DirectoryServices and ActiveDs Combined. Double Hop issue?

Nikos Steiakakis - 21 Dec 2004 09:13 GMT
Greetings to all,

I have developed a Web service in which I have to access the active
directory, in order to retrieve all the groups in a domain, and also a list
of all the users in a group. I am using WinNT and not LDAP, and I am using
Windows authentication and impersonation. In order to bypass the Double Hop
issue I pass the credentials to the DirectoryEntry constructor. This works
just fine and I get the list of groups using only DirectoryServices.

However in order to get the list of Users in a specific group I use
IADsGroup and IADsMembers from ActiveDs. Everything is working fine in my
development machine, but when I upload the webservice to the actual server I
can only get the groups list (since it uses only DirectoryServices calls as a
specific user). When I try to retrieve the list of users in a specific group
I get an Exception 0x80005000, which is thrown when I try to invoke the
DirectoryEntry.NativeObject. So I suppose it has to do with the double hop
issue, concerning the ActiveDs library... Is this so, and if yes what can I do
to overcome the problem?? Should I pass credentials to the activeDs and how??

Thank you very much in advance...
Nikos

Marc Scheuner [MVP ADSI] - 22 Dec 2004 08:14 GMT
>I have developed a Web service in which I have to access the active
>directory, in order to retrieve all the groups in a domain, and also a list
>of all the users in a group. I am using WinNT and not LDAP, and I am using
>Windows authentication and impersonation. In order to bypass the Double Hop
>issue I pass the credentials to the DirectoryEntry constructor. This works
>just fine and I get the list of groups using only DirectoryServices.

Two things:

1) I would try to *AVOID* the WinNT provider whenever possible - it's
obsolete, it's not being developed further, it's NOT giving you access
to many features, and it's not as finely tuned and optimized as the
LDAP provider

2) Post your message to one of the Active Directory specific NG's:

* microsoft.public.adsi.general
* microsoft.public.active.directory.interfaces
* microsoft.public.platformsdk.adsi
* microsoft.public.platformsdk.active.directory

Marc

================================================================
Marc Scheuner                        May The Source Be With You!
Bern, Switzerland                         m.scheuner(at)inova.ch

Nikos Steiakakis - 22 Dec 2004 08:40 GMT
Thank you for your answer Marc, but I would certainly not use WinNT unless I
had to. That is my main problem. I cannot use LDAP for the time being. So now
I am stuck with this problem and I have to find a solution.

I will post the question to the NGs you mentioned.
Thank you again.

> >I have developed a Web service in which I have to access the active
> >directory, in order to retrieve all the groups in a domain, and also a list
[quoted text clipped - 22 lines]
> Marc Scheuner                        May The Source Be With You!
> Bern, Switzerland                         m.scheuner(at)inova.ch

Nikos Steiakakis - 22 Dec 2004 13:53 GMT
As an update I would like to mention that I actually upgraded the system and
used an LDAP provider and it works just fine. So for anyone else having the
same problem I would like to second Marc's suggestion that you should use an
LDAP provider.

If, however, you can't do that, then you will have to write a wrapper for
ADsOpenObject, where you can pass user credentials, but then again I am not
really sure that this will work because I haven't tried it.

> Thank you for your answer Marc, but I would certainly not use WinNT unless I
> had to. That is my main problem. I cannot use LDAP for the time being. So now
[quoted text clipped - 29 lines]
> > Marc Scheuner                        May The Source Be With You!
> > Bern, Switzerland                         m.scheuner(at)inova.ch
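
As an added example (not code from any poster in this thread): listing a group's members through the LDAP provider with explicit credentials, using only System.DirectoryServices so that no ActiveDs interop or NativeObject call is involved. The LDAP path, group name and environment variable names are hypothetical, and the group name is escaped before it goes into the search filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

static class GroupMembers
{
    // Escape a value for use inside an LDAP search filter (RFC 4515),
    // so a caller-supplied group name cannot change the filter's meaning.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Returns the distinguished names stored in the group's "member" attribute.
    public static List<string> List(string ldapPath, string user, string password, string groupName)
    {
        var members = new List<string>();
        // Explicit credentials: the bind to the domain controller does not rely on
        // the impersonated caller's token being usable for a second network hop.
        using (var root = new DirectoryEntry(ldapPath, user, password, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=group)(sAMAccountName=" + EscapeFilter(groupName) + "))";
            searcher.PropertiesToLoad.Add("member");
            SearchResult group = searcher.FindOne();
            if (group == null) return members;   // no such group: empty list
            foreach (object dn in group.Properties["member"])
                members.Add((string)dn);
        }
        return members;
    }

    static void Main()   // hypothetical path, group and environment variable names
    {
        string user = Environment.GetEnvironmentVariable("AD_USER");
        string pass = Environment.GetEnvironmentVariable("AD_PASSWORD");
        foreach (string dn in List("LDAP://dc01.example.com/DC=example,DC=com", user, pass, "Developers"))
            Console.WriteLine(dn);
    }
}
```

For very large groups Active Directory returns the member attribute in ranges, so this single read can be incomplete. Keep the service account's password out of source and configuration files that are checked in.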