-
Jul 23rd, 2003, 03:08 PM
#1
Thread Starter
Lively Member
app works on local host, BUT NOT on the server... why?
I have finished testing my first asp.net application and I am now trying to deploy it to the server so our users can access the system.
Some of the code accesses active directory and these seem to be the areas that error out when I test the application on the server. Everything works fine on my local machine when I debug and test.
The first place the system errors/does nothing is the main menu screen. If the user is not part of the designated group a link button is hidden.
Here is the code:
Code:
Imports System.Data.SqlClient
Imports ActiveDs
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    Dim Cnn As New SqlConnection([connection string])
    Dim cmdName As New SqlCommand()
    Dim rdrName As SqlDataReader
    Dim ADuser As IADsUser
    Dim ADGrp As IADsGroup
    Try
        If Not IsPostBack Then
            With cmdName
                .CommandType = CommandType.StoredProcedure
                .CommandText = "sp_FullName_s"
                .Parameters.Clear()
                .Parameters.Add("@Name", SqlDbType.Char, 8).Value = Right(Trim(User.Identity.Name), Len(User.Identity.Name) - InStr(User.Identity.Name, "\"))
                .CommandTimeout = 99
                .Connection = Cnn
            End With
            Cnn.Open()
            rdrName = cmdName.ExecuteReader
            While rdrName.Read
                Response.Write(Trim(rdrName("DisplayName")) & " is currently logged into the Dub Request System.")
                ADuser = GetObject(CStr(Trim(rdrName("ADsPath"))))
                For Each ADGrp In ADuser.Groups
                    If Trim(ADGrp.Name) = "CN=Dub Manager" And ADuser.AccountDisabled = False Then
                        lnkDelegate.Visible = True
                        Exit For
                    Else
                        lnkDelegate.Visible = False
                    End If
                Next
            End While
            rdrName.Close()
            Cnn.Close()
        End If
    Catch
        Response.Redirect("errmsg.aspx?err=100")
    Finally
        Cnn.Dispose()
        cmdName.Dispose()
        Cnn = Nothing
        cmdName = Nothing
    End Try
End Sub
End Class
When I log in the user's name is displayed correctly, but the logic to determine whether the button should be visible or not is ignored. The user I am testing with is not part of the group that should allow it to be visible.
The second place I experience this error is when I populate a check box list with users from a group in active directory:
Code:
Imports System.Data.SqlClient
Imports ActiveDs
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    Dim Cnn As New SqlConnection([connection string])
    Dim cmdEmail As New SqlCommand()
    Dim rdrEmail As SqlDataReader
    Dim ADGrp As IADsGroup
    Dim ADUsr As IADsUser
    Dim Emails As New ArrayList()
    WOID = CInt(Trim(Request.QueryString("ID")))
    If Not IsPostBack Then
        Try
            ADGrp = GetObject("LDAP://W2KRoot/CN=All Staff,CN=Users,DC=CORP,DC=WITF,DC=ORG")
            For Each ADUsr In ADGrp.Members
                If ADUsr.AccountDisabled = False Then
                    Emails.Add(ADUsr.FullName)
                End If
            Next
            Emails.Sort()
            cblEmail.DataSource = Emails
            cblEmail.DataBind()
            With cmdEmail
                .CommandType = CommandType.StoredProcedure
                .CommandText = "sp_EmailTo_s"
                .Parameters.Clear()
                .Parameters.Add("@WO", SqlDbType.Int).Value = WOID
                .CommandTimeout = 99
                .Connection = Cnn
            End With
            Cnn.Open()
            rdrEmail = cmdEmail.ExecuteReader
            While rdrEmail.Read
                Try
                    cblEmail.Items.Item(cblEmail.Items.IndexOf(cblEmail.Items.FindByValue(rdrEmail.Item("DisplayName")))).Selected = True
                Catch
                End Try
            End While
            rdrEmail.Close()
            Cnn.Close()
        Catch
            Response.Redirect("ErrMsg.aspx?Err=110")
        Finally
            Cnn.Dispose()
            cmdEmail.Dispose()
            Cnn = Nothing
            cmdEmail = Nothing
        End Try
    End If
End Sub
When testing I commented out the try/catch statement and got this error.
Code:
Server Error in '/DubRequest_Test' Application.
--------------------------------------------------------------------------------
Exception from HRESULT: 0x8000500C.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x8000500C.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[COMException (0x8000500c): Exception from HRESULT: 0x8000500C.]
ActiveDs.IADsUser.get_AccountDisabled() +0
DubRequest.EmailListing.Page_Load(Object sender, EventArgs e) +310
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +29
System.Web.UI.Page.ProcessRequestMain() +724
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.0.3705.288; ASP.NET Version:1.0.3705.288
Any ideas what's going on? I think it has something to do with the C:/Windows/System32/activeds.tlb file.
Any help would be greatly appreciated.
Jason Meckley
Database Analyst
WITF
-
Jul 31st, 2003, 08:19 AM
#2
Lively Member
Maybe a small idea... Couldn't it be the security context that your asp.net user runs under in machine.config (on the server)?
Have you checked this out? 'Cause normally it runs under (local) system or machine, but I think you'll need to let it run under a known user/password in your domain to access LDAP.
HTH
Bjorn
-
Jul 31st, 2003, 08:40 AM
#3
Thread Starter
Lively Member
Thank you for the lead. I have never touched the machine.config file and I am not too familiar with what it does, or how it works.
In my continued struggle to get this app deployed I have narrowed down the cause (I think).
I am currently getting the following error message when I attempt to access the default form, which has code to query Active Directory. (Same problem, new error. It has something to do with querying Active Directory and moving the app to another server.)
Code:
Handling of this ADSVALUE type is not yet implemented (type = 0xb).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NotImplementedException: Handling of this ADSVALUE type is not yet implemented (type = 0xb).
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NotImplementedException: Handling of this ADSVALUE type is not yet implemented (type = 0xb).]
System.DirectoryServices.ResultPropertyValueCollection.get_Item(Int32 index) +111
DubRequest.WebForm1.Page_Load(Object sender, EventArgs e) +420
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +731
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
I have also rewritten how I query AD. I am now using the DirectoryServices namespace instead of the ActiveDs COM object.
This is my new code for the main menu form:
Code:
Dim DirEntry As New DirectoryEntry("LDAP://...")
Dim DirSearch As New DirectorySearcher(DirEntry)
Dim Result As SearchResult
Dim X As Integer
lnkDelegate.Visible = False
DirSearch.Filter = ("(sAMAccountName=" & Right(Trim(User.Identity.Name), Len(User.Identity.Name) - InStr(User.Identity.Name, "\")) & ")")
DirSearch.PropertiesToLoad.Add("DisplayName")
DirSearch.PropertiesToLoad.Add("memberof")
Result = DirSearch.FindOne
Response.Write(Result.Properties("DisplayName").Item(X) & " is currently logged into the Dub Request System.")
For X = 0 To Result.Properties("memberof").Count - 1
    If Result.Properties("memberof").Item(X) Like "*Dub Manager*" Then
        lnkDelegate.Visible = True
        Exit For
    End If
Next X
I have come across some postings that state I need a "Fully Trusted", "Strong Named" assembly on the server where this application would reside. I tried using the .Net Framework Wizard in Administrative Tools to set the trust permission to Full, but that didn't work. I have tested that this application runs fine on my computer, but does not run on the server. Other users have used my machine as the server and it worked without any errors.
Jason Meckley
Database Analyst
WITF
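The rewritten check in the post above builds the search filter by concatenation and shows the link for any `memberof` value that matches `*Dub Manager*`, so a group whose name merely contains that text also passes. The following is an added example, not part of the original post: it escapes the filter value per RFC 4515 and compares `memberof` against one exact group DN. The module and function names, the DNs and the account name are constructed for illustration, and `StringComparison` assumes .NET Framework 2.0 or later.

```vb
Imports System
Imports System.Text

Module GroupCheckExample
    ' Escape a value for use inside an LDAP search filter (RFC 4515),
    ' so characters such as * ( ) \ cannot change the filter's meaning.
    Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' "DOMAIN\user" -> "user"; a name without a domain prefix is returned as-is.
    Function SamAccountName(ByVal identityName As String) As String
        Dim name As String = identityName.Trim()
        Return name.Substring(name.LastIndexOf("\"c) + 1)
    End Function

    ' True only if one memberOf value equals the expected group DN exactly
    ' (case-insensitive), rather than merely containing the group's name.
    Function IsMemberOf(ByVal memberOf As String(), ByVal groupDn As String) As Boolean
        For Each dn As String In memberOf
            If String.Equals(dn, groupDn, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function

    Sub Main()
        ' Constructed sample data; these DNs and the account are placeholders.
        Dim target As String = "CN=Dub Manager,CN=Users,DC=example,DC=com"
        Dim groups As String() = {"CN=Former Dub Manager Interns,CN=Users,DC=example,DC=com"}
        Dim filter As String = "(sAMAccountName=" & EscapeLdapFilterValue(SamAccountName("CORP\jdoe")) & ")"

        Console.WriteLine(filter)
        ' Substring test as used in the post.
        Console.WriteLine(groups(0) Like "*Dub Manager*")
        ' Exact-DN test on the same data.
        Console.WriteLine(IsMemberOf(groups, target))
    End Sub
End Module
```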
-
Jul 31st, 2003, 08:49 AM
#4
Lively Member
I still think it's a problem with the security context asp.net runs under ....
Maybe you can try the following :
on the server, you go to c:\winnt\Microsoft.NET\Framework\v1.1.4322\CONFIG
There you open the machine.config file.. go to the processmodel section (do it with a find). There you'll probably see the following :
userName="System"
password="Autogenerate"
Right now, you can try to type in the following :
domain\username and your password (just to test it)
If it works right now, then you know that it's a security problem. Just try it
Bjorn
-
Jul 31st, 2003, 08:54 AM
#5
Thread Starter
Lively Member
Does the machine.config file affect all applications on the server, or only this specific app?
We also have the IBuySpy portal on this server and I wouldn't want to unexpectedly break that.
Jason Meckley
Database Analyst
WITF
-
Jul 31st, 2003, 08:57 AM
#6
Lively Member
The machine.config file is indeed the 'driver' of asp.net.
You could indeed be in trouble. The advantage of this file is that when you save it, you don't need to restart IIS or anything. It's just compiled at run time. So you won't have many problems if you replace it quickly. If you fill in a user with administrator privileges then you (normally) won't have trouble.
Bjorn
Shouldn't we better chat directly? lol
-
Jul 31st, 2003, 09:17 AM
#7
Thread Starter
Lively Member
The username and password in the machine.config file were
username="machine"
password="autogenerate"
I changed them to our administrator's username and password but that didn't fix anything. I got the same error message as I did before.
Jason Meckley
Database Analyst
WITF
-
Jul 31st, 2003, 09:25 AM
#8
Lively Member
And what happens if you make a type-o in the username or password?
-
Jul 31st, 2003, 09:35 AM
#9
Thread Starter
Lively Member
What do you mean by a "type-o"? I am not familiar with this.
Jason Meckley
Database Analyst
WITF
-
Jul 31st, 2003, 09:40 AM
#10
Lively Member
Sorry,
I meant: if username = administrator, that you type administrato (without the r).
-
Jul 31st, 2003, 10:03 AM
#11
Thread Starter
Lively Member
I didn't quite follow that, but here is what I have tried in the machine.config file with usernames and passwords.
username="domain/myusername"
password="mypassword"
username="domain/admin account"
password="admin password"
username="administrato"
password="admin password"
None of these have worked. I have searched the VS.Net help files, but haven't found anything on the machine.config file.
Jason Meckley
Database Analyst
WITF
-
Jul 31st, 2003, 12:24 PM
#12
Thread Starter
Lively Member
I found the following article in the VS.Net Help
--------------------------------------------------------------
ASP.NET Configuration
The ASP.NET configuration system features an extensible infrastructure that enables you to define configuration settings at the time your ASP.NET applications are first deployed so that you can add or revise configuration settings at any time with minimal impact on operational Web applications and servers.
The ASP.NET configuration system provides the following benefits:
1. Configuration information is stored in XML-based text files. You can use any standard text editor or XML parser to create and edit ASP.NET configuration files.
2. Multiple configuration files, all named Web.config, can appear in multiple directories on an ASP.NET Web application server. Each Web.config file applies configuration settings to its own directory and all child directories below it. Configuration files in child directories can supply configuration information in addition to that inherited from parent directories, and the child directory configuration settings can override or modify settings defined in parent directories. The root configuration file named C:\WINNT\Microsoft.NET\Framework\ version\CONFIG\Machine.config provides ASP.NET configuration settings for the entire Web server.
3. At run time, ASP.NET uses the configuration information provided by the Web.config files in a hierarchical virtual directory structure to compute a collection of configuration settings for each unique URL resource. The resulting configuration settings are then cached for all subsequent requests to a resource. Note that inheritance is defined by the incoming request path (the URL), not the file system paths to the resources on disk (the physical paths).
4. ASP.NET detects changes to configuration files and automatically applies new configuration settings to Web resources affected by the changes. The server does not have to be rebooted for the changes to take effect. Hierarchical configuration settings are automatically recalculated and recached whenever a configuration file in the hierarchy is changed. The <processModel> section is an exception.
5. The ASP.NET configuration system is extensible. You can define new configuration parameters and write configuration section handlers to process them.
6. ASP.NET protects configuration files from outside access by configuring Internet Information Services (IIS) to prevent direct browser access to configuration files. HTTP access error 403 (forbidden) is returned to any browser attempting to request a configuration file directly.
-------------------------------------------------------------------------------
Would this mean that it would require a reboot of the server to have these changes take effect?
Jason Meckley
Database Analyst
WITF
-
Aug 1st, 2003, 01:55 AM
#13
Lively Member
Hello,
Indeed, this seems to be an exception. I didn't know about that. You can restart IIS easily from your workstation through the command prompt:
iisreset servername
Then IIS will restart. But anyway, I think we're heading in the right direction with the security. I'm not saying it IS security, but I'm suspicious about it.
Here are some good documents about asp.net and security :
http://msdn.microsoft.com/library/de...cnetlpmsdn.asp
Bjorn
-
Aug 1st, 2003, 09:58 AM
#14
Thread Starter
Lively Member
I found these articles this morning explaining directory services and security. This seems to be a problem for other people as well.
http://support.microsoft.com/default...b;en-us;329986
http://support.microsoft.com/default...b;en-us;317012
http://groups.google.com/groups?hl=e...com%26rnum%3D6
Here is how our security is set up.
IIS:
Integrated Windows Authentication
Allow Anonymous Access : Username IUSR_[ServerName] Password: [Auto Generate]
Web.Config:
authentication mode="Windows"
identity impersonate="true"
authorization deny users="?"
Thank you for all your assistance thus far.
Jason Meckley
Database Analyst
WITF
-
Aug 1st, 2003, 11:31 AM
#15
Lively Member
Indeed, the 'double-hop' occurs a lot. I also ran into it when I installed IIS and SQL Server on two separate machines. The easiest thing was to install them on the same machine.
I would really suggest reading the articles I sent. (You need to look at the links to the chapters on the page.)
I also learnt a lot about implementing and understanding security with multiple servers and so on.
I really hope I helped you a lot!
Bjorn
-
Aug 4th, 2003, 08:43 AM
#16
Thread Starter
Lively Member
Borry
Thank you for all your assistance with this problem. The article posted above helped us identify the problem.
Our IIS and SQL Server are on the same box, but Active Directory is located on a different machine. We needed to set up delegation between the different boxes AND we needed to change the user accounts involved with security between the boxes.
Our machine.config file was using a local username and password. We needed to create a domain user and modify the .NET Framework and IIS to use the domain user instead of the local user.
I am still working out some kinks with users who do not have administrative access, but this is minor compared to the last hurdle. Again, thank you for your assistance.
Jason Meckley
Database Analyst
WITF
-
Aug 4th, 2003, 08:51 AM
#17
Lively Member
Originally posted by jmeckley
Borry
Thank you for all your assistance with this problem. The article posted above helped us identify the problem.
You're welcome