Re: ASP.NET web app, Win2003, & Active Directory

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/12/05


Date: Fri, 11 Feb 2005 23:25:17 -0600

This error generally results from the ADSI schema cache not getting read
properly. The primary cause of this is a security issue. The account you
are binding to AD with (which is generally the null or anonymous account)
doesn't have rights to read the schema from the directory, so ADSI falls
back on its LDAP V2 schema which contains very few of the AD attributes.

Normally, you end up binding to the directory because your current security
context cannot hop to a different machine. The quick test for this is to
change your DirectoryEntry binds to include some hard-coded usernames and
passwords. If that fixes it, then it is a security issue. To fix this
without supplying credentials, you typically need to understand exactly what
security context you are connecting with and why it can't hop to the remote
machine.

There are dozens of similar posts that you can search with Google groups
that will reveal all of the answers in detail. This link is also quite
helpful.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

HTH,

Joe K.

"mcasthana" <mcasthana@discussions.microsoft.com> wrote in message
news:A8752F4E-746E-4B6E-90F6-4DB742B6550D@microsoft.com...
> All,
>
> I developed an ASP.NET web app on my local machine (W2K) and everything
> worked fine. I was able to grab all the attributes of the AD schema. I then
> moved my app to the development server (Win2003) and now 95% of the
> attributes come up as "System.NotImplementedException: Handling of this
> ADSVALUE type is not yet implemented (type = 0xb)". I tried impersonation
> with both Integrated Windows Authentication AND Basic Authentication with
> Anonymous disabled, but with no success. In my research, I found that even
> impersonation on IIS can be pretty shallow and not have sufficient rights
> when accessing AD. Does anyone know how I can overcome this problem? I
> would greatly appreciate any assistance.
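
The quick test described in the reply above, as an added example that is not code from the original thread: it binds to the same object once with the current security context and once with explicit credentials, and counts how many attribute reads throw `NotImplementedException`. The class and method names (`AdsiBindCheck`, `Probe`, `Run`) and the LDAP path in the comment are hypothetical placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added diagnostic sketch; names are hypothetical, not from the original post.
public static class AdsiBindCheck
{
    // Reads every attribute on one object and counts which reads ADSI can marshal.
    static string Probe(string label, DirectoryEntry entry)
    {
        int ok = 0, failed = 0;
        try
        {
            using (entry)
            {
                foreach (string name in entry.Properties.PropertyNames)
                {
                    try { object v = entry.Properties[name].Value; ok++; }
                    // The error from the question: ADSI could not load the AD schema.
                    catch (NotImplementedException) { failed++; }
                }
            }
        }
        catch (Exception ex) // the bind itself failed, e.g. bad credentials
        {
            return label + ": bind failed: " + ex.Message;
        }
        return label + ": " + ok + " readable, " + failed + " NotImplementedException";
    }

    // path is a constructed placeholder such as
    // "LDAP://dc.example.com/CN=Some User,CN=Users,DC=example,DC=com".
    // user/password belong to a test account and are passed in by the caller.
    public static string Run(string path, string user, string password)
    {
        var sb = new StringBuilder();
        // Shows the impersonated identity if the thread is impersonating.
        sb.AppendLine("Thread identity: " + WindowsIdentity.GetCurrent().Name);
        sb.AppendLine(Probe("current context", new DirectoryEntry(path)));
        sb.AppendLine(Probe("explicit credentials",
            new DirectoryEntry(path, user, password, AuthenticationTypes.Secure)));
        return sb.ToString();
    }
}
```

Call `Run` from inside the ASP.NET page so that the first probe uses the same security context as the failing code. If only the explicit-credentials probe reads the attributes cleanly, the result points at the security context rather than at the directory.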


