Posted by chen on March 5, 2007, 12:33 pm
Yes - the worker process is running under the ASPNET account in XP.
Tried adding the built-in Windows 'Authenticated Users' group to the
Readers role as well. Same error.
And in the Security Audit log, I see a success audit:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ASPNET
Source Workstation: <machine name>
Error Code: 0x0
Next I tried ADAM on a Windows Server 2003 m/c and tried connecting to
it from my dev box. Once again, if the process runs under the current
logged-on user context, it is able to access the ADAM instance. But if
I access it from the ASPNET worker process running on my dev m/c, it
returns a slightly different error now:
{System.Security.SecurityException: Unable to update the password. The
value provided as the current password is incorrect. (Exception from
HRESULT: 0x8007052B) ---> System.Runtime.InteropServices.COMException
(0x8007052B): Unable to update the password. The value provided as the
current password is incorrect. (Exception from HRESULT: 0x8007052B)
And I see the failure audit in the event log:
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain: CONTRACTOR199B
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CONTRACTOR199B
Eventually, I would like to access the ADAM instance running on a
different m/c than the web server. One thing that jumps out is that
the account being validated is a m/c account. So I added the m/c
account to the Readers role as well, but it still results in the same
error.
Not making any headway. Any further ideas?
On Mar 2, 4:54 pm, "Joe Kaplan"
> Are you sure ASP.NET is running under the ASPNET account? That would be the
> case if you were running on WinXP but not on 2003 Server.
>
> What I usually do in ADAM to facilitate a design that is more
> "directory-like", where users who can bind can automatically see most of the
> objects (the AD model), is to add the built-in Windows "Authenticated Users"
> group to the Readers role. Do this by adding this as a member:
> <SID=S-1-5-11> or use ADSIEdit to modify the group membership and add a
> Windows account (I use ldp...).
>
> You can certainly use more restrictive permissions and sometimes that's
> appropriate. It depends a lot on your use case.
>
> Then, unless the permissions on the container that stores the AzMan policy
> are different, any user that can bind can read the policy. The only
> remaining issue is getting a working bind. I would expect you'd be able to
> get that either way. To help troubleshoot what's happening, you can enable
> account logon auditing in your local security policy for both success and
> failure and then check the security event log to see who got authenticated
> when AzMan tries to load.
>
> Good luck!
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming" http://www.directoryprogramming.net
>
> > Running into a problem that fails in the
> > AzAuthorizationStoreClass.Initialize call with "The system cannot find
> > the file specified. (Exception from HRESULT: 0x80070002)".
>
> > I've followed the "How To: Use ADAM for Roles in ASP.NET 2.0" to setup
> > ADAM & AzMan store [http://msdn2.microsoft.com/en-us/library/
> > ms998331.aspx]
>
> > I'm able to access the AzMan store in ADAM from a simple console based
> > app running in the context of the logged-on user (which verifies &
> > validates the installation steps) but if i access the store from the
> > ASP.NET worker process it fails as mentioned earlier.
>
> > Note that both the ADAM instance & ASP.NET worker process are running
> > on the same m/c [XP with SP2]. ADAM instance is running under Network
> > Service account while the worker process is running under the ASPNET
> > account.
>
> > I've tried adding ASPNET and the m/c account to the Reader and
> > Administrator user role in the AzMan store to no avail. And there is
> > nothing in the Event Logs to give me a clue.
>
> > This looks to be a permissioning issue - not exactly sure what the
> > error is all about. Can anyone shed more light on this and how to go
> > about fixing it? TIA.
>
> > chen
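A small diagnostic along the lines Joe describes, added here as an example; it is not code from the thread or from the MSDN How-To. It reports the Windows identity the worker process actually runs under (the ASPNET-vs-NETWORK SERVICE question), then attempts the AzMan store open and surfaces the HRESULT of the underlying COMException so it can be matched against the security event log record written at the same moment. It assumes the AzMan COM interop assembly (Microsoft.Interop.Security.AzRoles, the one the How-To references) is available; the store URL and application name are placeholders, not values from the thread.

```csharp
// Added diagnostic example (not from the thread or the MSDN How-To).
// Assumes a reference to the AzMan interop assembly
// Microsoft.Interop.Security.AzRoles; StoreUrl and ApplicationName are
// placeholders for your own ADAM instance.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

public static class AzManBindCheck
{
    // Placeholder: msldap:// URL of the AzMan store held in ADAM.
    const string StoreUrl = "msldap://ADAM-HOST:389/CN=AzManStore,OU=Apps,O=Example";
    // Placeholder: the AzMan application name inside that store.
    const string ApplicationName = "MyApp";

    public static string Run()
    {
        // Step 1: which Windows account will perform the bind to ADAM?
        // On XP the default worker identity is ASPNET; on Server 2003 it is
        // NETWORK SERVICE. A local account such as ASPNET cannot be validated
        // by a remote ADAM host, which is what a Logon Type 3 NTLM failure
        // with the workstation's own name as the domain looks like.
        WindowsIdentity who = WindowsIdentity.GetCurrent();
        string report = "Process identity: " + who.Name
                      + " (AuthenticationType=" + who.AuthenticationType + ")\n";

        try
        {
            // Step 2: open the store read-only (flags 0, as in the How-To)
            // and then the application. This is where the bind happens.
            AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
            store.Initialize(0, StoreUrl, null);
            IAzApplication app = store.OpenApplication(ApplicationName, null);
            report += "Bind OK; opened application '" + app.Name + "'\n";
        }
        catch (Exception ex)
        {
            // Step 3: AzMan failures surface as a COMException, sometimes
            // wrapped in a SecurityException under ASP.NET. Walk the chain to
            // find the HRESULT, which is the value to compare with the event
            // log entry (e.g. 0x8007052B = bad user name or password).
            COMException com = FindComException(ex);
            if (com != null)
            {
                report += "Bind failed: HRESULT=0x" + com.ErrorCode.ToString("X8")
                        + " (" + com.Message + ")\n";
            }
            else
            {
                report += "Bind failed: " + ex.GetType().Name + ": " + ex.Message + "\n";
            }
        }
        return report;
    }

    // Return the innermost COMException in the chain, or null if none.
    static COMException FindComException(Exception ex)
    {
        COMException found = null;
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            COMException c = e as COMException;
            if (c != null) found = c;
        }
        return found;
    }
}
```

Call `AzManBindCheck.Run()` once from a page or from Application_Start and write the returned string to a trace or a log file; run it once from a console app under the logged-on user and once inside the worker process, and the two identity lines, paired with the corresponding success/failure audit entries, show directly which account each bind is being made with.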