Help with vbscript in asp.net

[teejayem]

Set objUser = GetObject("WinNT://WALKER_MORRIS/hup^,user")
If objUser.IsAccountLocked = True Then .......

I am using the above code as part of my asp.net web application.
I have tested the code and it works fine except when the code executes
as part of my webpage i receive the following error:-

ActiveX component can't create object 'CreateObject'

Any ideas?

 

[Mark Rae [MVP]]

Set objUser = GetObject("WinNT://WALKER_MORRIS/hup^,user")
If objUser.IsAccountLocked = True Then .......

I am using the above code as part of my asp.net web application.
I have tested the code and it works fine except when the code executes
as part of my webpage i receive the following error:-

ActiveX component can't create object 'CreateObject'

Any ideas?

That's Classic ASP code...

To interface with ActiveDirectory in .NET, you need to use the
System.DirectoryServices namespace...

 

[Aidy]

Also can you confirm if this code is running on the client via <script>
tags? If it is then you're probably running into security issues, you can't
just create any old ActiveX object on the client.

 

[teejayem]

Also can you confirm if this code is running on the client via <script>
tags? If it is then you're probably running into security issues, you can't
just create any old ActiveX object on the client.









- Show quoted text -

Yes I am running the code on the client using <script> tags
Think this is probably a security issue.
Is there any way round this?

 

[Mark Rae [MVP]]

Yes I am running the code on the client using <script> tags

You didn't say that in your original post...

Think this is probably a security issue.
Is there any way round this?

Do your AD work server-side using the System.DirectoryServices namespace,
after setting ASP.NET up to impersonate a user with sufficient privileges...

 

[teejayem]

You didn't say that in your original post...


Do your AD work server-side using the System.DirectoryServices namespace,
after setting ASP.NET up to impersonate a user with sufficient privileges...

This works when I run it on my webserver. Not in VS but when i go
into my web browser and type the address http://computername/stripnet
If i run from any other application i get the a run time error.
Do i have to add the directoryservices.dll into my root web folder or
something?

 

[Mark Rae [MVP]]

Do i have to add the directoryservices.dll into my root web folder or
something?

You have to add a reference to it in your project...

 

[teejayem]

You have to add a reference to it in your project...

I have added the reference to the project.

 

[teejayem]

I have added the reference to the project.

i get the following error

Server Error in '/StripNET' Application.

Runtime Error
Description: An application error occurred on the server. The current
custom error settings for this application prevent the details of the
application error from being viewed remotely (for security reasons).
It could, however, be viewed by browsers running on the local server
machine.

if i remove the part using directory services it runs without an error.

 

[Mark Rae [MVP]]

i get the following error

Server Error in '/StripNET' Application.

Then there's either a bug in your code somewhere, or you're not using
Windows 2003...

Presumably your code looks something like this:
http://en.csharp-online.net/User_Management_with_Active_Directory—Determining_Account_Lockout

How are you actually referencing the User object...?

 

[teejayem]

Then there's either a bug in your code somewhere, or you're not using
Windows 2003...

Presumably your code looks something like this:http://en.csharp-online.net/User_Management_with_Active_Directory%E2%...

How are you actually referencing the User object...?

No, the code works fine. It works fine on my PC which is running
IIS. Even if I am browsing to it out of VS. But if any other user
tried to use it on their machine it throws up the error. If i remove
this code that checks if the account is locked out then other users
don't receive the error.

my code is as follows:-

imports system.directoryservices

' some code above here which is not causing the problem.
Dim objUser As New DirectoryEntry("LDAP://" & strLDAP)
Dim objSearcher As DirectorySearcher = New
DirectorySearcher(objUser)
Dim objResults As SearchResultCollection
Dim objResult As SearchResult
Const lockoutFlag As Integer = 16

objSearcher.PropertiesToLoad.Add("msds-User-Account-Control-
Computed")

objResults = objSearcher.FindAll()

For Each objResult In objResults
Dim status As Integer =
DirectCast(objResult.Properties("msds-User-Account-Control-Computed")
(0), Integer)
If (status And lockoutFlag) = lockoutFlag Then
IsAccountLocked = True
Session("LDAP") = strLDAP
Else
IsAccountLocked = False
End If
Next

objUser.Close()
objUser.Dispose()


thanks for your help by the way. I really appreciate it!

 

[Mark Rae [MVP]]

No, the code works fine. It works fine on my PC which is running
IIS. Even if I am browsing to it out of VS. But if any other user
tried to use it on their machine it throws up the error. If i remove
this code that checks if the account is locked out then other users
don't receive the error.

my code is as follows:-

imports system.directoryservices

' some code above here which is not causing the problem.
Dim objUser As New DirectoryEntry("LDAP://" & strLDAP)
Dim objSearcher As DirectorySearcher = New
DirectorySearcher(objUser)
Dim objResults As SearchResultCollection
Dim objResult As SearchResult
Const lockoutFlag As Integer = 16

objSearcher.PropertiesToLoad.Add("msds-User-Account-Control-
Computed")

objResults = objSearcher.FindAll()

For Each objResult In objResults
Dim status As Integer =
DirectCast(objResult.Properties("msds-User-Account-Control-Computed")
(0), Integer)
If (status And lockoutFlag) = lockoutFlag Then
IsAccountLocked = True
Session("LDAP") = strLDAP
Else
IsAccountLocked = False
End If
Next

objUser.Close()
objUser.Dispose()


thanks for your help by the way. I really appreciate it!

 

[Mark Rae [MVP]]

No, the code works fine. It works fine on my PC which is running
IIS. Even if I am browsing to it out of VS. But if any other user
tried to use it on their machine it throws up the error. If i remove
this code that checks if the account is locked out then other users
don't receive the error.

As I mentioned a couple of replies back, the user under which ASP.NET runs
by default doesn't have sufficient privileges to query ActiveDirectory, so
you will need to set up impersonation. Pretty much any standard DomainUser
account will do unless you need to make changes to AD objects...

 

[teejayem]

As I mentioned a couple of replies back, the user under which ASP.NET runs
by default doesn't have sufficient privileges to query ActiveDirectory, so
you will need to set up impersonation. Pretty much any standard DomainUser
account will do unless you need to make changes to AD objects...

Yes that seemed to be the problem.
Although my IIS is set up to use Windows Authentication.
I have set my web site up for <identity impersonation=True />
Still didn't work.
I have to explicitly add the userName and Password attributed to the
identity element tag for it to work. I was under the impression that
impersonation should run as the user that the IIS session is running
as. If I am using Windows Authentication this should be the user who
is viewing the website, true? Well these users definatly have
sufficient privilages.

 

[Mark Rae [MVP]]

Yes that seemed to be the problem.
Although my IIS is set up to use Windows Authentication.
I have set my web site up for <identity impersonation=True />
Still didn't work.

That's correct.

I have to explicitly add the userName and Password attributed to the
identity element tag for it to work.

That's also correct.

I was under the impression that impersonation should run as the user that
the IIS session is running as. If I am using Windows Authentication this
should be the user who is viewing the website, true?

That's not correct - the user who is viewing the website has nothing
whatsoever to do with the user under which ASP.NET is running...

 

[teejayem]

Also can you confirm if this code is running on the client via <script>
tags? If it is then you're probably running into security issues, you can't
just create any old ActiveX object on the client.









- Show quoted text -

Is ther a way around this? I have decided to do my AD work server
side but now I am wanting to add some scripts that will need to be run
client side and will need to create activex objects?

 

[Aidy]

Is ther a way around this? I have decided to do my AD work server

side but now I am wanting to add some scripts that will need to be run
client side and will need to create activex objects?

You'll need to mark the objects as safe in each user's registry, or (better)
develop your own activex control that will do the coding for you. Users
will need to accept to download and install the activex control.

 

[teejayem]

You'll need to mark the objects as safe in each user's registry, or (better)
develop your own activex control that will do the coding for you. Users
will need to accept to download and install the activex control.

How do I mark the object as safe in a users registry?

 

[Aidy]

http://msdn2.microsoft.com/en-us/library/aa751977.aspx