAIN,DC=COM
>
> The error that it is returning is "The directory property cannot be found in
> the cache" with error code 0x8000500D. I guess that it is able to find the
> AD but unable to access the information because of a security restriction
> as I said it all works perfectly fine when the web service is on the same
> machine as the domain controller, or it could be that the information I am
> looking for in the AD is not published for remote access.
>
> Does anyone know what bit of configuration information I am missing to get
> the damn thing working......
>
> Cheers in Advance
>
> Ollie
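
One way to confirm that the "delegate option" from steps 2 and 3 of the reply has actually been applied is to read the account's `userAccountControl` attribute and decode its delegation bits. This is an added example, not part of the original thread; the host names `WEB01` and `DC01`, the account `svc-web`, and the sample values are constructed, and the function names are hypothetical.

```powershell
# userAccountControl bits relevant to delegation (documented Active Directory values).
$UacFlags = [ordered]@{
    WORKSTATION_TRUST_ACCOUNT      = 0x1000     # member server or workstation account
    SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller account
    TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this computer for delegation"
    NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed
}

function Get-DelegationState {
    # Decode a raw userAccountControl value into the delegation-related flags.
    param([string]$Name, [int]$UserAccountControl)
    $set = @($UacFlags.Keys | Where-Object { $UserAccountControl -band $UacFlags[$_] })
    [pscustomobject]@{
        Name                  = $Name
        Flags                 = $set -join ', '
        CanDelegate           = $set -contains 'TRUSTED_FOR_DELEGATION'
        BlockedFromDelegation = $set -contains 'NOT_DELEGATED'
    }
}

function Get-ComputerUac {
    # Live lookup against the current domain; needs a domain-joined session.
    # $ComputerName is assumed to be a trusted, plain host name.
    param([string]$ComputerName)
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $result = $searcher.FindOne()
    if ($result) { [int]$result.Properties['useraccountcontrol'][0] }
}

# Constructed sample values so the decoding can be tried offline.
$samples = @(
    @{ Name = 'WEB01 (before step 2)'; Uac = 0x1000 }    # no delegation flag
    @{ Name = 'WEB01 (after step 2)';  Uac = 0x81000 }   # delegation enabled
    @{ Name = 'DC01';                  Uac = 0x82000 }   # DC trusted for delegation
    @{ Name = 'svc-web (user)';        Uac = 0x100200 }  # normal account marked sensitive
)
$samples | ForEach-Object { Get-DelegationState -Name $_.Name -UserAccountControl $_.Uac } |
    Format-Table -AutoSize

# On a domain-joined machine, replace the samples with a live value, for example:
#   Get-DelegationState -Name 'WEB01' -UserAccountControl (Get-ComputerUac 'WEB01')
```

A server whose row shows `CanDelegate = False` will still fail the second hop, and a user account with `BlockedFromDelegation = True` cannot be delegated regardless of the server setting. `TRUSTED_FOR_DELEGATION` is unconstrained delegation, so the same check serves as an audit of which hosts carry it.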