Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Domain could not be contacted problem

Reply
Thread Tools

Domain could not be contacted problem

 
 
Grant
Guest
Posts: n/a
 
      11-22-2004
Hello,

I got some sample code off the MSDN website on how to loop through a group
in active directory and list the members. I can run the code from a console
app but I cant run it from an ASP solution? I get the folowing message:

"The specified domain either does not exist or could not be contacted"

Heres the code Im using:
---------------------------------------------------
try
{
DirectoryEntry group = new
DirectoryEntry("LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com") ;
object members = group.Invoke("Members",null); //CODE IS FAILING HERE
foreach( object member in (IEnumerable) members)
{
DirectoryEntry x = new DirectoryEntry(member);
}
}
catch ( Exception ex )
{
lblResults.Text = ex.Message;

}
---------------------------------------------------

I havent done any ASP programming before. This is a standard webapplication
created using Visual Studio.NET 2003. I have IIS installed and Ive set the
permissions to interactive user. The above code works from my console app
and works a beaut but just not from my ASP page..

can anyone tell me what Im doing worng here?

Thanks,
Grant


 
Reply With Quote
 
 
 
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      11-22-2004
This is a security context issue. The account your code is running under
might not be a domain account, so you can't use serverless binding (which is
what you are doing when you don't put a server name in the binding string
below).

This document has a lot more detail:

http://support.microsoft.com/default...b;en-us;329986

Joe K.

"Grant" <(E-Mail Removed)> wrote in message
news:u2KGc%(E-Mail Removed)...
> Hello,
>
> I got some sample code off the MSDN website on how to loop through a group
> in active directory and list the members. I can run the code from a
> console app but I cant run it from an ASP solution? I get the folowing
> message:
>
> "The specified domain either does not exist or could not be contacted"
>
> Heres the code Im using:
> ---------------------------------------------------
> try
> {
> DirectoryEntry group = new
> DirectoryEntry("LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com") ;
> object members = group.Invoke("Members",null); //CODE IS FAILING HERE
> foreach( object member in (IEnumerable) members)
> {
> DirectoryEntry x = new DirectoryEntry(member);
> }
> }
> catch ( Exception ex )
> {
> lblResults.Text = ex.Message;
>
> }
> ---------------------------------------------------
>
> I havent done any ASP programming before. This is a standard
> webapplication created using Visual Studio.NET 2003. I have IIS installed
> and Ive set the permissions to interactive user. The above code works from
> my console app and works a beaut but just not from my ASP page..
>
> can anyone tell me what Im doing worng here?
>
> Thanks,
> Grant
>



 
Reply With Quote
 
 
 
 
Grant
Guest
Posts: n/a
 
      11-22-2004
Thank you for the reply! Looking at my web.config file I dont have this
"identity impersonate="true"" section and also it says to "security
mechanism to Anonymous only" - where do I find this security mechanism, and
how would i set the identity impersonate setting?

-------------
When the Web.config file is set to identity impersonate="true"/ and
authentication mode="Windows", use the Anonymous account with the following
settings: . On the ASPX page, set the security mechanism to Anonymous only.
. Clear the Allow IIS to control the password check box.
. Set the Anonymous account to be a domain user.

-------------

Cheers
Grant


"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
in message news:(E-Mail Removed)...
> This is a security context issue. The account your code is running under
> might not be a domain account, so you can't use serverless binding (which
> is what you are doing when you don't put a server name in the binding
> string below).
>
> This document has a lot more detail:
>
> http://support.microsoft.com/default...b;en-us;329986
>
> Joe K.
>
> "Grant" <(E-Mail Removed)> wrote in message
> news:u2KGc%(E-Mail Removed)...
>> Hello,
>>
>> I got some sample code off the MSDN website on how to loop through a
>> group in active directory and list the members. I can run the code from a
>> console app but I cant run it from an ASP solution? I get the folowing
>> message:
>>
>> "The specified domain either does not exist or could not be contacted"
>>
>> Heres the code Im using:
>> ---------------------------------------------------
>> try
>> {
>> DirectoryEntry group = new
>> DirectoryEntry("LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com") ;
>> object members = group.Invoke("Members",null); //CODE IS FAILING HERE
>> foreach( object member in (IEnumerable) members)
>> {
>> DirectoryEntry x = new DirectoryEntry(member);
>> }
>> }
>> catch ( Exception ex )
>> {
>> lblResults.Text = ex.Message;
>>
>> }
>> ---------------------------------------------------
>>
>> I havent done any ASP programming before. This is a standard
>> webapplication created using Visual Studio.NET 2003. I have IIS installed
>> and Ive set the permissions to interactive user. The above code works
>> from my console app and works a beaut but just not from my ASP page..
>>
>> can anyone tell me what Im doing worng here?
>>
>> Thanks,
>> Grant
>>

>
>



 
Reply With Quote
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      11-23-2004
The way I see it, you have two choices. You can either get your code
running under a domain account so that you don't have to supply credentials
and a server name, or you can supply a server or domain name and supply
credentials.

If you go the former route, you have a lot of options. Essentially, you can
either make the process run under a domain account, or you can impersonate a
domain account so that your current thread will take on that identity.

To change the process account, you can either make the worker process run as
a domain account or move the code into a COM+ component and run that under a
domain identity.

To impersonate a domain account, you generally do this by enabling
impersonation in web.config. If you do that, then you will be impersonating
the authenticated user in IIS. That will either be the user logging on or
the anonyous user account (which you can make a domain account if you want).

It is also possible to impersonate a specific user via web.config by
specifying credentials and you can impersonate an account through code.
Thus, you have lots of options. Some of these options vary by the OS you
are running and your security settings.

All of the IIS security settings are configured via the IIS MMC on the
directory security tab.

Normally, I just supply the server or domain in the binding string and
supply som credentials from a service account and don't worry about all of
the above.

HTH,

Joe K.

"Grant" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thank you for the reply! Looking at my web.config file I dont have this
> "identity impersonate="true"" section and also it says to "security
> mechanism to Anonymous only" - where do I find this security mechanism,
> and how would i set the identity impersonate setting?
>
> -------------
> When the Web.config file is set to identity impersonate="true"/ and
> authentication mode="Windows", use the Anonymous account with the
> following settings: . On the ASPX page, set the security mechanism to
> Anonymous only.
> . Clear the Allow IIS to control the password check box.
> . Set the Anonymous account to be a domain user.
>
> -------------
>
> Cheers
> Grant
>
>
> "Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
> in message news:(E-Mail Removed)...
>> This is a security context issue. The account your code is running under
>> might not be a domain account, so you can't use serverless binding (which
>> is what you are doing when you don't put a server name in the binding
>> string below).
>>
>> This document has a lot more detail:
>>
>> http://support.microsoft.com/default...b;en-us;329986
>>
>> Joe K.
>>
>> "Grant" <(E-Mail Removed)> wrote in message
>> news:u2KGc%(E-Mail Removed)...
>>> Hello,
>>>
>>> I got some sample code off the MSDN website on how to loop through a
>>> group in active directory and list the members. I can run the code from
>>> a console app but I cant run it from an ASP solution? I get the folowing
>>> message:
>>>
>>> "The specified domain either does not exist or could not be contacted"
>>>
>>> Heres the code Im using:
>>> ---------------------------------------------------
>>> try
>>> {
>>> DirectoryEntry group = new
>>> DirectoryEntry("LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com") ;
>>> object members = group.Invoke("Members",null); //CODE IS FAILING HERE
>>> foreach( object member in (IEnumerable) members)
>>> {
>>> DirectoryEntry x = new DirectoryEntry(member);
>>> }
>>> }
>>> catch ( Exception ex )
>>> {
>>> lblResults.Text = ex.Message;
>>>
>>> }
>>> ---------------------------------------------------
>>>
>>> I havent done any ASP programming before. This is a standard
>>> webapplication created using Visual Studio.NET 2003. I have IIS
>>> installed and Ive set the permissions to interactive user. The above
>>> code works from my console app and works a beaut but just not from my
>>> ASP page..
>>>
>>> can anyone tell me what Im doing worng here?
>>>
>>> Thanks,
>>> Grant
>>>

>>
>>

>
>



 
Reply With Quote
 
Grant
Guest
Posts: n/a
 
      11-23-2004
Thanks for your help Joe. I put the "identity impersonate="true"" into the
web config file and it worked perfectly. So nice when t works when in fact
you were expecting an error - love that.

I also had to disable anonymous access and enable integrated authentication
in IIS before it worked. I do have to log in when I access the page for the
first time - not sure why thats happening but if the rest works then my
theory is - walk away veeeery slowly.

Cheers,
Grant

"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
in message news:(E-Mail Removed)...
> The way I see it, you have two choices. You can either get your code
> running under a domain account so that you don't have to supply
> credentials and a server name, or you can supply a server or domain name
> and supply credentials.
>
> If you go the former route, you have a lot of options. Essentially, you
> can either make the process run under a domain account, or you can
> impersonate a domain account so that your current thread will take on that
> identity.
>
> To change the process account, you can either make the worker process run
> as a domain account or move the code into a COM+ component and run that
> under a domain identity.
>
> To impersonate a domain account, you generally do this by enabling
> impersonation in web.config. If you do that, then you will be
> impersonating the authenticated user in IIS. That will either be the user
> logging on or the anonyous user account (which you can make a domain
> account if you want).
>
> It is also possible to impersonate a specific user via web.config by
> specifying credentials and you can impersonate an account through code.
> Thus, you have lots of options. Some of these options vary by the OS you
> are running and your security settings.
>
> All of the IIS security settings are configured via the IIS MMC on the
> directory security tab.
>
> Normally, I just supply the server or domain in the binding string and
> supply som credentials from a service account and don't worry about all of
> the above.
>
> HTH,
>
> Joe K.
>
> "Grant" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Thank you for the reply! Looking at my web.config file I dont have this
>> "identity impersonate="true"" section and also it says to "security
>> mechanism to Anonymous only" - where do I find this security mechanism,
>> and how would i set the identity impersonate setting?
>>
>> -------------
>> When the Web.config file is set to identity impersonate="true"/ and
>> authentication mode="Windows", use the Anonymous account with the
>> following settings: . On the ASPX page, set the security mechanism to
>> Anonymous only.
>> . Clear the Allow IIS to control the password check box.
>> . Set the Anonymous account to be a domain user.
>>
>> -------------
>>
>> Cheers
>> Grant
>>
>>
>> "Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)>
>> wrote in message news:(E-Mail Removed)...
>>> This is a security context issue. The account your code is running
>>> under might not be a domain account, so you can't use serverless binding
>>> (which is what you are doing when you don't put a server name in the
>>> binding string below).
>>>
>>> This document has a lot more detail:
>>>
>>> http://support.microsoft.com/default...b;en-us;329986
>>>
>>> Joe K.
>>>
>>> "Grant" <(E-Mail Removed)> wrote in message
>>> news:u2KGc%(E-Mail Removed)...
>>>> Hello,
>>>>
>>>> I got some sample code off the MSDN website on how to loop through a
>>>> group in active directory and list the members. I can run the code from
>>>> a console app but I cant run it from an ASP solution? I get the
>>>> folowing message:
>>>>
>>>> "The specified domain either does not exist or could not be contacted"
>>>>
>>>> Heres the code Im using:
>>>> ---------------------------------------------------
>>>> try
>>>> {
>>>> DirectoryEntry group = new
>>>> DirectoryEntry("LDAP://CN=Administrators,CN=builtin,DC=ourdomain,DC=com") ;
>>>> object members = group.Invoke("Members",null); //CODE IS FAILING
>>>> HERE
>>>> foreach( object member in (IEnumerable) members)
>>>> {
>>>> DirectoryEntry x = new DirectoryEntry(member);
>>>> }
>>>> }
>>>> catch ( Exception ex )
>>>> {
>>>> lblResults.Text = ex.Message;
>>>>
>>>> }
>>>> ---------------------------------------------------
>>>>
>>>> I havent done any ASP programming before. This is a standard
>>>> webapplication created using Visual Studio.NET 2003. I have IIS
>>>> installed and Ive set the permissions to interactive user. The above
>>>> code works from my console app and works a beaut but just not from my
>>>> ASP page..
>>>>
>>>> can anyone tell me what Im doing worng here?
>>>>
>>>> Thanks,
>>>> Grant
>>>>
>>>
>>>

>>
>>

>
>



 
Reply With Quote
 
Ken Schaefer
Guest
Posts: n/a
 
      11-23-2004

"Grant" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I also had to disable anonymous access and enable integrated
> authentication in IIS before it worked. I do have to log in when I access
> the page for the first time - not sure why thats happening


Um - because IIS needs to impersonate a user account, and so you need to
supply valid user credentials?

Well, technically your browser needs to supply them, and so you enter them
into a dialogue the browser throws up, and the browser then sends them (or a
hash of your password) to the server.

Now, IE can attempt to logon on your behalf in certain circumstances without
bothering you. See this KB article for a list of conditions that must be
satisfied for this to happen:
http://support.microsoft.com/?id=258063

Cheers
Ken


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Specified Domain does not exist or could not be contacted Sanmic ASP .Net 1 10-11-2004 03:20 PM
Active Directory Error "The specified domain either does not exist or could not be contacted" Brad ASP .Net 1 06-22-2004 06:20 AM
"The specified domain either does not exist or could not be contacted" Kevin Buchan ASP .Net 0 02-16-2004 09:03 PM
How do you figure out the LDAP://? ("Error authenticating. Error authenticating user. The specified domain either does not exist or could not be contacted") mrwoopey ASP .Net 3 06-30-2003 10:11 PM



Advertisments