Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Directory service error has occurred

Last post 06-26-2009, 5:19 PM by Kreshiv. 8 replies.
  •  06-24-2009, 4:45 PM 6730

    Directory service error has occurred

    Joe,

    I have been stuck on this for the last 2 days. Giving READER access to the ASPNET account in ADAM with

    dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
    changetype: modify
    add: member
    (local system)\ASPNET

    prompted this error. This is on a Windows 2003 Server machine, a dev server. I
    am able to add the aspnet account as a reader in AzMan.
  •  06-24-2009, 5:05 PM 6732 in reply to 6730

    Re: Directory service error has occurred

    I think if you use the ADSI Edit GUI for this, it has an easier way to add Windows accounts to a group.  I think if you try to do this with LDIF, you actually have to use the underlying syntax for adding a foreign security principal which is <SID=S-1-5-xxx> where the SID is the SID of the actual user or group.  I think in LDIF that also needs to be base64 encoded because <> are escapes.  Not sure on that part.  Easier to do in another tool.  :)

    Also, make sure you really want to use the ASPNET account.  That account is only used by ASP.NET apps on Win2K IIS5, so I'd be surprised if you really need that.  On IIS 6 on up, it is the app pool identity (network service) that matters.  For network service, that account accesses remote resources as the AD computer account.

    I usually solve this type of problem by adding the Windows built in Authenticated Users group (<SID=S-1-5-11>) as reader. MUCH easier to deal with although it does allow any domain user or local user on the ADAM server to do LDAP queries.

  •  06-24-2009, 5:16 PM 6733 in reply to 6732

    Re: Directory service error has occurred

    Thanks for the immediate reply, Joe. I am using ADSIEdit to add this.

    For Windows XP I had the aspnet account in ADAM and AzMan as READER. I needed the aspnet account in ADAM Readers, so that I can create a WCF service to interact with ADAM and AzMan for authorization. Are these access rights required in Windows Server 2003? What does an application require for accessing ADAM and AzMan on a remote server? If you know, please share with me.

    FYI. I tried WCF, ADAM and AzMan on my local Windows XP machine. I needed the aspnet account in ADAM and AzMan as Readers. It is working successfully. Now I am trying to move it to my dev server, which is a Windows Server 2003 with its own ADAM and AzMan. I am trying to point it to them and give access rights.

    Also, I came across this link:
    http://www.1-script.com/forums/Permission-issue-Accessing-AzMan-store-in-ADAM-from-ASP-NET-article6726--19.htm#6727

    Could you share the solution you proposed? I am not able to view it.
  •  06-24-2009, 9:17 PM 6734 in reply to 6733

    Re: Directory service error has occurred

    I was confused about the tool you were using since the syntax you showed was for LDIF and you didn't mention ADSI Edit as I recall.  No matter though.

    For XP, ASP.NET does still run as ASPNET.  However, that will likely make it difficult for ASP.NET to access ADAM on a remote server since ASPNET is a local machine account and would not be authenticated by a remote server, even if they were in the same domain.  This is one of the many good reasons to avoid using the IIS 5.1 version that comes with XP.  Working with app pools in IIS 6+ is much better.

    That may also be the reason ADAM ADSI Edit won't add the local machine ASPNET user since the SID would not come from a trusted system.  With ADAM local to the XP server, the trust model would exist since ADAM can authenticate users on the machine it is hosted on.

    Perhaps this is the root of the issue.  You could try changing ASP.NET to use a domain account instead so that the user you are trying to use could be authenticated on the remote 2003 server.

  •  06-25-2009, 3:40 PM 6745 in reply to 6734

    Re: Directory service error has occurred

    Joe,

    Thanks for your time. Let my local system be 'A' and the remote system be 'B'. I have ADAM, AzMan, the server app and the client app on both machines. The client app and service are working fine on 'A'. A is a Windows XP machine.

    Coming to B, B is a Windows Server machine. I want to run the client app (in B) which accesses the WCF service (in B). For the same situation on system A, I added A's ASPNET account as Reader in ADAM and AzMan and things worked out positively. For B, since it is Windows Server 2003:
    1) Do I need to add B's ASPNET account to ADAM and AzMan as Readers?
    2) I tried adding that through ADAM AdsiEdit and AzMan. AzMan allowed me, but ADAM is prompting the mentioned error.

    Am I clear? In general, what configuration do a Windows Server based ADAM and AzMan look for in an application pinging them?
  •  06-25-2009, 4:09 PM 6746 in reply to 6745

    Re: Directory service error has occurred

    B is a 2003 server which uses IIS 6.  IIS does not use the IIS 5/5.1 process model (which uses the ASPNET local machine account by default) but instead uses app pools.  Those use the Network Service account by default.  Thus, you would grant access to Network Service in ADAM to allow your ASP.NET app access to ADAM for the 2003 IIS case, not ASPNET.

    If IIS was running on one machine (say C) and ADAM was on a different machine (say D), then you don't grant access to the local machine network service account but instead grant access to the domain computer account of C in ADAM.

    Alternately, you can grant access to authenticated users as I suggested before.  Then, as long as authentication is possible, read access is granted.  This is what I usually do.

  •  06-25-2009, 7:40 PM 6748 in reply to 6746

    Re: Directory service error has occurred

    Thanks Joe. That was a good explanation. I also found the Network Service account today in my eventvwr log. I have ADAM, AzMan and IIS all running on machine B. So I think giving access to this Network Service account of machine B in the ADAM and AzMan of machine B should solve the issue.

    How would you grant access rights to the Network Service account in Windows 2003? I am able to grant reader access in ADAM for users and groups in ADAM, but not for the ASPNET or Network Service account. I am a local administrator on the dev server. That's where this error comes again and again. Is there any other way that I can grant access to the Network Service account?

    Forgot to add: I am able to add the same Network Service account in AzMan. I am able to see it in ADAM, but not able to add it in ADAM.
  •  06-26-2009, 1:22 PM 6752 in reply to 6748

    Re: Directory service error has occurred

    The SID for Network Service is well-known (S-1-5-20), so if you know that, you can use a tool like LDIF or ldp.exe.  Let's go the ldp route since I think it is the most useful tool for LDAP programmers to learn to use anyway.

    1. Start up ldp from the ADAM program directory in C:\windows\adam
    2. Connect to localhost or whatever the DNS name of the ADAM server is
    3. Bind as an administrator in ADAM (if current user is administrator, you can just bind as current user)
    4. Find the readers role group for the partition, first by doing View | Tree and finding the partition root where the important data is stored
    5. Navigate to the Roles container and find the CN=Readers object
    6. Right click on it and choose modify (you can also skip the tree thing if you know the DN of the group by simply typing it in from the Modify option on the menu)
    7. For attribute name, use "member"
    8. For value, use "<SID=S-1-5-20>"
    9. For modification type, use "add"
    10. Add the modification to the list and click the button to execute it

    If all went well, the mod will succeed and the membership for the group in LDP will show an object in the FSP container with the SID of Network Service.

    You can also use <SID=S-1-5-11> to use authenticated users instead.  You can also include both although Network Service will always have the authenticated users SID so you don't really need both.

    Hopefully this will all help.  It is from memory but it should be close enough.

    Learning to use LDP a little is good because you can see what's really going on at the LDAP data layer level and execute the actual LDAP operations directly.  ADSI puts it through a bit of a filter.  Sometimes it makes things easier but sometimes the filter makes it hard to know what's going on.  Usually, programmers want to know what's going on.
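    As an added example, not code from this thread or from the Directory Programming .NET site: a small Python helper that writes the LDIF modify record equivalent to steps 7 to 9 above (adding the foreign security principal value <SID=...> to the member attribute of a Readers role), applying the RFC 2849 rule that a value beginning with '<' must be base64 encoded with '::', and refusing anything that is not a SID string. The function and constant names and the well-known SID labels are my own assumptions; the Readers DN is the one from the first post.

    ```python
    import base64
    import re

    # Well-known SIDs named in the thread (labels are constructed for the comments).
    WELL_KNOWN_SIDS = {
        "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",     # the app pool identity on IIS 6
        "S-1-5-11": "NT AUTHORITY\\Authenticated Users",  # broader: any authenticated caller can read
    }
    SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


    def ldif_attrval(attr, value):
        """Render one 'attr: value' line following RFC 2849.

        A value that starts with '<', ':' or a space, ends with a space, or contains
        NUL/CR/LF or non-ASCII characters is not a SAFE-STRING and has to be written
        as 'attr:: <base64>'.  '<SID=...>' starts with '<', so it always takes that path;
        a plain value such as a DN or 'member' is emitted as-is.
        """
        unsafe_start = value[:1] in ("<", ":", " ")
        unsafe_end = value.endswith(" ")
        unsafe_char = any(c in "\0\r\n" or ord(c) > 126 for c in value)
        if unsafe_start or unsafe_end or unsafe_char:
            b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
            return f"{attr}:: {b64}"
        return f"{attr}: {value}"


    def fsp_member_ldif(group_dn, sid):
        """LDIF modify record adding the foreign security principal for `sid` to the
        group's member attribute.  ADAM resolves the <SID=...> form itself and creates
        the object under the ForeignSecurityPrincipals container, which is why a
        value like '(local system)\\ASPNET' is rejected here instead of sent."""
        if not SID_RE.match(sid):
            raise ValueError(f"not a Windows SID string: {sid!r}")
        return "\n".join([
            ldif_attrval("dn", group_dn),
            "changetype: modify",
            "add: member",
            ldif_attrval("member", f"<SID={sid}>"),
            "-",
            "",
        ])


    if __name__ == "__main__":
        print(fsp_member_ldif("CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com", "S-1-5-20"))
    ```

    The output can be fed to ldifde against the ADAM instance; swapping in S-1-5-11 produces the Authenticated Users grant that Joe describes, which is wider than a single service account.
    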

  •  06-26-2009, 5:19 PM 6759 in reply to 6752

    Re: Directory service error has occurred

    Joe,

    Thanks for everything. You made my day. I actually tried adding Network Service account and things worked out positively.

    I created a Domain Account then, and added it to the app pool identity. Then gave Reader access in ADAM and AzMan. My application worked like magic.

    This whole week was tense. Good that it worked today. Happy weekend.

    Thanks again..