I have a page to create new users in our active directory using VB.NET
I’m using the following code
Dim rootEntry As New DirectoryEntry
With rootEntry
.Path = "LDAP://" & strServer & "/" & strLDAP
.AuthenticationType = AuthenticationTypes.Secure
.Username = strServerUsername
.Password = strServerPassword
End With
Dim newUser As DirectoryEntry = rootEntry.Children.Add("CN=" & strCN, "user")
With newUser
.CommitChanges()
.Properties("userPrincipalName").Value = TextPN.Text
.Properties("sAMAccountName").Value = TextAlias.Text
.Properties("givenname").Value = TextGivenname.Text
.Properties("sn").Value = TextSurname.Text
……
.CommitChanges()
.Invoke("setPassword", New Object() {strDefaultPassword})
.CommitChanges()
.Properties("userAccountControl").Value = &H0001
.CommitChanges()
End With
This code worked fine in the past.
Now we’ve migrated our webserver to Windows Server 2008 R2 and IIS 7.5, and suddenly the code is not working anymore. (.net framework is 2.0 and cannot be changed)
The user is still created in our active directory, but the account is automatically disabled and the password is not set.
Investigating this issue shows that an exception is thrown at the line
.Invoke("setPassword", New Object() {strDefaultPassword})
Exception
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
The user account which is used to connect to the AD is still the same and had domain admin rights.
Since nothing has changed to the code, I think there must be another reason why this is not working anymore? Firewall settings, IIS configuration,..?
Any ideas??
I know there is a similar case here Trying to create a new Active Directory user, Invoke("SetPassword",pwd) throws "The RPC server is unavailable"
, but this doesn’t help me out.
Check TCP/UDP 445 port is opened on your firewall.
To connect to an AD server from outside a domain, you need the following ports to be opened :
. TCP/UDP 389 (LDAP)
. TCP 3268 (GC)
. TCP/UDP 445 (SMB over IP)
DirectoryEntry.Invoke() requires AuthenticationType.Secure. What this means is that it needs to be able to authenticate the request via Kerberos or NTLM.
It attempts to use LDAPS (TCP 636) first, then falls back to CiFS (TCP445) if/when it times out or fails because of a missing or invalid certificate. If neither of these ports are open, it will fail with an "RPC Server unavailable" exception.
Related
My webpages are on secured server (https), and I am trying to connect the SQL Server 2008 Database, which is normal server.
I am writing connectionstring on page itself, not in web.config file. And I am getting following error:-
System.Data.SqlClient.SqlException: Login failed.
The login is from an untrusted domain and cannot be used with Windows authentication.
Please help, how can I connect it, does I have to make some webservices for it.
my code is as below:
public void FillCity()
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "integrated security=SSPI;data source=dev-fcb; user id=sa;password=password;"
+"persist security info=False;database=mediapro";
con.Open();
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = new SqlCommand("select * from StateCityMaster where IsActive='1' order by CityName", con);
DataSet ds = new DataSet();
da.Fill(ds);
string CityName = string.Empty;
if (ds.Tables[0].Rows.Count > 0)
{
CityName = ds.Tables[0].Rows[0]["CityName"].ToString();
}
DataSet dset = new DataSet();
da.Fill(dset);
if (dset.Tables[0].Rows.Count > 0)
{
drpCity.DataSource = dset;
drpCity.DataTextField = "CityName";
drpCity.DataValueField = "CityName";
drpCity.DataBind();
}
drpCity.Items.Insert(0, new ListItem("--Select--", "0"));
con.Close();
}
Your connection string is telling it to use integrated security SSPI, which will use the Windows credentials.
Set Integrated Security to false if you are going to be providing the username and password.
Also, consider putting your connection string inside of the web.config file - it is more secure and reusable.
From http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=VS.100).aspx:
When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.
If User ID and Password are specified and Integrated Security is set to true, the User ID and Password will be ignored and Integrated Security will be used.
I created a new Asp.Net Core MVC site and I had this same error. I was attempting to connect to my company's database while connected to the network via VPN. Here's what worked for me:
Instead of
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=SSPI;Trusted_Connection=True;"
I used
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=False;Trusted_Connection=False;"
The key change was to make sure that Trusted_Connection=False, which is consistent with the error message. Generally I would not use an untrusted connection. In this case I was connecting to a dev/test database so it's fine.
For future googlers:
If you do need Integrated Security and are getting this error it might be you're using a local account instead of a domain account.
I came across this running Visual Studio locally and trying to connect to a database on another machine. A workaround was to run Visual Studio as a different user, the prompt didn't work but running the command below did (make sure to replace DOMAIN\USER and you will be asked to provide credentials):
runas /netonly /user:DOMAIN\USER "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe"
(This is for VS2019, your path may vary).
Old question, and my symptoms are slightly different, but same error. My connection string was correct (Integrated security, and I don't provide user and pwd) with data source set to 127.0.0.1. It worked fine for years.
But recently I added a line in the static host file for testing purposes (C:\Windows\System32\drivers\etc\hosts)
127.0.0.1 www.blablatestsite.com
Removing this line and the error is gone.
I got a clue from this article (https://support.microsoft.com/en-gb/kb/896861) which talks about hostnames and loopback.
Other possible fix (if you need to keep that line in the hosts file) is to use the hostname (like MYSERVER01) instead of 127.0.0.1 in the data source of the connection string.
I had this same issue while accessing this through work where we use Azure authentication - I'd changed my password through the Azure password reset service but this only pushed through after I manually updated the password on the schema settings in my RDBMS (in my case, DataGrip).
My website (I'll call it mydomain.com) is hosted on a dedicated server from 1&1 running Windows Server 2008 R2. For antivirus protection, it has AVG File Server Edition 2013. Windows Firewall is not enabled.
On that server I have installed SmarterMail and use it for all my email through a subdomain mail.mydomain.com. From my site, I send email and it's working fine.
Today I set up an account for email hosting with Rackspace and am trying to test it as a replacement for hosting on my own server. I'm testing with a different domain, myotherdomain.com. I have set up two user accounts in Rackspace as well as Outlook on my local system to send and receive email for this new domain, and it works fine in Outlook.
However, when I try to send email from my site, I get an error. Here is the VB.NET code I'm using in Page_Load of my test page:
Dim Msg As New MailMessage("orders#myotherdomain.com", "customer#yahoo.com")
With Msg
.Subject = "Email test"
.Body = "This is a test message."
.IsBodyHtml = True
End With
Dim Smtp As New SmtpClient
With Smtp
.UseDefaultCredentials = False
.Credentials = New NetworkCredential("orders#myotherdomain.com", strPassword)
.DeliveryMethod = SmtpDeliveryMethod.Network
.EnableSsl = True
.Host = "secure.emailsrvr.com"
.Port = 465
End With
Try
Smtp.Send(Msg)
lblMessage.Text = "Success!"
Catch SmtpEx As SmtpException
lblMessage.Text = "SMTP exception: " & SmtpEx.Message
If SmtpEx.InnerException IsNot Nothing Then lblMessage.Text &= " (InnerException: " & SmtpEx.InnerException.Message & ")"
Catch GeneralEx As Exception
lblMessage.Text = "General exception: " & GeneralEx.Message
End Try
I can log in to the Rackspace email portal with orders#myotherdomain.com and the value of strPassword.
The SMTP error message I get from attempting to send email from my site is: Failure sending mail. (InnerException: Unable to read data from the transport connection: net_io_connectionclosed.)
In my 1&1 Control Panel, I have configured the DNS settings for myotherdomain.com for an IP address that isn't used anywhere else, and I've defined the reverse mapping for that IP address to myotherdomain.com. I have also specified that it uses another mail server and have defined the mx0 and mx1 server names, as specified by Rackspace.
Can someone please help with ideas as to why email is not working from my site when it's the domain that is hosted on Rackspace? Thanks!
I've just come across the same issue using Rackspace SMTP. The problem is that the .net SmtpClient doesn't support Implicit SSL, which is what is provided on port 465 on that SMTP server. I switched to using port 587 and it worked correctly.
See http://blogs.msdn.com/b/webdav_101/archive/2008/06/02/system-net-mail-with-ssl-to-authenticate-against-port-465.aspx
We have a VB.NET application that uses LDAP to authenticate users through Active Directory.
Never had an issue before but this afternoon my co-worker applied Windows Updates and restarted our domain controller (and AD server) and now whenever anyone tries to login and use the application they get the following error:
Error Number: -2147016646
Error Descr: The server is not operational.
Using the following code to authenticate:
Dim adEntry As New System.DirectoryServices.DirectoryEntry("LDAP://" & gsDomainName, sUserName, sPassword)
Dim adSearcher As New System.DirectoryServices.DirectorySearcher(adEntry)
adSearcher.SearchScope = DirectoryServices.SearchScope.OneLevel
Try
Dim adResults As System.DirectoryServices.SearchResult = adSearcher.FindOne
...
It fails on the adSearcher.FindOne piece of code.
The immediate window gives more detailed error information
A first chance exception of type 'System.Runtime.InteropServices.COMException' occurred in System.DirectoryServices.dll
Anyone have any ideas?
Things I've tried:
Flushing the DNS on the domain controller
Restarting the DHCP server
Restarting DNS services.
Thanks!
My webpages are on secured server (https), and I am trying to connect the SQL Server 2008 Database, which is normal server.
I am writing connectionstring on page itself, not in web.config file. And I am getting following error:-
System.Data.SqlClient.SqlException: Login failed.
The login is from an untrusted domain and cannot be used with Windows authentication.
Please help, how can I connect it, does I have to make some webservices for it.
my code is as below:
public void FillCity()
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "integrated security=SSPI;data source=dev-fcb; user id=sa;password=password;"
+"persist security info=False;database=mediapro";
con.Open();
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = new SqlCommand("select * from StateCityMaster where IsActive='1' order by CityName", con);
DataSet ds = new DataSet();
da.Fill(ds);
string CityName = string.Empty;
if (ds.Tables[0].Rows.Count > 0)
{
CityName = ds.Tables[0].Rows[0]["CityName"].ToString();
}
DataSet dset = new DataSet();
da.Fill(dset);
if (dset.Tables[0].Rows.Count > 0)
{
drpCity.DataSource = dset;
drpCity.DataTextField = "CityName";
drpCity.DataValueField = "CityName";
drpCity.DataBind();
}
drpCity.Items.Insert(0, new ListItem("--Select--", "0"));
con.Close();
}
Your connection string is telling it to use integrated security SSPI, which will use the Windows credentials.
Set Integrated Security to false if you are going to be providing the username and password.
Also, consider putting your connection string inside of the web.config file - it is more secure and reusable.
From http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=VS.100).aspx:
When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication.
Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.
If User ID and Password are specified and Integrated Security is set to true, the User ID and Password will be ignored and Integrated Security will be used.
I created a new Asp.Net Core MVC site and I had this same error. I was attempting to connect to my company's database while connected to the network via VPN. Here's what worked for me:
Instead of
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=SSPI;Trusted_Connection=True;"
I used
"DevConnection": "Server=DevDBServer;Database=MyDatabase;User ID=some_userid;Password=some_password;Integrated Security=False;Trusted_Connection=False;"
The key change was to make sure that Trusted_Connection=False, which is consistent with the error message. Generally I would not use an untrusted connection. In this case I was connecting to a dev/test database so it's fine.
For future googlers:
If you do need Integrated Security and are getting this error it might be you're using a local account instead of a domain account.
I came across this running Visual Studio locally and trying to connect to a database on another machine. A workaround was to run Visual Studio as a different user, the prompt didn't work but running the command below did (make sure to replace DOMAIN\USER and you will be asked to provide credentials):
runas /netonly /user:DOMAIN\USER "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe"
(This is for VS2019, your path may vary).
Old question, and my symptoms are slightly different, but same error. My connection string was correct (Integrated security, and I don't provide user and pwd) with data source set to 127.0.0.1. It worked fine for years.
But recently I added a line in the static host file for testing purposes (C:\Windows\System32\drivers\etc\hosts)
127.0.0.1 www.blablatestsite.com
Removing this line and the error is gone.
I got a clue from this article (https://support.microsoft.com/en-gb/kb/896861) which talks about hostnames and loopback.
Other possible fix (if you need to keep that line in the hosts file) is to use the hostname (like MYSERVER01) instead of 127.0.0.1 in the data source of the connection string.
I had this same issue while accessing this through work where we use Azure authentication - I'd changed my password through the Azure password reset service but this only pushed through after I manually updated the password on the schema settings in my RDBMS (in my case, DataGrip).
I'm trying to make a post, from an asp classic server side page, using the user credentials...
I'm using msxml2.ServerXMLHTTP to programatically make the post
I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account...
I made a little asp page that runs whoami to verify what account the iis process i using...
with IIS 5.1, using integrated security the process uses:
my_machine\IWAM_my_machine
I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?)
to test the user I do the following
private function whoami()
dim shell, cmd
set shell = createObject("wscript.shell")
set cmd = shell.exec( server.mapPath( "whoami.exe" ) )
whoami = cmd.stdOut.readAll()
set shell = nothing: set cmd = nothing
end function
is it because I'm issuing a shell command?
I'd like to make http post calls, to another site that works with integrated security...
So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to thrust that account...
I thought that just setting the site to work with integrated security would be enough...
How can I achieve such a thing?
ps: with IIS6,happens the same
but if I change the pool canfiguration I get the following info from whoami
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
if I set a domain account, I get a "service unavailable" message...
edit: found this
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true
it says what I supossed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow I doesn't seem to work like that... what could I possibly be missing?
edit:
well the whoami thing is obviously fooling me, I tried with the following function
private function whoami_db( serverName, dbName )
dim conn, data
set conn = server.createObject("adodb.connection")
conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
"Initial Catalog=" & dbName & ";Data Source=" & serverName
set data = conn.execute( "select suser_sname() as user_name" )
whoami_db = data("user_name")
data.close: conn.close
set data = nothing: set conn = nothing
end function
and everything seemed to be working fine...
but how can I make msxml2.ServerXMLHTTP work with the user credentials???
You are correct whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS6 it would the w3wp.exe work process and typically runs as NT AUTHORITY\Network Service.
However a thread processing a HTTP request will impersonate a different security token. With integrated security as you have discovered this would the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used, this is typically <MACHINE>\IUSR_<machine>.
As to your specific problem with ServerXMLHTTP this goes back to the underlying component WinHTTP. This by default will only send the current users credentials if the server being accessed is the proxy bypass list. Even then it possible to the ServerXMLHTTP configures it to never send the user credentials, I've not test that scenario myself.
Unfortunately ServerXMLHTTP provides very limited access to the configuration details on WinHTTP. However if this is a show stopper then you could always use the WinHTTP component directly yourself:-
Dim oWinHTTP
Dim oDOM
Const AutoLogonPolicy_Always = 0
Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always
oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
oWinHTTP.Send
If oWinHTTP.Status = 200 Then
Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
oDOM.async = false
oDOM.Load oWinHTTP.ResponseStream
End If
Set oWinHTTP = Nothing
That should work for http, for https it gets real messy.