Calling DirectoryEntry class's property to get SID fail with Network path not found error
Hi,I have implemented Custom Security Extension to my Reports project. I am implementing it in both SSR2000 & ssrs 2005 32bit & 64 bit. All is working well except on 64 bit. Iawant that any user who has logged using Windows authentication should be able to call DirectoryEntry(...) class's property to get "objectSID".Following is the code :-private static string GetSid(string loginUser) { string userSID = ""; try { // Parse the string to check if domain name is present. int idx = loginUser.IndexOf('\\'); if (idx == -1) { idx = loginUser.IndexOf('@'); } string userDomain; string userName; if (idx != -1) { userDomain = loginUser.Substring(0, idx); userName = loginUser.Substring(idx + 1); } else { return userSID; } DirectoryEntry obDirEntry = null; obDirEntry = new DirectoryEntry("WinNT://" + userDomain + "/" + userName); System.DirectoryServices.PropertyCollection coll = obDirEntry.Properties; object obVal = coll["objectSid"].Value; if (null != obVal) { userSID = ConvertByteToStringSid((Byte[])obVal); } } catch (Exception ex) { userSID = ""; } return userSID; }Following is the errror :-System.Runtime.Interopservices.COMException (0x80005000): Unknown error (0x80005000)| at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)| at System.DirectoryServices.DirectoryEntry.Bind()| at System.DirectoryServices.DirectoryEntry.get_AdsObject()| at System.DirectoryServices.PropertyValueCollection.PopulateList()| at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)| at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)|Any help will be highly appreciated.Peace
March 21st, 2009 12:00pm

Hi Chiranjiv, Using System.DirectoryService to retrieve information from Active Directory is an unattended report processing. Unattended report processing refers to any report execution process that is triggered by an event (either a schedule-driven event or data refresh event) rather than a user request. The report server uses the unattended report processing account to log on to the computer that hosts the external data source. This account is necessary because the credentials of the Report Server service account are never used to connect to other computers. Reporting Services provides a special account named Execution Account that is used for unattended report processing and for sending connection requests across the network. To solve the issue, you could special a domain account for Execution Account. If specifying the execution account does not help, could you please use the following steps to debug the Extension, and post the detailed error here: 1. Open the custom extension project. 2. Click the file menu Debug -- > Attach to process, and select the process aspnet_wp.exe. 3. Toggle BreakPoint at the point you want. 4. Open the Report Server by using http://<servername>/reportserver For more information about How to configure the Account, please see Configuring the Unattended Execution Account in SQL Server Books Online. Thanks, Jin Jin Chen - MSFT
Free Windows Admin Tool Kit Click here and download it now
March 23rd, 2009 1:54pm

Hi Chiranjiv,Thanks for your reply.Have you debuged the Custom Extension? And what is the error during debug?It works fine in my environment, so could you please describe your environment a bit more?1.Is the server in the same domain of clients? 2.Can the clients search users from the domain? I look forward to your reply. Thanks, JinJin Chen - MSFT
March 30th, 2009 10:24am

Hi Jin, Thanks for your response. My Environment :- 1.) Win2k3 - SQl Server 2005 Server & 2005 Reporting Services(32 Bit) 2.) Win2k3 - SQl Server 2005 Server & 2000 Reporting Services SP2 3.) Win2k3 - SQl Server 2005 Server & 2005 Reporting Services (64 bit) All in the same domain. I try to access it using http://Localhost it works, bu when I use FQDN or IP Address, it screws up Regards ChiranjivPeace
Free Windows Admin Tool Kit Click here and download it now
March 30th, 2009 3:28pm

On Win2k3 - SQl Server 2005 Server & 2005 Reporting Services (64 bit) it is still causing problem..:( Peace
April 3rd, 2009 7:20am

Hi Chiranjiv,Could you please give me the RDL to do further research.Thanks,JinJin Chen - MSFT
Free Windows Admin Tool Kit Click here and download it now
April 3rd, 2009 7:29am

Hi Jin, The reporting call is stuck with the root directory. It does not reach RDl. Before RDL I call this function GetSID(...) from the function in Custom Security Extension class.Peace
April 3rd, 2009 7:31am

Hi Chiranjiv,Form your previous post, it seems like the Custome Extension works fine if assess it using http://localhost, but screw up when using FQDN or IP address. Is it?What about using http://<servername> (It means using NetBIOS)?Thanks,JinJin Chen - MSFT
Free Windows Admin Tool Kit Click here and download it now
April 3rd, 2009 7:36am

Hi Jin, On a SQL Server 2005 + reporting services(both on 64 bit), it only works if http://localhost/reports is used. If I use http://MachineName or http://FQDn or http://ipaddress they all fail :( Iwas checkin gsome things:- 1.) I checked if the Network Service account is allowed to query the AD.It did no ti said it requires permission ion the netman DCOM utility to allow Local activation & invocation permission. I did it, but no results :( 2.) I added Network Service user to DCOM Config users, but to no avail. Please help.Peace
April 7th, 2009 11:36am

Hi Chiranjiv,Have you changed the 'Execution Account' to be a domain user in Reporting Service Configration Manager? This is important.Could you please try use the other method to get the SID?Please change the LDAP to match your company's structure. public static string GetSid2(string loginUser) { string userSID = ""; try { // Parse the string to check if domain name is present. int idx = loginUser.IndexOf('\\'); if (idx == -1) { idx = loginUser.IndexOf('@'); } string userDomain; string userName; if (idx != -1) { userDomain = loginUser.Substring(0, idx); userName = loginUser.Substring(idx + 1); } else { return userSID; } string Path = "LDAP://DC=<contoso>,DC=com"; System.DirectoryServices.DirectoryServicesPermission permission = new System.DirectoryServices.DirectoryServicesPermission(System.Security.Permissions.PermissionState.Unrestricted); permission.Assert(); System.DirectoryServices.DirectoryEntry directory = new System.DirectoryServices.DirectoryEntry(Path); string filter = String.Format("(&(objectClass=user)(samaccountname=" + userName + "))"); System.DirectoryServices.DirectorySearcher findUser = new System.DirectoryServices.DirectorySearcher(directory, filter); System.DirectoryServices.SearchResult result = findUser.FindOne(); DirectoryEntry obDirEntry = result.GetDirectoryEntry(); System.DirectoryServices.PropertyCollection coll = obDirEntry.Properties; object obVal = coll["objectSid"].Value; if (null != obVal) { userSID = ConvertByteToStringSid((Byte[])obVal); } } catch { userSID = ""; } return userSID; } Thanks,JinJin Chen - MSFT
Free Windows Admin Tool Kit Click here and download it now
April 7th, 2009 12:18pm

Hi Jin, I have given the Execution account a domain user , it did not work.SorryI used the afore mentioned code does not work either I had tried it earlier. Regards Chiranjiv Peace
April 7th, 2009 1:03pm

I had a similar issue. My account is an Admin on both my dev server and a test server where I re-deploy my code to test it in the same environment, domain, etc. Both are simple member servers, not DCs or anything. Only Visual Studio and SharePoint are running on them. On my dev server it works fine using Visual Studio's virtual server during debug. I can run it under http://localhost and it runs. I publish it over to my test server, it runs under localhost fine, too. I can even get to it and run it locally under http://<servername> and http://FQDN. The problem lies in that I could not get it to run if I logged into the Test server's website from my original Dev box, even though it should be using my credentials to run the AD query since I was logged into the site, or so you'd think, right? I think it was due to the double-hop issue - I was on another server than the one doing the querying. Luckily this was a SharePoint app, so I just put SPSecurity.RunWithElevatedPrivileges around the code block and it worked from my Dev server, logging into my Test server's site, just fine. Otherwise, I would've needed to build in impersonation around that code, specify an account's credentials to use, return a security token to a WindowsImpersonationContext, all that mess. I know MS had security in mind, but man... But anyone know why you'd need elevated privileges to do a READ in AD, when everyone should have read to AD (they have to, in order to log in!)? Does it try to use a different account, like the NTAUTHORITY\NETWORK SERVICE account or something that doesn't have AD access?
Free Windows Admin Tool Kit Click here and download it now
November 4th, 2011 11:46pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics