Re: Azman: AzAuthorizationStoreClass.Initialize



mwr,
Make sure of a couple of things.

Make sure to have <identity impersonate='true' />
and MOST IMPORTANTLY !!!

<deny users="?" />

Since you're using AzMan, it's recommended that you also use a Network Service
account that your application impersonates.

Another thing you can try,

Make sure that, in your Roles under AzMan, the account you're impersonating is in
the Readers role and the Administrators role.


"mwr" wrote:

> I thought you might say that, but wasn't sure what newsgroup to try.
> It's basically the permissions that the Microsoft.Interop.security.AzRoles.dll
> needs to initialize the application store in ADAM.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
> > You might want to try one of the programming-oriented newsgroups like
> > ms.public.dotnet.security, ms.pub.dotnet.framework.aspnet.security or
> > ms.pub.platformsdk.security.
> >
> > Joe K.
> >
> > "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:447FAFBF-BFC5-439C-BE82-7AF94259846B@xxxxxxxxxxxxxxxx
> > > I am calling AzAuthorizationStoreClass.Initialize
> > > and I am getting an access denied. My app is an
> > > ASP.NET app and I am doing impersonation. The 'Initialize'
> > > method works if I add the user account doing the impersonation
> > > to the administrator group on the local machine
> > > but fails otherwise.
> > >
> > > I don't want to have to make the account doing the
> > > impersonation an admin of the box. What permissions
> > > do I need to set in order for the method call to succeed
> > > without being an admin of the box?
> > >
> > >
> >
> >
> >