Table does not exist error

[Wake-Up-Jeff]

I am trying to get my asp.net code to modify the comment property of the
user object in AD.
The idea is that an AD user accesses the web page.
The user's credentials are used to access the user object and modify their
own comment field.
I don't want to use a single domain account to do this for all users. Each
user can do it for themselves.
I get the "table does not exist" error when calling the following code:

con = CreateObject("ADODB.Connection")
con.provider = "ADsDSOObject"
con.open("Active Directory Provider")
com = CreateObject("ADODB.Command")
com.ActiveConnection = con
strQuery = "Select distinguishedName from 'LDAP://" & strDomain & "'" & _
" Where objectCategory = 'Person' AND objectClass='user' AND
samAccountName='" & strUserID & "'"
com.commandtext = strQuery
RS = com.Execute

the error occurs on com.Execute.

I have read about impersonation, and have attempted to set this up, but I
obviously haven't got something correct yet.
The authentication for my virtual directory has Integrated Windows
Authentication checked, and no other options checked.
My web.config file has the following entries:
<authentication mode="Windows"/>
<identity impersonate ="true"/>

I have the computer account on which IIS is running as "Trusted for
delegation". It is running W2K3 R2. The domain and forest are both at W2K3
functional level.

Any hints????

 

[Joe Kaplan]

Why on earth would you use ADO for querying AD when you could just use the
DirectorySearcher in System.DirectoryServices? It is faster, easier to use
and more flexible.

The error you are getting is likely related to security. If you are trying
to delegate without protocol transition (don't have "trusted for delegation
with any protocol" configured in AD for the computer account along with
constrained delegation to AD), then you need Kerb auth in IIS to get this to
work. If you are getting NTLM instead (which is common), it will fail.
Typically, if you want to get delegation working, you need to read the
TechNet docs on troubleshooting Kerberos delegation to get a better idea of
what you are looking for to make this work.

I think you'll likely be better off switching to SDS for doing by the AD
search and the modification operation. The security considerations are the
same but you get an API that is easier to use in .NET and faster. The
troubleshooting is also likely be to be easier since the errors are slightly
less obscure.

 

[Wake-Up-Jeff]

Thanks for the tips.
I'm only using ADO because I'm used to VBScript programming, and was unaware
of the System.DirectoryServices namespace available in ASP.NET (a newbie at
this).
I've tried looking thru the Kerberos delegation docs, but can't see anything
obvious I'm doing wrong.
e.g. http://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
and http://forums.asp.net/p/897609/971665.aspx#971665

I have the member server computer account trusted for delegation.
It's definitely the "2 hop" issue, as when I run IIS on a DC, it all works
fine.

 

[Joe Kaplan]

With Kerb delegation, unless you are using protocol transition/S4U login,
the part that frequently breaks is the Kerb login to the web server. Normal
delegation requires Kerb to Kerb, so if you don't get Kerb on the front end,
you can't do Kerb auth to the middle tier.

The easiest way to verify is to enable account login audits on the front end
web server and then look at the security event log events that are generated
for the logins from the browser to the web server. If they are NTLMssp,
Kerb delegation won't work. If they are Kerberos, then you at least have a
chance.

Protocol transition login allows the front end auth to be something other
than Kerb (basic, NTLM or Digest) and then the service in the middle (the
web app in this case) can "transition" to Kerberos when it needs to
delegate. In ADUC, you'll see this option as "trusted for delegation | with
any protocol" and you have to specify which services to delegate to. If you
don't have the delegation tab in ADUC that shows this, your forest is not
2003 FFL and you can't use this feature.

Look for the technet doc on troubleshooting Kerberos delegation. It is the
bible on this.