Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

AzMan and ADAM Issues [message #156581] Fri, 19 June 2009 17:05
Kreshiv
Hi,

I am trying to create a WCF service that interacts with ADAM and AzMan. Can you tell me
what configuration is needed for the WCF service to work successfully?

I am using Windows Authentication for my application. I want to use
anonymous access for WCF. I have already created the WCF service, but I am
continuously getting one of these errors:

Handle is invalid.
Access Denied.
Insufficient Access Rights.
....

Hence I tried impersonating my Windows ID in WCF to check whether it is
able to connect from client to server. Please let me know what configuration
is needed.

I am a local administrator on my machine, and an administrator for ADAM and AzMan.
I have added my username along with the domain to the ADAM Readers role. I tried
adding it to the ADAM Administrators role also. I have also added my username to the
AzMan store under Administrator and Reader. Please help me ASAP.
RE: AzMan and ADAM Issues [message #156587 is a reply to message #156581] Fri, 19 June 2009 19:41
Garry Starck
Hi Kreshiv

I only attempted this once, but I followed this guy's help, inserted below:

There's not much documentation, particularly around AzMan, and the COM
interfaces for AzMan can be a bit cumbersome.

•Storing users in ADAM and authorizing them using ADAM requires Windows 2003
Server or Vista. There's no decent way to make this work on Windows XP. The
necessary AzMan interface, IAzClientContext2, doesn't exist on XP. It's
required for using a collection of user and group SIDs from ADAM to do access
checks against AzMan. I'll post some code later...
◦IAzClientContext2 is also available on Vista, so Vista is also a viable dev
platform.
•There are some confusing interactions between the AzMan UI and the
programmatic API. If you create a Role in the AzMan UI, but don't create a
RoleAssignment, the programmatic call to IAzApplication2.OpenRole will fail.
If you create the role assignment, but don't actually assign any users or
groups to it, OpenRole succeeds. Conversely, if you call the programmatic
IAzApplication2.CreateRole method and assign operations and users to the role
in code, the RoleAssignment shows up in the UI, but not the Role itself.
•If you assign an ADAM user to be a member of an AzMan group, it won't show
up in the AzMan UI, but if you assign them directly to a Role, the ADAM
user's SID will show up (as "unknown SID") under the RoleAssignment. Either
way, the call to AccessCheck works correctly.
•You must pass the complete list of group SIDs from ADAM, by fetching the
user's "tokenGroups" property. Don't use "memberOf" because it doesn't take
into account groups which belong to other groups.
--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA

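The quoted post describes the IAzClientContext2 flow (read the user's SID and the group SIDs from ADAM's tokenGroups, hand them to AzMan, then call AccessCheck) but does not show the code. The following is an added C# example of that flow written for this page; it is not Garry's code nor the quoted author's. Everything named in it is assumed: ADAM listening on localhost:389, the store URL used later in this thread, an AzMan application called SampleApp with an operation whose ID is 1, a user entry CN=alice,OU=Users,O=Kreshiv,C=US, and the Microsoft.Interop.Security.AzRoles interop assembly for azroles.dll (from the Windows SDK, or generated with tlbimp).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles; // COM interop for azroles.dll (assumed present)

// Added example, not code from the thread. All names below are assumptions.
class AdamAzManCheck
{
    const string StoreUrl = "msldap://localhost:389/CN=AzManSample,OU=AzManADAMStore,O=Kreshiv,C=US";
    const string AppName  = "SampleApp";                                               // assumed
    const string UserDn   = "LDAP://localhost:389/CN=alice,OU=Users,O=Kreshiv,C=US";   // assumed
    const int    OpReadReport = 1;                                                     // assumed operation ID

    // Returns the user's own SID first, followed by every group SID from tokenGroups.
    // tokenGroups is computed by the directory and already contains nested groups;
    // memberOf lists direct memberships only, which is why the quoted post warns against it.
    static List<string> GetUserAndGroupSids(string userDn)
    {
        var sids = new List<string>();
        // null/null = bind with the process identity; an ADAM-only principal would pass its credentials here.
        using (var user = new DirectoryEntry(userDn, null, null, AuthenticationTypes.Secure))
        {
            // tokenGroups is a constructed attribute and is not returned unless asked for,
            // so load it (and objectSid) into the property cache explicitly.
            user.RefreshCache(new[] { "objectSid", "tokenGroups" });

            sids.Add(new SecurityIdentifier((byte[])user.Properties["objectSid"].Value, 0).Value);
            foreach (byte[] raw in user.Properties["tokenGroups"])
                sids.Add(new SecurityIdentifier(raw, 0).Value);
        }
        return sids;
    }

    // Builds a client context purely from string SIDs (IAzClientContext2, hence the
    // Server 2003 / Vista requirement in the post) and asks AzMan about one operation.
    static bool IsAllowed(IAzApplication2 app, List<string> sids, int operationId)
    {
        IAzClientContext2 ctx = app.InitializeClientContext2(sids[0], null); // user SID
        if (sids.Count > 1)
            ctx.AddStringSids(sids.GetRange(1, sids.Count - 1).ToArray());  // group SIDs

        object[] results = (object[])ctx.AccessCheck(
            "report",                    // object name, used for auditing only
            new object[] { "" },         // empty scope name = application-level check
            new object[] { operationId },
            null, null, null, null, null);

        // One Win32 status per requested operation; 0 (NO_ERROR) means access granted.
        return (int)results[0] == 0;
    }

    static void Main()
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);      // 0 = open for runtime access checks
        var app = (IAzApplication2)store.OpenApplication(AppName, null);

        List<string> sids = GetUserAndGroupSids(UserDn);
        Console.WriteLine("Operation {0}: {1}", OpReadReport,
            IsAllowed(app, sids, OpReadReport) ? "granted" : "denied");
    }
}
```

Two things to keep in mind when using this pattern. The SID list is the whole authorization decision: whatever process assembles it must read it from ADAM itself, never accept it from the client, since a caller who can supply SIDs can add any group it likes. And because the identity the process binds to ADAM with is what reads tokenGroups, that one identity is the only principal that needs read access to the user entries and to the AzMan store; the users being checked need no rights on either.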
RE: AzMan and ADAM Issues [message #156588 is a reply to message #156581] Fri, 19 June 2009 19:46
Garry Starck
Hi Again

Also used: http://msdn.microsoft.com/en-us/library/ms998331.aspx
--
Garry Starck
MCITP Enterprise Administrator, MCTS AD, MCSE 2003 Messaging, MCDBA

RE: AzMan and ADAM Issues [message #156592 is a reply to message #156581] Fri, 19 June 2009 19:40
Garry Starck
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA

RE: AzMan and ADAM Issues [message #156643 is a reply to message #156588] Mon, 22 June 2009 19:44
Kreshiv
I tried the example from this Microsoft link and it was working. But when trying to
access AzMan from WCF, I am not able to get it working.
RE: AzMan and ADAM Issues [message #156644 is a reply to message #156587] Mon, 22 June 2009 19:48
Kreshiv
Thanks for the reply, Garry. I am not worried about the result set obtained from
AzMan, nor about the roles and tasks list. I am not able to bind to AzMan from
WCF using credentials. What are the requirements an AzMan store looks for?

using Microsoft.Interop.Security.AzRoles; // COM interop assembly for azroles.dll

AzAuthorizationStore store = new AzAuthorizationStoreClass();
// The store lives in ADAM, so the policy URL uses the msldap:// scheme
store.Initialize(0,
    @"msldap://localhost:389/CN=AzManSample,OU=AzManADAMStore,O=Kreshiv,C=US",
    null);
IAzApplication app =
    store.OpenApplication(Roles.ApplicationName, null);

// Get the current user context from the caller's Windows access token handle
IAzClientContext ctx =
    app.InitializeClientContextFromToken((ulong)userToken, null);


Here is the error I am getting stuck with; I only ever get an access
rights error.

Please help me!!!
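The snippet above opens the store and builds the client context in the same place, which means whichever identity the WCF operation runs under must be able to read the store. As an added example (written for this page, not the poster's code), here is the same token-based check arranged so that the store is opened once under the host's own service account and the caller's token is used only for the client context. Assumptions: the store URL from the post, an application named SampleApp, an operation with ID 1, and a binding that authenticates callers with Windows credentials.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using Microsoft.Interop.Security.AzRoles; // COM interop for azroles.dll (assumed present)

// Added example, not code from the thread. Names below are assumptions.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    bool CanReadReport();
}

// One service instance: the store is opened once, under the identity the WCF host
// runs as (app-pool or Windows-service account). That single account is the only
// principal that needs Reader rights on the store; callers need none.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class ReportService : IReportService
{
    const string StoreUrl = "msldap://localhost:389/CN=AzManSample,OU=AzManADAMStore,O=Kreshiv,C=US";
    const string AppName  = "SampleApp"; // assumed
    const int    OpReadReport = 1;       // assumed operation ID

    private readonly IAzApplication _app;

    public ReportService()
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);          // runs as the host's service account
        _app = store.OpenApplication(AppName, null);
    }

    // Impersonation is deliberately NOT allowed: the access check must execute as the
    // service account that holds the store rights. Impersonating each caller is exactly
    // what would force every employee to be granted rights on the store.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public bool CanReadReport()
    {
        ServiceSecurityContext sc = ServiceSecurityContext.Current;
        WindowsIdentity caller = sc == null ? null : sc.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            return false; // no Windows token to build a context from: deny

        // The token handle is only valid while 'caller' is alive, so do the check inline
        // rather than caching the handle or the context across calls.
        IAzClientContext ctx = _app.InitializeClientContextFromToken(
            (ulong)caller.Token.ToInt64(), null);

        object[] results = (object[])ctx.AccessCheck(
            "report",                    // object name, used for auditing only
            new object[] { "" },         // empty scope name = application-level check
            new object[] { OpReadReport },
            null, null, null, null, null);

        return (int)results[0] == 0;     // 0 = NO_ERROR = access granted
    }
}
```

The binding has to authenticate the caller (for example wsHttpBinding with Windows client credentials), because an anonymous caller has no token for InitializeClientContextFromToken to work from; anonymous access and a token-based AzMan check cannot both be true of the same endpoint. If the caller's account is an ADAM-only principal rather than a Windows account, there is no Windows token at all and the SID-based IAzClientContext2 route from Garry's post is the one to use instead.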
RE: AzMan and ADAM Issues [message #156702 is a reply to message #156643] Tue, 23 June 2009 16:13
Kreshiv
Hi,

I tried adding the logged-in user to Admin, Reader and Delegated User in
AzMan, and also added it as Admin, Reader and User in ADAM. Now the application
is running successfully.

But I can't give administrator rights to all 600 employees in this
organization, right? What could be the solution for it?