Re: Azman: AzAuthorizationStoreClass.Initialize
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Wed, 15 Jun 2005 17:22:40 +0100
Hi
you might try enabling Audit Privilege Use in the security policy on the
box and see what is used on a successful call or what fails on an
unsuccessful one. That might help you spot if it is a rights issue; I offer this
as a straw in the wind as I know AzMan can tie in to the Windows
audit system which is a privileged activity but I may be way off-beam
here.
Lee Flight
"mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E4D0598-5BE3-4BC7-AF91-DA474320B6C5@xxxxxxxxxxxxxxxx
> The ADAM is running on a WinServer2003 SP1 box running under
> the Network Service Account.
> The web application is running on an XP box SP2 (our dev box) and accesses
> the ADAM on the WinServer 2003 box.
>
> I had a service account created and we are doing an impersonation
> in our web application to make the api calls to
> Microsoft.Interop.Security.AzRoles.dll.
> We get an access denied message in the call to "Initialize" method of
> AzAuthorizationStoreClass.
>
> Note that if the service account is added to the Administrators group of
> the XP box then the call to the Initialize method succeeds.
>
> I added the service account to the readers role and the administrator role
> in ADAM and thru azman.
>
> Mike
>
>
>
> "Dmitri Gavrilov [MSFT]" wrote:
>
>> What is the account that is used to run azman? Does ADAM live on the same
>> machine or different machine?
>>
>> --
>> Dmitri Gavrilov
>> SDE, DS Admin eXperience
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Use of included script samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:11A07BF7-2D74-4171-AC17-2A2EBE10697B@xxxxxxxxxxxxxxxx
>> > The impersonation is working without problems.
>> > The service account we are using to do impersonation
>> > is in the Administrator role in ADAM.
>> >
>> > I added the service account to the reader role in ADAM.
>> > Made no difference, same error. Access Denied on Initialize
>> >
>> > Running XP2 SP2 and Server 2003 SP1.
>> > Posted this in the DotNetSecurity newsgroup
>> >
>> > "Dustin" wrote:
>> >
>> >> mwr,
>> >> Make sure of a couple things..
>> >>
>> >> make sure to have <identity impersonate='true' />
>> >> and MOST IMPORTANTLY !!!
>> >>
>> >> <deny users="?" />
>> >>
>> >> Since you're using AzMan, it's recommended that you also use a Network
>> >> Service account that your application impersonates as.
>> >>
>> >> Another thing you can try,
>> >>
>> >> Make sure in your Roles under AzMan that the account you're impersonating
>> >> as is in the Readers Role and the Administrators Role.
>> >>
>> >>
>> >> "mwr" wrote:
>> >>
>> >> > I thought you might say that, but wasn't sure what newsgroup to try.
>> >> > It's basically the permissions that the
>> >> > Microsoft.Interop.security.AzRoles.dll
>> >> > needs to Initialize the application store in ADAM
>> >> >
>> >> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >> >
>> >> > > You might want to try one of the programming oriented newsgroups
>> >> > > like ms.public.dotnet.security, ms.pub.dotnet.framework.aspnet.security
>> >> > > or ms.pub.platformsdk.security.
>> >> > >
>> >> > > Joe K.
>> >> > >
>> >> > > "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> > > news:447FAFBF-BFC5-439C-BE82-7AF94259846B@xxxxxxxxxxxxxxxx
>> >> > > > I am calling AzAuthorizationStoreClass.Initialize
>> >> > > > and I am getting an access denied. My app is an
>> >> > > > asp.net and I am doing impersonation. The 'Initialize'
>> >> > > > method works if I add the user account doing the impersonation
>> >> > > > to the administrator group on the local machine
>> >> > > > but fails otherwise.
>> >> > > >
>> >> > > > I don't want to have to make the account doing the
>> >> > > > impersonation an admin of the box. What permissions
>> >> > > > do I need to set in order for the method call to succeed
>> >> > > > without being an admin of the box.
>> >> > > >
>> >> > > >
>> >> > >
>> >> > >
>> >> > >
>>
>>
>>
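
The audit check suggested at the top of this message, as an added example that is not part of the original thread: it turns on Privilege Use auditing, waits while the failing Initialize call is reproduced, then lists the privilege-use events recorded for the impersonated account. Assumptions: it is run elevated on the web application machine, on Windows Vista / Server 2008 or later (auditpol category names and event IDs 4673/4674; the XP and Server 2003 systems in the thread log the older IDs 577/578 and are configured through Local Security Policy), and `$Account` is a placeholder name.

```powershell
# Added example, not from the thread. $Account is a placeholder for the
# service account the web application impersonates.
$Account = 'svc-azman-placeholder'
$Since   = Get-Date

# Same setting as "Audit privilege use" (success and failure) in Local Security Policy.
auditpol /set /category:"Privilege Use" /success:enable /failure:enable | Out-Null

Read-Host 'Reproduce the Initialize call now, then press Enter'

# 4673 = a privileged service was called
# 4674 = an operation was attempted on a privileged object
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4673, 4674
    StartTime = $Since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the named EventData fields into a lookup table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Outcome    = if ($_.KeywordsDisplayNames -match 'Failure') { 'Failure' } else { 'Success' }
        Account    = $data['SubjectUserName']
        Privileges = ($data['PrivilegeList'] -replace '\s+', ' ').Trim()
        Process    = $data['ProcessName']
    }
} | Where-Object { $_.Account -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize

# If the category was not audited before this test, switch it back off afterwards:
# auditpol /set /category:"Privilege Use" /success:disable /failure:disable
```

A `Failure` row naming a privilege the account does not hold points at the specific user right to grant instead of local Administrators membership.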