I'm trying to access AD data via ldap with the connection like:
LDAP://dc1.corp:port/OU=Users,DC=domain,DC=com
Then using the directorySearcher.FindOne().GetDirectoryEntry();
This 100% works on my machine, but when I do this on the server it throws DirectoryServicesCOMException (0x80072030) There is no such object on the server.
I found a similar question on SO, but it doesn't help. Currently I'm looking for a way to at least understand why there is a difference in LDAP access between my local PC and the server.
For me the problem was in the permissions under which the application pool was running. What I did to investigate was create 1 console app and 1 web app. I noticed that when I ran the console app it got the data from AD immediately, and the web app always threw that COM exception. I'm not 100% sure what exact permissions are needed to give the web app access to the AD (I don't know the exact difference between the local system account and my domain user account that matters), but I hope this will help someone solve a similar problem.
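One way to check the identity difference this answer describes, as an added example that is not code from the original post: it reports the account the process runs as, then binds with an explicit, dedicated read-only account instead of relying on the application pool identity. The port, the account name `DOMAIN\svc-ldap-read` and the `LDAP_BIND_PASSWORD` environment variable are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

static class AdBindCheck
{
    // Placeholder path in the same shape as the question's (port 389 assumed).
    const string LdapPath = "LDAP://dc1.corp:389/OU=Users,DC=domain,DC=com";

    // Returns a one-line result so the same call can be logged from a console
    // app and from the web app, and the two outputs compared.
    public static string Probe(string user, string password)
    {
        // Console app: the logged-on user. Under IIS: the application pool
        // identity (for example IIS APPPOOL\DefaultAppPool).
        string runningAs = WindowsIdentity.GetCurrent().Name;
        try
        {
            // Explicit credentials, so the bind no longer depends on runningAs.
            using (var root = new DirectoryEntry(LdapPath, user, password,
                                                 AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(root, "(objectClass=user)"))
            {
                searcher.PropertiesToLoad.Add("distinguishedName");
                SearchResult hit = searcher.FindOne();
                return runningAs + ": bind OK, " + (hit == null ? "no match" : hit.Path);
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // 0x80072030 is the "no such object" code from the question.
            return string.Format("{0}: LDAP error 0x{1:X8}: {2}",
                                 runningAs, ex.ErrorCode, ex.Message);
        }
    }

    static void Main()
    {
        // Hypothetical read-only account; the secret is read from the
        // environment so it is not stored in source code.
        string password = Environment.GetEnvironmentVariable("LDAP_BIND_PASSWORD");
        Console.WriteLine(Probe(@"DOMAIN\svc-ldap-read", password));
    }
}
```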
Question edited to show some new screenshots of my attempt to give DefaultAppPool access to the database...(the rest of the question is the same, and unchanged):
The rest of the question, unchanged:
Database access was not a problem with the built-in IIS Express, because my program was running under the user logged into windows. I am new to Web Development.
With Windows Home, you are not allowed to use Windows Authentication--the option is not even present when you go to add\remove feature, and consensus is that you have to upgrade your OS for this to be available.
Hence, the program runs under the app pool account.
So I tried to go into SQL Server and give IIS APPPool\DefaultAppPool account access, but it would not let me.
So I went ahead and turned on impersonation, so that it will run under IUSR account, and I gave that account access to the database, as per screenshots.
But the program still crashes and reports that, "Login Failed..."
How do I run the program in IIS and not IIS Express?
As far as I know, there is no need to use impersonation to access the SQL Server. The reason you get the account not found error is that you used the wrong application pool name.
If you type in the {yourcomputername}\DefaultAppPool, it is not regarded as the application pool identity.
You should use IIS AppPool\DefaultAppPool instead of the {yourcomputername}\DefaultAppPool.
For details, you could refer to the image below:
I have a problem I hope you bright guys can answer for me:
On server “A” I have a service running that sometimes needs to be stopped or restarted for reasons I can’t control. The service is run by a dedicated network user, say “serviceusr”, that is a member of the domain.
The problem is, that in some installations, server “A” resides in a hosted environment without direct access to server “A”. I have access to server “B” through RDP, that resides on the same network and in the same domain.
My idea is to create a small utility in C# that can be installed on server “B” that can impersonate “serviceusr” on Server “A” to start and stop the service. The “serviceusr” must be granted rights to start and stop the service, and this is no problem to obtain.
I have scoured the internet for hints and samples that could lead me on the right track, but haven’t found the “holy grail” yet. I have found a number of samples that claim to be able to do the job, but none have done the trick. I tried to tweak and/or combine them to the best of my abilities without any further progress. It seems to me that it isn’t possible to impersonate “serviceusr” on server “A” from server “B”.
My question to you is: Is my idea even possible?
And if it is, all kinds of hints, links or sample code on how to implement would be really great.
Thanks for the help in advance
/Morny
I have a problem, and have scoured the web for a solution without luck. I therefore hope a genius reads this and has a useful answer to my problem.
I have a domain (“MyDomain”) and a server (“StandAloneServer”) outside “MyDomain”, but on the same physical network. On “StandAloneServer” there is a local user (“LocUsr”) that is used to run a service, and has rights to start and stop that service.
From a computer that resides inside “MyDomain”, I can access the “StandAloneServer” via RDP by using the IP address for the “StandAloneServer” and the credentials for “LocUsr”.
So far, so good - Now my problem occurs.
I would like to make a small program, that can be run on a computer that resides inside “MyDomain”, that can start and stop the service on “StandAloneServer” using the credentials of “LocUsr”. In this way a person with limited credentials and knowledge of RDP and services can start and stop the service when needed.
All impersonation examples I can find are built on the assumption that the user to be impersonated is a member of “MyDomain” or that the program runs on the same computer as the local user – neither of these is true in my case.
How do I impersonate a local user that resides on a remote server, so that I can start and stop a service on the same remote server?
Try using psexec. This tool worked great for an application I was recently involved with for remotely restarting applications by impersonating the local user on a given pc.
Also WMI was a tool used in the project.
Here is an article on remote commands
Just remember that these tools are quite finicky and are unforgiving about syntax.
If you need a bit more, I would be happy to expand my answer
I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(@"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username "C:\ProgramFiles\Path\to\your\visualstudio"
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being run. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can be "wrapped" in a context with the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation
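The two suggestions above (`runas /netonly` and an impersonation block around the network work) combined in code, as an added example that is not from the original answers or from the SimpleImpersonation package: it calls `LogonUser` in advapi32.dll with the "new credentials" logon type, which applies the supplied account to outbound network connections only. It assumes .NET Framework 4.6 or later for `WindowsIdentity.RunImpersonated`; the account `DOMAIN\svc-share`, the `SHARE_PASSWORD` variable and the `reports` subfolder are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class NetOnlyImpersonation
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // same semantics as runas /netonly
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required by that logon type

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' with the given credentials used for network access only;
    // locally the code keeps the app pool identity and its low privileges.
    public static void RunWithNetworkCredentials(string domain, string user,
        string password, Action work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token) // the token is closed as soon as the scoped work ends
        {
            WindowsIdentity.RunImpersonated(token, work);
        }
    }

    static void Main()
    {
        // Placeholder account for the share; the secret is read from the
        // environment so it is not stored in source code or web.config.
        string password = Environment.GetEnvironmentVariable("SHARE_PASSWORD");
        RunWithNetworkCredentials("DOMAIN", "svc-share", password, () =>
        {
            Directory.CreateDirectory(@"\\my\network\path\reports");
        });
    }
}
```

With this logon type the credentials are not checked when `LogonUser` is called, so a wrong password surfaces as an access error on the first network call inside the block.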
I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetworkService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \\Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS server's machine account.