general access denied error

  • Question

  • User-517928126 posted

     I am writing a service to add and remove users from a security group that will grant WLAN access.  I am running the code on a Win2003 server with Active Directory, IAS and IIS.  The code works fine on my local PC (XP, inside Visual Studio).  I am explicitly passing in a user/pwd for AD (in my case, I am passing in the local "Administrator" account, which I am able to create and remove users with outside of the code with no issue).  I am able to do other AD functions like list users and groups, but if I try to add or remove, I get a one-line error: general access denied error.  I know that the AD object is getting the user/pwd because if I set it to an invalid user, or an incorrect pwd, the error is: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E).  It is only when I pass it the correct user and pwd that I get the general access denied error (which leads me to believe it's a lower-level permission problem).  I have also tried adding the IUSR to the administrator group, which failed with the same error.  I also tried turning off anonymous access and using integrated Windows authentication (to which I provide the Administrator user and pwd), and I also get the same error.  Not sure where to go from here.  Stupid question, but once I install AD, does it somehow override the local SAM database or something?  Also, what is the diff between using WinNT:// and LDAP://? Is it just a different protocol being used to access the same place? Thanks - code below...

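    // Requires: System, System.DirectoryServices, System.Web.Services,
    // System.Web.Services.Protocols.
    // AdUser and AdPassword are presumably fields of the service class (not shown in the post).
    [WebMethod]
    public string RemoveUser(string userName)
    {
        using (DirectoryEntry objAD = new DirectoryEntry())
        {
            try
            {
                // Bind to the local machine through the WinNT provider with explicit credentials.
                objAD.Path = "WinNT://" + Environment.MachineName;
                objAD.Username = AdUser;
                objAD.Password = AdPassword;

                // Find() returns the entry to delete; dispose it once it has been removed.
                using (DirectoryEntry objUser = objAD.Children.Find(userName))
                {
                    objAD.Children.Remove(objUser);
                }
            }
            catch (Exception e)
            {
                // Pass the directory error message back to the SOAP client.
                SoapException se = new SoapException(e.Message, SoapException.ClientFaultCode, Context.Request.Url.AbsoluteUri);
                throw se;
            }

            return "Success";
        }
    }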


     

    Tuesday, July 14, 2009 12:24 PM

Answers

  • User-517928126 posted

     As per the read me first post http://forums.asp.net/t/897609.aspx (which I guess I should have), I tried adding the security type objAD.AuthenticationType = AuthenticationTypes.Secure, which did not seem to fix the issue.  However, when I added <identity impersonate="true" userName="xx" password="xx"/> to the web.config, it worked great.  My guess is that the user and password I was passing to the AD object was actually working, but it was only giving me permission to access the directory - it was not giving me permission to "use" the AD application - does that make sense?  I am still puzzled, however, why adding the IUSR and IWAM to the administrator group did not work.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, July 15, 2009 9:45 AM
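
Added example, not code from either post: the group-membership change the question describes, done through the LDAP:// provider with explicit credentials and AuthenticationTypes.Secure, with the caller-supplied account name escaped before it is placed in the search filter. The class, method and parameter names are hypothetical, and it assumes a dedicated service account that has been delegated write access to that one group's member attribute rather than Administrator.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

public static class WlanGroupMembership
{
    // Escape the RFC 4515 special characters so a caller-supplied account
    // name cannot change the meaning of the LDAP search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // add: true = put the user in the group, false = take the user out.
    // Every parameter is a hypothetical setting (assumption, not from the thread).
    public static void SetMembership(string server, string baseDn, string groupDn,
        string svcUser, string svcPassword, string samAccountName, bool add)
    {
        const AuthenticationTypes auth = AuthenticationTypes.Secure;
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (var root = new DirectoryEntry("LDAP://" + server + "/" + baseDn, svcUser, svcPassword, auth))
        using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new ArgumentException("No such user.");
            string userDn = (string)hit.Properties["distinguishedName"][0];
            using (var group = new DirectoryEntry("LDAP://" + server + "/" + groupDn, svcUser, svcPassword, auth))
            {
                PropertyValueCollection members = group.Properties["member"];
                bool isMember = members.Contains(userDn);
                if (add == isMember) return;   // already in the requested state
                if (add) members.Add(userDn); else members.Remove(userDn);
                group.CommitChanges();         // write the change to the directory
            }
        }
    }
}
```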