Indexing service CreateRecordset error "Access is denied" can be caused by disabled Delegation.

I am using IXSSO from ASP.NET to access a remote Indexing Service catalog (see also my posts COM CleanUp when using IXSSO in .Net and Fill Dataset with rows in a specified range, http://thespoke.net/blogs/mnf/archive/2005/05/09/92495.aspx).

When testing it from a workstation, I started to receive an "Access is denied" exception in the CreateRecordset call.

According to Hilary Cotter (http://groups.google.com.au/group/microsoft.public.inetserver.indexserver/browse_frm/thread/55dbf5119cc898ce/0b992b7127b27062?hl=en#0b992b7127b27062), it can usually be fixed by "giving rights to logon interactively on the remote machine".

It didn't help me, but finally I found (thanks to http://www.highdots.com/forums/asp-net-security/impersonate-delegate-problem-699124.html) that to fix the error it is required to set the web server computer to be trusted for delegation, as described in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b207ee9c-a055-43f7-b9be-20599b694a31.mspx.

 

 

To run WebDav queries against Exchange folders from ASP.NET, use Kerberos.

I am using a WebDav query to search e-mails and public folders from Exchange Server 2003. The code is based on the Visual Basic .NET sample http://msdn.microsoft.com/library/default.asp?url=/library/en-us/e2k3/e2k3/_exch2k_searching_folders_http.asp

However, when I started to test the code with impersonation, I got a problem. The scenario was the following:

I am using a client on a workstation running IE6 that logs in to the ASP.NET web server using Windows Authentication with impersonation. The server ASP.NET page uses WebDav to access Exchange Server 2003.

The WebDav request failed with "The remote server returned an error: (401) Unauthorized".

If the client is running the IE browser on the Web Server, the WebDav queries succeed.
I changed the Web Server to "trust this computer to delegate", but the error was the same.

The solution is to use "Negotiate" (or "Kerberos") instead of NTLM when calling MyCredentialCache.Add:

    CredentialCache cache = new CredentialCache();

    // Credentials of the security context the code is currently running under
    // (the impersonated user when impersonation is enabled).
    NetworkCredential credential1 = (NetworkCredential) CredentialCache.DefaultCredentials;

    // From http://blogs.msdn.com/buckh/archive/2004/07/28/199706.aspx:
    // depending upon the IIS configuration, that may be Negotiate, NTLM, Kerberos, Basic, or Digest authentication.
    // "Negotiate" negotiates with the client to determine the authentication scheme.
    // If both client and server support Kerberos, it is used; otherwise NTLM is used.
    string authType = "Negotiate"; // The authentication scheme used by the resource named in uriPrefix.

    // If Kerberos is unavailable, there can be a 15 sec delay
    // (from http://blogs.msdn.com/buckh/archive/2004/07/28/199706.aspx#217098).
    // strRootURI is the URI of the Exchange folder being queried (declared elsewhere).
    cache.Add(new Uri(strRootURI), authType, credential1);

It is also important to ensure that both the Web Server and the impersonated user account are "Trusted for delegation" (see ASP.NET and Exchange tips and samples and How To: Implement Kerberos Delegation for Windows 2000).
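
Both errors above come from the same place: the impersonated token on the web server cannot be used for a second network hop. The following diagnostic is an added example, not code from the original post; the names DelegationCheck and Describe are hypothetical. It reports the authentication package and impersonation level of the identity the code is running under, so the result can be logged just before the WebDav or CreateRecordset call.

```csharp
using System;
using System.Security.Principal;

// Added example, not code from the original post.
// DelegationCheck and Describe are hypothetical names.
public static class DelegationCheck
{
    // Reports whether the identity the current thread runs as can authenticate
    // to a second server (Exchange, a remote Indexing Service catalog).
    public static string Describe(WindowsIdentity id)
    {
        string who = string.Format("{0} [auth={1}, level={2}]",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return who + ": token can be forwarded to a remote server.";
            case TokenImpersonationLevel.Impersonation:
                return who + ": token is usable on this machine only; a request to "
                    + "another server under it will usually be rejected "
                    + "(401 / Access is denied). Check Kerberos and "
                    + "'trusted for delegation'.";
            case TokenImpersonationLevel.None:
                return who + ": primary token, no impersonation in effect; "
                    + "outbound calls use the process account.";
            default: // Anonymous or Identification
                return who + ": token cannot be used to access resources "
                    + "on the caller's behalf.";
        }
    }

    public static void Main()
    {
        // In an ASP.NET page with <identity impersonate="true"/>, call
        // Describe(WindowsIdentity.GetCurrent()) just before the remote call
        // and write the result to the trace or log.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(current));
        }
    }
}
```

A level of Delegation together with an auth value of Kerberos is the combination the fix above is aiming for.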

Related post: Configure Exchange Server 2003 for WebDav queries.
