AzMan connection problems

bigbrorpi@gmail.com - 27 Jun 2006 14:56 GMT
Hi

I have an ASP .NET 2.0 app connecting to an ADAM AzMan Store on a DC. I
tested this from my machine and it worked fine. When I moved the app to
a server, I get an error when it tries to initialize the AzManStore:
The system cannot open the device or file specified (Exception from
HRESULT: 0x8007006E)

I have a feeling this is due to security on the store, but I have even
gone as far as giving Everyone the Reader permission and it still
fails. Can't seem to find much in the event logs either.

Does anybody have any ideas on how to fix this?

Thanks
DNo - 05 Jul 2006 07:26 GMT
I'm having the same problem in a similar environment.  In my case the ASP.Net
2.0 application can successfully call AzMan to access the AD datastore when
the application is opened on the server, however running the application from
a client causes the same error detailed below.  

Am very keen to hear of any suggestions for this.
Thanks,
Dean.

> Hi
>
[quoted text clipped - 11 lines]
>
> Thanks
Andrew - 13 Jul 2006 14:43 GMT
I've got the same issue.  Were either of you able to resolve?

> I'm having the same problem in a similar environment.  In my case the ASP.Net
> 2.0 application can successfully call AzMan to access the AD datastore when
[quoted text clipped - 20 lines]
> >
> > Thanks
DNo - 14 Jul 2006 01:58 GMT
Not yet.  I have raised a support request with Microsoft which they are
currently working on.
Dean.

> I've got the same issue.  Were either of you able to resolve?
>
[quoted text clipped - 22 lines]
> > >
> > > Thanks
Joe Kaplan (MVP - ADSI) - 14 Jul 2006 02:38 GMT
I'm not an AzMan expert at all, but this sounds like an
impersonation/delegation issue as the symptoms are classic double hop
authentication.  Is impersonation enabled?  What security context is being
used to access the AzMan store?  If you are trying to use the authenticated
user's security context to do so, you may need to configure Kerberos
delegation.

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

> Not yet.  I have raised a support request with Microsoft which they are
> currently working on.
[quoted text clipped - 32 lines]
>> > >
>> > > Thanks
Geordie - 14 Jul 2006 22:02 GMT
Please post any answers you get from MS.  It appears there are several people
in the same situation.

> Not yet.  I have raised a support request with Microsoft which they are
> currently working on.
[quoted text clipped - 26 lines]
> > > >
> > > > Thanks
killajoe - 18 Dec 2006 22:40 GMT
Solution:  When you are configuring the ASP.NET app pool account for delegation, make sure you include an ldap entry in addition to the other services you need to delegate credentials to (like SQL Server) if you are storing the AzMan policy store in AD.  

This is called constrained delegation and it's one of the options available on the Delegation tab within AD, though not labeled "constrained delegation"; its text is "Trust this user for delegation to specified services only".  To add services for delegation, you select the target server and pick the services (you'll see SPN entries for the most common services - you can also create these using setspn.exe). You should see one called ldap for the AD on the server where you're storing the AzMan policy store.

Hope this helps someone.  Sure killed a few hours of my day today...

From http://www.developmentnow.com/g/46_2006_6_0_0_779774/AzMan-connection-problems.ht
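One way to check the delegation setup described in the post above, added here as an example (it is not code from any poster in this thread). The function name, the account name `svc-apppool` and the `example.test` host names are assumptions; the constructed sample models an account that may delegate to SQL Server but has no ldap entry for the server holding the policy store.

```powershell
# Added example: audits the delegation attributes of an app pool account.
# Host names and the account name are placeholders, not values from the thread.
function Test-AzManDelegation {
    param(
        [Parameter(Mandatory)] $Account,            # object carrying the AD attributes read below
        [Parameter(Mandatory)] [string] $StoreHost  # server hosting the AzMan policy store
    )
    $uac     = [int]$Account.userAccountControl
    # Where-Object { $_ } drops the $null produced by an unset attribute
    $ownSpns = @($Account.servicePrincipalName | Where-Object { $_ })
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    # Accept the ldap/host, ldap/host:port and ldap/host/domain forms
    $pattern = '^ldap/' + [regex]::Escape($StoreHost) + '(:\d+)?(/|$)'
    $ldap    = @($targets | Where-Object { $_ -match $pattern })

    [pscustomobject]@{
        # The account needs an SPN of its own before it can be trusted for delegation
        HasOwnSpn          = $ownSpns.Count -gt 0
        # 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained, broader than this setup needs)
        Unconstrained      = ($uac -band 0x80000) -ne 0
        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
        ProtocolTransition = ($uac -band 0x1000000) -ne 0
        DelegationTargets  = $targets
        LdapTargetPresent  = $ldap.Count -gt 0
    }
}

# Constructed sample: delegation to SQL Server only, no ldap entry for the store host
$sample = [pscustomobject]@{
    userAccountControl         = 0x200   # NORMAL_ACCOUNT
    servicePrincipalName       = @('HTTP/web01.example.test')
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.example.test:1433')
}
Test-AzManDelegation -Account $sample -StoreHost 'dc01.example.test'

# Against a live domain (needs the RSAT ActiveDirectory module; 'svc-apppool' is hypothetical):
# $acct = Get-ADUser svc-apppool -Properties userAccountControl, servicePrincipalName, msDS-AllowedToDelegateTo
# Test-AzManDelegation -Account $acct -StoreHost 'dc01.example.test'
```

A result with `LdapTargetPresent` false and other delegation targets listed is the situation the post describes; `Unconstrained` true means the account is trusted for delegation to any service rather than to the specified services only.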
mc@pochta.ws - 26 Jan 2007 14:37 GMT
That's strange - I don't have any SPNs on my AD server. Anyway, I did
as killajoe explained and it doesn't seem to help.

But still when I run an ASP.NET WebSite from Visual Studio everything
works. When I publish it to IIS and run from IIS it doesn't...

> Solution:  When you are configuring the ASP.NET app pool account for delegation, make sure you include an ldap entry in addition to the other services you need to delegate credentials to (like SQL Server) if you are storing the AzMan policy store in AD.
>
[quoted text clipped - 5 lines]
>
> Posted via DevelopmentNow.com Groups http://www.developmentnow.com
