Code Project
CreateMailbox CDO, in Webservices with IIS 6

  • ex3cut3 wrote (#1):

    Hello people, I'm having big trouble with creating users. I developed code to create users in Active Directory and mail-enable them. It always worked fine (development platform: Windows XP, IIS 5), but now the project is finished and I moved it into production, so here is what happens (production platform: Windows 2003 Server, IIS 6): running as a console app it works fine, no problem, but I need some part to run as a web service, and boom, it blows up on me. Various error messages, but the most consistent is "Catastrophic Error". Here is some simple code that I'm testing now. Attention: this works fine in IIS 5 and Windows XP, but not in IIS 6; all permissions are set and OK.

    using System;
    using System.DirectoryServices;
    using System.Text;
    using CDOEXM;   // COM interop for CDO for Exchange Management (IMailboxStore)

    public string CreateMailbox(string user)
    {
        try
        {
            StringBuilder sb = new StringBuilder();
            string ouDN = "LDAP://OU=domainuserOU,OU=GlobalOU,DC=LAB,DC=TASP,DC=LOCAL";
            // Bind to the target OU with explicit credentials.
            DirectoryEntry deOU = new DirectoryEntry(ouDN, "Administrator", "password",
                AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
            object obj = deOU.NativeObject;   // forces the bind to happen here

            // Create the user object and set its logon names.
            sb.AppendFormat("CN={0}", user);
            DirectoryEntry deUser = deOU.Children.Add(sb.ToString(), "user");
            deUser.Properties["sAMAccountName"].Add(user);
            sb = new StringBuilder();
            sb.AppendFormat("{0}@lab.tasp.local", user);
            deUser.Properties["userPrincipalName"].Add(sb.ToString());
            deUser.CommitChanges();

            deUser.Invoke("SetPassword", "userpassword");
            deUser.CommitChanges();
            deUser.Properties["userAccountControl"].Value = 0x200;   // NORMAL_ACCOUNT (enabled)
            deUser.CommitChanges();

            // Mail-enable the new account through CDOEXM.
            IMailboxStore mailbox;
            obj = deUser.NativeObject;
            mailbox = (IMailboxStore)obj;
            mailbox.CreateMailbox("CN=SG1-DB1,CN=SG1,CN=InformationStore,CN=VMEX02,CN=Servers,CN=First Administrative Group," +
                "CN=Administrative Groups,CN=Portugal Telecom,CN=Microsoft Exchange,CN=Services,CN=Configuration," +
                "DC=lab,DC=tasp,DC=local");
            deUser.CommitChanges();
        }
        catch (Exception err)
        {
            return err.Message + err.StackTrace;
        }
        return "user created with success!";
    }

    Thank you very much


      Heath Stewart wrote (#2):

      Which line commonly throws the exception(s)? Also, the first thing that comes to my mind is permissions. IIS6 on Win2K3 (like it comes with anything else currently! :)) starts making effective use of code access security. I really haven't had time to play with it, but I have spent a lot of time from the 1.0 beta days of CAS so all I can do is give you pointers. Make sure that the web service is allowed to run with permissions appropriate to what you're doing. For example, invoking anything (DirectoryEntry.Invoke) requires the DirectoryServicesPermission so the web service must be granted that permission. How that's done for a web application in IIS6 is a bit of a mystery to me (if I ever have time to quiet these constant last-minute changes from my PHB I will install it on our servers which need it anyway). If it's not CAS, perhaps the Win2K3's membership doesn't grant it access to write to an AD? :confused:

      -----BEGIN GEEK CODE BLOCK----- Version: 3.21 GCS/G/MU d- s: a- C++++ UL@ P++(+++) L+(--) E--- W+++ N++ o+ K? w++++ O- M(+) V? PS-- PE Y++ PGP++ t++@ 5 X+++ R+@ tv+ b(-)>b++ DI++++ D+ G e++>+++ h---* r+++ y+++ -----END GEEK CODE BLOCK-----


        ex3cut3 wrote (#3):

        OK, I forgot some details: the object is created in AD perfectly, everything works until...

        mailbox.CreateMailbox("CN=SG1-DB1,CN=SG1,CN=InformationStore,CN=VMEX02,CN=Servers,CN=First Administrative Group," +
            "CN=Administrative Groups,CN=Portugal Telecom,CN=Microsoft Exchange,CN=Services,CN=Configuration," +
            "DC=lab,DC=tasp,DC=local");

        This is where it throws the CATASTROPHIC ERROR. The permissions are set in machine.config, and the impersonation is done by the DirectoryEntry object; that is, when I initialize the object I provide the credentials of a domain admin user. So permissions should be covered. I also tried to put the impersonation context in, but that didn't work either... Thanks a lot, Ricardo Santos


          Heath Stewart wrote (#4):

          Actually, I wasn't talking about AD permissions, per se. I was speaking of code access security (CAS) permissions. For instance, does the CreateMailbox method documentation say anything about a required permission to execute? It's a question of whether or not your web application has been granted the required permissions. This isn't necessarily through the machine.config file, either. If I remember correctly from the VS.NET 2003 / Windows Server 2003 launch event, you can grant permissions to web applications through IIS's administrative tool. I'm sorry that I don't remember specifics. I'm hoping I have a chance to purchase and install Win2K3 for our Internet-deployed application (touchless installation) for better security and availability. Also, have you tried turning tracing on in your Web.config file and checking the app's trace log (trace.axd from the app root)? Does it give any more details or a stack trace that might point to the exact error? If it's a catastrophic failure, of course, you might not get this.

          -----BEGIN GEEK CODE BLOCK----- Version: 3.21 GCS/G/MU d- s: a- C++++ UL@ P++(+++) L+(--) E--- W+++ N++ o+ K? w++++ O- M(+) V? PS-- PE Y++ PGP++ t++@ 5 X+++ R+@ tv+ b(-)>b++ DI++++ D+ G e++>+++ h---* r+++ y+++ -----END GEEK CODE BLOCK-----


            ex3cut3 wrote (#5):

            OK, thanks for the tips, it fixed the problem, which was permissions of course, so here is the way to make it work; it's all on IIS 6. Create an Application Pool. Add the Domain Admin User to the workstation group IIS WGL. In the application pool, set the identity to work as that user. And that's it, it works to perfection, thank you a lot again. Ricardo José Santos


              Heath Stewart wrote (#6):

              You're running IIS as a domain admin?! Are you insane?! :omg: :) Seriously, though: that is a really, really bad idea. You've just given any anonymous user a back door into your entire domain with the keys to every machine in the domain. Not good. You've somewhat solved the problem though - it's about the permissions of the IIS user. Now you need to either add the normal user that IIS runs as (IUSR_MACHINENAME) to the appropriate groups and / or security rights, or have it run as a non-privileged user with the same constraints. First, you are trying to use impersonation, but IIS / ASP.NET is throwing an error. Since this is a Win2K3 box, make sure the IIS user has the SeImpersonatePrivilege (configurable in the local machine (or domain, but that's too broad) policy). Next, make sure that the IIS user has permissions to your CDO server (SMTP Services for IIS, or Microsoft Exchange). The whole idea is to find out what is wrong and make sure that the user that IIS runs under has the appropriate privileges and permissions. If you run as a privileged user you ultimately have all those things but at an extremely great cost!

              -----BEGIN GEEK CODE BLOCK----- Version: 3.21 GCS/G/MU d- s: a- C++++ UL@ P++(+++) L+(--) E--- W+++ N++ o+ K? w++++ O- M(+) V? PS-- PE Y++ PGP++ t++@ 5 X+++ R+@ tv+ b(-)>b++ DI++++ D+ G e++>+++ h---* r+++ y+++ -----END GEEK CODE BLOCK-----
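
The advice in the post above, as an added example that is not part of the thread: a startup guard in C# that refuses to run when the worker process identity (the IIS application pool identity) holds an administrative SID. The class name, the constructed sample SIDs and the set of RIDs flagged are assumptions of this example; it uses the .NET Framework 2.0+ `System.Security.Principal` API.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: flags administrative principals in a process token.
static class PoolIdentityGuard
{
    // Returns a label when the SID is an administrative principal, otherwise null.
    static string Classify(SecurityIdentifier sid)
    {
        if (sid.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid))
            return "BUILTIN\\Administrators";
        string v = sid.Value;
        if (!v.StartsWith("S-1-5-21-", StringComparison.Ordinal)) return null;
        // Domain-relative SIDs end in a well-known relative identifier (RID).
        switch (v.Substring(v.LastIndexOf('-') + 1))
        {
            case "500": return "built-in Administrator account";
            case "512": return "Domain Admins";
            case "518": return "Schema Admins";
            case "519": return "Enterprise Admins";
            default: return null;
        }
    }

    // Checks every SID in a token (user SID plus group SIDs) and lists the administrative ones.
    public static List<string> FindPrivileged(IEnumerable<SecurityIdentifier> tokenSids)
    {
        List<string> hits = new List<string>();
        foreach (SecurityIdentifier sid in tokenSids)
        {
            string label = Classify(sid);
            if (label != null) hits.Add(label + " (" + sid.Value + ")");
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample token: a domain account that was added to Domain Admins.
        List<SecurityIdentifier> sample = new List<SecurityIdentifier>();
        sample.Add(new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-513")); // Domain Users
        sample.Add(new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-512")); // Domain Admins
        sample.Add(new SecurityIdentifier("S-1-5-32-545"));                                   // BUILTIN\Users
        foreach (string hit in FindPrivileged(sample))
            Console.WriteLine("sample token holds: " + hit);

        // The real check: the identity this process is running as.
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
            sids.Add(me.User);
            foreach (IdentityReference g in me.Groups)
                sids.Add((SecurityIdentifier)g);
            List<string> hits = FindPrivileged(sids);
            if (hits.Count > 0)
                throw new InvalidOperationException(
                    me.Name + " is over-privileged: " + string.Join(", ", hits.ToArray()));
            Console.WriteLine(me.Name + ": no administrative groups in token");
        }
    }
}
```

In a web service the same check would run once at application start, so a pool reconfigured to an administrative account fails closed instead of serving requests.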


                ex3cut3 wrote (#7):

                It should be report alright but for me it's no problem because the IIS is internal, and it's to host a web service. This is only to be used from another IIS server that is published on the outside, and the calls are made by C# code. The code makes all the changes to AD, Exchange, IIS, filesystem, etc.; it's a provisioning service, thereby I need those admin privileges. The machine itself is secure, so I believe that it's no problem. I need to authenticate myself in the AD and IIS web service machine. :D


                  JoostV wrote (#8):

                  I have had the same experience creating users from a kix script. After creating the user and setting its groups, do a synchronize domain command.
