asp create mailbox question

[Michael]

Hello,

I've created an ASP web page where users in our organization can create
Active Directory computer accounts.

The web page is running on a Server 2003 SP1 IIS 6 installation. The
Exchange System Manager is running on the web server and Exchange SP2 has
been installed. The IIS site is configured with Basic Authentication and
users are prompted to enter their Active Directory credentials when
connecting to the site.

The web page uses ADSI code to create a user, and then CDO code to create
the mailbox e.g.

set oOU=GetObject(<LDAP string for OU>)
set oUser=oOU.CreateUser("user",<CN for user>)
' set a bunch of attributes
' now create mailbox
set oMailbox=oUser
oMailbox.CreateMailbox <string representing MTA>

Now, when I connect to this site using my domain admin credentials, it
works. However, if a user connects to this site, after being prompted by
IIS' basic authentication for AD credentials, the user account is
successfully created in AD but upon reaching the "CreateMailbox" line, I get

Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method

Thinking that this was most likely a permissions issue, I took the .asp page
containing the code and converted it to a .vbs file. Then, I logged in as the
user account and used cscript to execute the .vbs file. Both the user account
and the mailbox were created succesfully.

I don't understand why the code runs under the context of a user account as
a vbs script, but doesn't run as an ASP page unless the user is a domain
admin. It's not permissions on AD or Exchange or the code wouldn't have run
as a vbs script. What is different about running it as an ASP page?

Thanks for any help you can provide me!

Michael Gibbons
Bellevue, WA

 

[Egbert Nierop \(MVP for IIS\)]

Hello,

I've created an ASP web page where users in our organization can create
Active Directory computer accounts.

The web page is running on a Server 2003 SP1 IIS 6 installation. The
Exchange System Manager is running on the web server and Exchange SP2 has
been installed. The IIS site is configured with Basic Authentication and
users are prompted to enter their Active Directory credentials when
connecting to the site.

The web page uses ADSI code to create a user, and then CDO code to create
the mailbox e.g.

set oOU=GetObject(<LDAP string for OU>)
set oUser=oOU.CreateUser("user",<CN for user>)
' set a bunch of attributes
' now create mailbox
set oMailbox=oUser
oMailbox.CreateMailbox <string representing MTA>

Now, when I connect to this site using my domain admin credentials, it
works. However, if a user connects to this site, after being prompted by
IIS' basic authentication for AD credentials, the user account is
successfully created in AD but upon reaching the "CreateMailbox" line, I
get

Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method

Thinking that this was most likely a permissions issue, I took the .asp
page
containing the code and converted it to a .vbs file. Then, I logged in as
the
user account and used cscript to execute the .vbs file. Both the user
account
and the mailbox were created succesfully.

I don't understand why the code runs under the context of a user account
as
a vbs script, but doesn't run as an ASP page unless the user is a domain
admin. It's not permissions on AD or Exchange or the code wouldn't have
run
as a vbs script. What is different about running it as an ASP page?

If you run it under IIS 6 the script is ran under the context of
NetworkService account, this is an account with very limited rights, for
instance, it is not allowed for this account, to utilize network resources.
Since Exchange is 'a network resource' the Network Service account is
'halted' as soon as you want to go over the borders of the Web Server!

It would be best to configure IIS, the application pool to run under an
account that has sufficient rights, or just to disable anonymous access.

 

[Michael]

I'm going to answer my own question, because I contacted MS-Premier for
support and got an answer.

The answer was, that although .vbs scripts can contain CDOEXM calls like
CreateMailbox, such a call in an ASP script is unsupported.

I was advised to create a COM+ object that included the create mailbox
functionality and call it from the ASP page.

Instead, what I will probably do is have two separate scripts, one which is
the existing ASP script that does everything but create the mailbox, and then
run a scheduled task on the web server that is a VBS script that looks for
accounts without mailboxes in a certain OU, creates the mailbox, and puts the
account in a "Finished Account" OU.

- Michael Gibbons

 

[Egbert Nierop \(MVP for IIS\)]

I'm going to answer my own question, because I contacted MS-Premier for
support and got an answer.

The answer was, that although .vbs scripts can contain CDOEXM calls like
CreateMailbox, such a call in an ASP script is unsupported.

I was advised to create a COM+ object that included the create mailbox
functionality and call it from the ASP page.

Instead, what I will probably do is have two separate scripts, one which
is
the existing ASP script that does everything but create the mailbox, and
then
run a scheduled task on the web server that is a VBS script that looks for
accounts without mailboxes in a certain OU, creates the mailbox, and puts
the
account in a "Finished Account" OU.

- Michael Gibbons

That's exactly the same reason, inside COM+, you can create a process that
impersonates 'someone' with sufficient rights to use CDOEXM.

In theory it can be done through ASP, but not on anonymous pages.

 

[Suman]

Heloo Mr. Egbert Nierop, Mr. Michael Gibbons,

I am relatively new to .NET. I am trying to create a user in AD and a
corresponding email account in the exchange server from an ASP.NET, C#
application.

-----------------------------
I have the exact same problem wherein I am able to create a user but am
unable to create a mailbox for the user. I "WAS" using exchange 2000.

The error that I was getting is a class cast exception when I try to do
this:

DirectoryEntry user1 = new DirectoryEntry(path, username, password);
IMailboxStore mailbox;
//exception caused in the next line
mailbox = (IMailboxStore)(user1.NativeObject);

Exception Details: System.InvalidCastException: Specified cast is not
valid.

I have read that CDOEXM does not work in asp.net. Most of the
discussions suggest using a COM object. I do not know how to deal with
COM objects or how they work. I dont know if the above error is well
before the execution needs the CDOEXM specific alteration or if its
just someother error.
-----------------------------

Anyways, now I am at a stage where, I have a seperate domain setup just
to test this application and that runs WIN 2003 and Exchange 2003 SP 2.


I want to not be able to do the same here on the new domain.
1) Create a user in AD and
2) Create a corresponding Mailbox through a asp.net, C# application.

I am able to do the first task. Could any of you provide some code for
creating an email account through an asp.net application and show how
the COM object would be implemented in C# and used from the asp.net
application.

OR
I still have access to the previous environment. If something strikes
you looking at the exception that I was getting in the previous domain
and that can be fixed to create email accounts in the Exchange 2000,
that should be fine too.

I would be really thankful to you for any help provided. I have been
trying to complete this project for a really long time now.

Thanks a lot in advance.
Suman

"I was advised to create a COM+ object that included the create mailbox

functionality and call it from the ASP page. "

 

[Mike Brind]

Heloo Mr. Egbert Nierop, Mr. Michael Gibbons,

I am relatively new to .NET. I am trying to create a user in AD and a
corresponding email account in the exchange server from an ASP.NET, C#
application.

Three things: first, this group covers classic ASP. Dotnet is a
different technology and has it's own group:
microsoft.public.dotnetframework.aspnet.

Second, you shouldn't append your question to an existing thread. When
you go to the other group, start a new thread for your question. That
will make it easier for other people with the same issue as you to find
your question and any answers when they search the archives.

Finally, it is always advisable to read some of the threads in a group
the first time you post to it. That way you can identify whether the
group you have chosen really is the right one for your subject matter.