Kerberos, ADSI, ASP .NET and the error of TYPE value

Post by Pier » Wed, 02 Jul 2003 01:09:25



Hi,

Like a lot of people, I've got problems retrieving certain
properties (e.g. sAMAccountName, department...) of AD using ASP .NET
and DirectoryServices.

"I think" (but I could be wrong and I hope you will tell me) that the
problem comes from the schema cache of AD and, in my case, Kerberos
authentication.

The error messages are:
'Handling of this ADSVALUE type is not yet implemented (type = 0xb).'
or
'The Active Directory datatype cannot be converted to/from a native DS
datatype'

depending on whether you are using DirectorySearcher or DirectoryEntry.

All my code is correct: example using DirectoryEntry

using System.DirectoryServices;

string sn;
string samaccountname;
string path;
string dn;
DirectoryEntry oDE;
path = "LDAP://<server path>";
dn = "<distinguished name of a user>";
// null username/password: bind as the identity the ASP .NET thread is
// currently running under (the impersonated browser user)
oDE = new DirectoryEntry(path + "/" + dn,
        null,
        null,
        AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
sn = oDE.Properties["sn"][0].ToString();
try
{
        samaccountname = oDE.Properties["sAMAccountName"][0].ToString();
}
catch (Exception exc)
{
        // this is where the ADSVALUE / datatype error shows up
        samaccountname = exc.Message;
}

Response.Write("<br>dn :" + dn);
Response.Write("<br>sn :" + sn);
Response.Write("<br>samaccountname :" + samaccountname);

THE PROBLEM:
I am using two client computers, Windows 2000 SP3 with IE 6 SP1.
One (A) has the Internet option "Enable Integrated Windows
Authentication" selected;
on the other (B) it is not selected.

SO, the scenario is:
I reset IIS
I open the page with A ==> it works
I open with B ==> it works as well

I reset IIS
I open with B ==> it doesn't work
I open with A ==> it doesn't work either

The scenario is exactly the same if for B we use an NT4 client
(which doesn't do Kerberos).

So there may be something with the first token used to query the
Active Directory, but could you explain that to me please?

Thank you for your response
Pierre

 
 
 

Kerberos, ADSI, ASP .NET and the error of TYPE value

Post by MVP - ADS » Wed, 02 Jul 2003 02:47:56


This definitely sounds like the standard issues that people have with S.DS
code in ASP.NET.  MS has written a good article here on resolving these
issues:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

It looks to me like you are using impersonation and Kerberos delegation with
Windows authentication in order to bind to the AD as the current logged on
user.  There are a bunch of things that can go wrong with this as explained
above.  The error you are receiving is indicative that the schema is not
being read and cached correctly, probably because you are doing an anonymous
bind to the directory at some point which is preventing the aggregate schema
from being downloaded.

If that doesn't resolve it, post more details with what you tried and we'll
see if we can help.

Joe K.




 
 
 

Kerberos, ADSI, ASP .NET and the error of TYPE value

Post by Pierr » Thu, 03 Jul 2003 00:32:54


Thank you for your response.

Yes, you're right, I saw this article yesterday and it seems to be THE
problem. We've got:
. EVERYONE added to the Pre-Windows 2000 Compatible Access built-in group
for compatible permissions with NT4
. an ASP .NET application which retrieves data from Active Directory
. Kerberos and non-Kerberos clients

The problem occurs when the first connection is launched by a non-Kerberos
client.

This article is very interesting :-)

So, for the moment, we've got four solutions but none of them gives entire
satisfaction:
1. using a special account "trusted for delegation" => but we lose the user
context for security
2. we modify the rights on the aggregate object and the registry keys for the
Pre-Windows 2000 Compatible Access built-in group => but security problem
3. using a web service to launch a connection periodically
(application_onstart, session_onstart) => but problem with the timeout of the
cache
4. we programmatically delete the cache from time to time thanks to a timer
in the application => a bit complicated, no?

Maybe you have a better solution (and it is welcome)

Thank you
Pierre




 
 
 

Kerberos, ADSI, ASP .NET and the error of TYPE value

Post by MVP - ADS » Fri, 04 Jul 2003 04:29:32


I'm not sure what I would do in your situation.  In my applications, I
generally always bind with specified credentials and that gets me around the
issue.  Our applications use Basic authentication/SSL in almost all cases
instead of Integrated Windows authentication, so it is very easy to recover
the plaintext username and password from the request headers and bind with
that information.

Perhaps you could use some kind of a hybrid approach where you use a special
account in AD to do most of your binds in the application, and then switch
to using the user's context only when performing operations that require
their permissions (such as updates).  Depending on what you are doing and
the rights involved, that may or may not work.

I'm not sure if there is a way to limit non-Kerberos clients from accessing
your application, so you may not be able to prevent credentials that can't
be delegated from being passed to your application.  Maybe something in the
System.Security.Principal.WindowsIdentity class reveals this, but I don't
know.

Good luck,

Joe K.

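An added example (C#, System.DirectoryServices on .NET 2.0 or later; not code from this thread or from the KB article) that puts two of the approaches discussed above into working form: option 3 from Pierre's list, priming the ADSI schema cache from Application_Start with an account that is allowed to read the subschema object, so the worker process's first bind is never the NULL-session bind that a non-Kerberos client's token produces; and Joe K.'s hybrid approach, reads through a dedicated service account and updates under the caller's context only when the caller's token can actually be delegated. Joe K. wondered whether WindowsIdentity exposes that: from .NET 2.0 on, WindowsIdentity.ImpersonationLevel does, which is what CallerCanBeDelegated checks. The DC host name, the service account credentials (passed in from protected configuration, never hard-coded) and the use of the department attribute for the update are assumptions. For reference, type 0xb (11) in the first error message is ADSTYPE_PROV_SPECIFIC in the ADSI type enumeration, the fallback ADSI reports for an attribute whose syntax it has no schema entry for, which is consistent with the schema cache never having been populated.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the thread. Assumes a low-privilege service
// account (user/password supplied by the caller) and a DC host name.
public static class DirectoryAccess
{
    // Secure = SSPI authentication (never anonymous), Sealing = encrypted LDAP
    // session, ServerBind = the path names one specific server.
    private const AuthenticationTypes ServiceBindFlags =
        AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    // Call once from Application_Start. Makes the first bind of the worker
    // process an authenticated one that can read the subschema object, so
    // ADSI builds its schema cache from a good bind instead of from a
    // NULL-session bind made on behalf of a non-Kerberos client.
    public static string PrimeSchemaCache(string server, string user, string password)
    {
        string schemaNc;
        using (DirectoryEntry rootDse = new DirectoryEntry(
            "LDAP://" + server + "/RootDSE", user, password, ServiceBindFlags))
        {
            schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
        }

        string aggregateDn = "CN=Aggregate," + schemaNc;
        using (DirectoryEntry aggregate = new DirectoryEntry(
            "LDAP://" + server + "/" + aggregateDn, user, password, ServiceBindFlags))
        {
            // Reading any attribute forces ADSI to fetch the subschema. An
            // access-denied here means the account cannot read the schema and
            // every later property read in this process would fail as well.
            if (aggregate.Properties["objectClass"].Count == 0)
                throw new InvalidOperationException("Could not read " + aggregateDn);
        }
        return aggregateDn;
    }

    // Hybrid approach, read side: reads use the service account and an explicit
    // attribute list; the browser user's token never touches the directory.
    public static string GetSamAccountName(string server, string user, string password, string userDn)
    {
        using (DirectoryEntry entry = new DirectoryEntry(
            "LDAP://" + server + "/" + userDn, user, password, ServiceBindFlags))
        using (DirectorySearcher searcher = new DirectorySearcher(
            entry, "(objectClass=user)", new string[] { "sAMAccountName" }, SearchScope.Base))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["sAMAccountName"].Count == 0)
                return null;
            return (string)result.Properties["sAMAccountName"][0];
        }
    }

    // Hybrid approach, write side. ImpersonationLevel is Delegation only when
    // Kerberos delegation is in effect for this request; an NTLM logon (client
    // B, or the NT4 client) yields Impersonation, and a bind to a remote DC
    // under such a token degrades to an anonymous bind.
    public static bool CallerCanBeDelegated(WindowsIdentity caller)
    {
        return caller != null
            && caller.IsAuthenticated
            && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Updates run under the caller's own context so the DC enforces that user's
    // permissions. If the token cannot be delegated, refuse rather than silently
    // retrying with the service account, which would turn a user's write into a
    // privileged one.
    public static void SetDepartmentAsCaller(string server, string userDn, string department, WindowsIdentity caller)
    {
        if (!CallerCanBeDelegated(caller))
            throw new UnauthorizedAccessException(
                "The caller's logon cannot be delegated to the directory; update refused.");

        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        using (DirectoryEntry entry = new DirectoryEntry(
            "LDAP://" + server + "/" + userDn, null, null, ServiceBindFlags))
        {
            entry.Properties["department"].Value = department;
            entry.CommitChanges();
        }
    }
}
```

PrimeSchemaCache belongs in Global.asax Application_Start (and can be re-run from a timer if the cache is found to expire, Pierre's option 4); GetSamAccountName is what the page in the first post would call instead of binding with null credentials; SetDepartmentAsCaller takes the WindowsIdentity from the current request's principal. Failing closed in the write path matters: falling back to the service account when delegation is unavailable would make the app's own privileges do what the user was not allowed to do.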

 
 
 

ASP and ADSI error: An unhandled data type was encountered

Hi!
I am using ADSI to connect to and retrieve data from LDAP.
When trying to display the retrieved data using
Response.Write I am getting the following error message:

Response object, ASP 0106 (0x80020005)
An unhandled data type was encountered.
/ldaptest/ldaptest.asp

Here is the source:

' Assumed setup, not shown in the original post: an ADO connection
' through the ADSI OLE DB provider (ADsDSOObject)
Set cnnLDAP = Server.CreateObject("ADODB.Connection")
cnnLDAP.Provider = "ADsDSOObject"
cnnLDAP.Open "Active Directory Provider"

' ADSI query string: <base>;(filter);attribute list;scope
strCommandText = "<LDAP://c=US/o=CDWeb/companyID=test>;" & _
                 "(objectClass=companyObjectClass);companyID,companyName;base"
Set rsLDAP = cnnLDAP.Execute(strCommandText)
If Not (rsLDAP.BOF And rsLDAP.EOF) Then
    Response.Write rsLDAP.Fields(0).Name     ' works
    Response.Write rsLDAP.Fields(0).Value    ' gives the error
End If

THANKS IN ADVANCE!
Julia
