Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Table does not exist error

Table does not exist error

 
 
Wake-Up-Jeff
04-14-2009
I am trying to get my asp.net code to modify the comment property of the
user object in AD.
The idea is that an AD user accesses the web page.
The user's credentials are used to access the user object and modify their
own comment field.
I don't want to use a single domain account to do this for all users. Each
user can do it for themselves.
I get the "table does not exist" error when calling the following code:

' VB.NET with late binding (Option Strict Off). The Where clause was split
' across lines without a continuation in the post; it is joined here.
con = CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open("Active Directory Provider")
com = CreateObject("ADODB.Command")
com.ActiveConnection = con
' strUserID is concatenated straight into the filter; if it can come from
' request input it must be escaped (RFC 4515) before being placed here.
strQuery = "Select distinguishedName from 'LDAP://" & strDomain & "'" & _
           " Where objectCategory = 'Person' AND objectClass='user' AND " & _
           "samAccountName='" & strUserID & "'"
com.CommandText = strQuery
RS = com.Execute()

the error occurs on com.Execute.

I have read about impersonation, and have attempted to set this up, but I
obviously haven't got something correct yet.
The authentication for my virtual directory has Integrated Windows
Authentication checked, and no other options checked.
My web.config file has the following entries:
<authentication mode="Windows"/>
<identity impersonate ="true"/>

I have the computer account on which IIS is running as "Trusted for
delegation". It is running W2K3 R2. The domain and forest are both at W2K3
functional level.

Any hints????



 

Joe Kaplan
04-14-2009
Why on earth would you use ADO for querying AD when you could just use the
DirectorySearcher in System.DirectoryServices? It is faster, easier to use
and more flexible.

The error you are getting is likely related to security. If you are trying
to delegate without protocol transition (don't have "trusted for delegation
with any protocol" configured in AD for the computer account along with
constrained delegation to AD), then you need Kerb auth in IIS to get this to
work. If you are getting NTLM instead (which is common), it will fail.
Typically, if you want to get delegation working, you need to read the
TechNet docs on troubleshooting Kerberos delegation to get a better idea of
what you are looking for to make this work.

I think you'll likely be better off switching to SDS for doing both the AD
search and the modification operation. The security considerations are the
same but you get an API that is easier to use in .NET and faster. The
troubleshooting is also likely to be easier since the errors are slightly
less obscure.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Wake-Up-Jeff" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I am trying to get my asp.net code to modify the comment property of the
> user object in AD.
> The idea is that an AD user accesses the web page.
> The user's credentials are used to access the user object and modify their
> own comment field.
> I don't want to use a single domain account to do this for all users. Each
> user can do it for themselves.
> I get the "table does not exist" error when calling the following code:
>
> con = CreateObject("ADODB.Connection")
> con.provider = "ADsDSOObject"
> con.open("Active Directory Provider")
> com = CreateObject("ADODB.Command")
> com.ActiveConnection = con
> strQuery = "Select distinguishedName from 'LDAP://" & strDomain & "'" & _
> " Where objectCategory = 'Person' AND objectClass='user' AND
> samAccountName='" & strUserID & "'"
> com.commandtext = strQuery
> RS = com.Execute
>
> the error occurs on com.Execute.
>
> I have read about impersonation, and have attempted to set this up, but I
> obviously haven't got something correct yet.
> The authentication for my virtual directory has Integrated Windows
> Authentication checked, and no other options checked.
> My web.config file has the following entries:
> <authentication mode="Windows"/>
> <identity impersonate ="true"/>
>
> I have the computer account on which IIS is running as "Trusted for
> delegation". It is running W2K3 R2. The domain and forest are both at W2K3
> functional level.
>
> Any hints????
>
>
>


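As an added example (not code from the thread, and not from Joe Kaplan's book or site), here is the same search and comment update written against System.DirectoryServices as the reply suggests. It assumes the page runs under Windows authentication with <identity impersonate="true"/>, so the bind happens with the caller's delegated token rather than a service account; the LDAP path "LDAP://DC=example,DC=com", the class and method names, and the filter-escaping helper are my own choices. The delegation requirement the reply describes is unchanged: if the token cannot be forwarded to AD, CommitChanges fails with an access-denied or operations-error COMException instead of ADO's "table does not exist".

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

public static class UserCommentUpdater
{
    // Escape a value before placing it inside an LDAP filter (RFC 4515),
    // so a crafted account name cannot change the shape of the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The same filter the ADO query expressed, in native LDAP syntax.
    public static string BuildFilter(string samAccountName)
    {
        return "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
               + EscapeFilterValue(samAccountName) + "))";
    }

    // Find the caller's own user object and set its "comment" attribute.
    // ldapPath is a placeholder such as "LDAP://DC=example,DC=com".
    public static string SetOwnComment(string ldapPath, string newComment)
    {
        // Under impersonation this is the browser user, not the app pool
        // identity. If it shows the app pool account, impersonation is off.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        string sam = caller.Name.Substring(caller.Name.IndexOf('\\') + 1);

        // No explicit credentials: the bind uses the impersonated token,
        // which is what makes this a second hop that needs delegation.
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, BuildFilter(sam),
                   new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult result = searcher.FindOne();
            if (result == null)
                throw new InvalidOperationException("No user object for " + sam);

            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                user.Properties["comment"].Value = newComment;
                user.CommitChanges();
                return user.Properties["distinguishedName"].Value as string;
            }
        }
    }
}
```

Because each user writes only to their own object with their own token, no shared domain account holds write access to every user's comment attribute, which is the design the original poster wanted; the write is authorised by AD's ACL on the user object, not by the web application.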
 
Wake-Up-Jeff
04-20-2009
Thanks for the tips.
I'm only using ADO because I'm used to VBScript programming, and was unaware
of the System.DirectoryServices namespace available in ASP.NET (a newbie at
this).
I've tried looking through the Kerberos delegation docs, but can't see anything
obvious I'm doing wrong.
e.g. http://msdn.microsoft.com/en-us/libr...50(VS.71).aspx
and http://forums.asp.net/p/897609/971665.aspx#971665

I have the member server computer account trusted for delegation.
It's definitely the "2 hop" issue, as when I run IIS on a DC, it all works
fine.

"Joe Kaplan" <(E-Mail Removed)> wrote in message
news:uiz%(E-Mail Removed)...
> Why on earth would you use ADO for querying AD when you could just use the
> DirectorySearcher in System.DirectoryServices? It is faster, easier to
> use and more flexible.
>
> The error you are getting is likely related to security. If you are
> trying to delegate without protocol transition (don't have "trusted for
> delegation with any protocol" configured in AD for the computer account
> along with constrained delegation to AD), then you need Kerb auth in IIS
> to get this to work. If you are getting NTLM instead (which is common),
> it will fail. Typically, if you want to get delegation working, you need
> to read the TechNet docs on troubleshooting Kerberos delegation to get a
> better idea of what you are looking for to make this work.
>
> I think you'll likely be better off switching to SDS for doing both the AD
> search and the modification operation. The security considerations are
> the same but you get an API that is easier to use in .NET and faster. The
> troubleshooting is also likely to be easier since the errors are
> slightly less obscure.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
 
Joe Kaplan
04-20-2009
With Kerb delegation, unless you are using protocol transition/S4U login,
the part that frequently breaks is the Kerb login to the web server. Normal
delegation requires Kerb to Kerb, so if you don't get Kerb on the front end,
you can't do Kerb auth to the middle tier.

The easiest way to verify is to enable account login audits on the front end
web server and then look at the security event log events that are generated
for the logins from the browser to the web server. If they are NTLMssp,
Kerb delegation won't work. If they are Kerberos, then you at least have a
chance.

Protocol transition login allows the front end auth to be something other
than Kerb (basic, NTLM or Digest) and then the service in the middle (the
web app in this case) can "transition" to Kerberos when it needs to
delegate. In ADUC, you'll see this option as "trusted for delegation | with
any protocol" and you have to specify which services to delegate to. If you
don't have the delegation tab in ADUC that shows this, your forest is not
2003 FFL and you can't use this feature.

Look for the technet doc on troubleshooting Kerberos delegation. It is the
bible on this.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Wake-Up-Jeff" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Thanks for the tips.
> I'm only using ADO because I'm used to VBScript programming, and was
> unaware of the System.DirectoryServices namespace available in ASP.NET (a
> newbie at this).
> I've tried looking thru the Kerberos delegation docs, but can't see
> anything obvious I'm doing wrong.
> e.g. http://msdn.microsoft.com/en-us/libr...50(VS.71).aspx
> and http://forums.asp.net/p/897609/971665.aspx#971665
>
> I have the member server computer account trusted for delegation.
> It's definitely the "2 hop" issue, as when I run IIS on a DC, it all works
> fine.
>

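The reply above checks the first hop by reading logon audit events on the web server. As an added example (not code from the thread), the same fact can be read in-process: the WindowsIdentity attached to the request carries the authentication package name, and comparing it with the thread identity shows whether impersonation took effect. It assumes an ASP.NET application under Windows authentication; the handler name, the output layout and the classification text are my own.

```csharp
using System;
using System.Security.Principal;
using System.Web;

public class DelegationDiagnostic : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Classification kept separate from the handler so it is easy to reason
    // about: only a Kerberos front-end logon can be forwarded to AD without
    // protocol transition ("use any authentication protocol" in ADUC).
    public static string Classify(string authenticationType)
    {
        if (string.Equals(authenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "Kerberos front end: ordinary (Kerberos-only) delegation can work "
                 + "if the web server's computer account is trusted for delegation.";
        if (string.Equals(authenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "NTLM front end: the second hop to AD will fail unless the server "
                 + "is configured for constrained delegation with protocol transition.";
        if (string.Equals(authenticationType, "Negotiate", StringComparison.OrdinalIgnoreCase))
            return "Negotiate reported: the package name is not conclusive here; "
                 + "check the security event log logon events for NTLM vs Kerberos.";
        return "Unexpected authentication type '" + authenticationType
             + "': delegation cannot be assumed to work.";
    }

    public void ProcessRequest(HttpContext context)
    {
        var requestIdentity = context.User.Identity as WindowsIdentity;
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        context.Response.ContentType = "text/plain";
        if (requestIdentity == null)
        {
            context.Response.Write("No Windows identity on the request; "
                                 + "check the IIS authentication settings.\n");
            return;
        }

        // Same information the audit events show: which package logged the user in.
        context.Response.Write("Request user:  " + requestIdentity.Name + "\n");
        context.Response.Write("Auth package:  " + requestIdentity.AuthenticationType + "\n");
        // If this differs from the request user, <identity impersonate="true"/>
        // is not in effect and every AD call runs as the app pool account.
        context.Response.Write("Thread user:   " + threadIdentity.Name + "\n");
        context.Response.Write(Classify(requestIdentity.AuthenticationType) + "\n");
    }
}
```

Register the handler for a diagnostic URL in web.config, request it from a domain-joined browser, and compare the reported package with what the security event log shows; the two should agree, and an NTLM result explains the failing second hop without touching the AD code at all.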
 