Re: Azman: AzAuthorizationStoreClass.Initialize

The ADAM is running on a WinServer2003 SP1 box running under
the Network Service Account.
The web application is running on an XP box SP2 (our dev box) and accesses the
ADAM on the WinServer 2003 box.

I had a service account created and we are doing an impersonation.
in our web application to make the api calls to
Microsoft.Interop.Security.AzRoles.dll.
We get an access denied message in the call to "Initialize" method of
AzAuthorizationStoreClass.

Note that if the service account is added to the Administrators group of the
XP box then the call to the Initiialize method succeeds.

I added the service account to the readers role and the administrator role
in ADAM and thru azman.

Mike



"Dmitri Gavrilov [MSFT]" wrote:

> What is the account that is used to run azman? Does ADAM live on the same
> machine or different machine?
>
> --
> Dmitri Gavrilov
> SDE, DS Admin eXperience
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:11A07BF7-2D74-4171-AC17-2A2EBE10697B@xxxxxxxxxxxxxxxx
> > the impersonation is working without problems
> > the. The service account we are using to do impersonation
> > is in the Admintrator role. in ADAM
> >
> > I add to the serice account to the reader role in ADAM.
> > Made no difference same error. Access Denied on Initialize
> >
> > Running XP2 SP2 and Server 2003 SP1.
> > Posted this in the DotNetSecurity newsgroup
> >
> > "Dustin" wrote:
> >
> >> mwr,
> >> Make sure of a couple things..
> >>
> >> make sure to have <identity impersonate='true' />
> >> and MOST IMPORTANTLY !!!
> >>
> >> <deny users="?" />
> >>
> >> Since your Using AzMan. Its Recommended that you also use a Network
> >> Service
> >> account that your application impersonates as.
> >>
> >> Another thing you can try,
> >>
> >> Make sure in your Roles under AzMan. The account your impersonating as is
> >> in
> >> the Readers Role. And Administrators Role.
> >>
> >>
> >> "mwr" wrote:
> >>
> >> > I thought you might say that, but wasnt sure what newsgroup to try.
> >> > Its basically the permissions that the
> >> > Microsoft.Interop.security.AzRoles.dll
> >> > needs to Intialize the application store in ADAM
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> > > You might want to try one of the programming oriented newsgroups like
> >> > > ms.public.dotnet.security,ms.pub.dotnet.framework.aspnet.security or
> >> > > ms.pub.platformsdk.security.
> >> > >
> >> > > Joe K.
> >> > >
> >> > > "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > > news:447FAFBF-BFC5-439C-BE82-7AF94259846B@xxxxxxxxxxxxxxxx
> >> > > >I am calling AzAuthorizationStoreClass.Initialize
> >> > > > and i am getting an access denied. My app is an
> >> > > > asp.net and i am doing impersonation. The 'Initialize'
> >> > > > method works if i add the user acount doing the impersonation
> >> > > > to the admininistrator group on the local machine
> >> > > > but fails otherwise.
> >> > > >
> >> > > > I dont want to have to make the account doing the
> >> > > > impersonation and admin of the box. What permissions
> >> > > > do i need to set in order for the method call to succeed
> >> > > > without being an admin of the box.
> >> > > >
> >> > > >
> >> > >
> >> > >
> >> > >
>
>
>
.

Relevant Pages

  • Re: Access Rights to See DACLs in ADAM
    ... as they have control over the service account, can take ownership, ... Also best practice is to keep ADAM ... accounts have the administrator access rights. ... local administrators group, which we do not want to do, and which I have ...
    (microsoft.public.windows.server.active_directory)
  • Re: Issue while setting user password in ADAM using JAVA
    ... Secondly I followed few more links and tried to configure ADAM for ... If ADAM is running under a local service account, ... has sufficient rights to update the serviceConnectionPoint object. ... ServiceConnectionPoint object publication can be disabled for this ...
    (microsoft.public.windows.server.active_directory)
  • Re: Azman: AzAuthorizationStoreClass.Initialize
    ... The service account we are using to do impersonation ... I add to the serice account to the reader role in ADAM. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Azman: AzAuthorizationStoreClass.Initialize
    ... you might try enabling Audit Privilege Use in the security policy on the ... > ADAM on the WinServer 2003 box. ... > I had a service account created and we are doing an impersonation. ... > I added the service account to the readers role and the administrator role ...
    (microsoft.public.windows.server.active_directory)
  • Re: Access Rights to See DACLs in ADAM
    ... I understand we cannot totally sandbox ADAM from the local system ... but we want to make it necessary for a local administrator to ... Administrators group in the configuration partition, ... the same problem with that account as the service account. ...
    (microsoft.public.windows.server.active_directory)