Active Directory « Web Active Directory Blog

Archive for the 'Active Directory' Category

Exchange 2007 PowerShell Errors with New-Mailbox Cmdlet and IIS with ASP.NET

I recently was working on a customer implementation of our PeopleProvision solution and I needed to create a new Exchange mailbox for new user accounts in Active Directory. Our customer uses Exchange 2007 and, after installing the Exchange Management Shell that includes PowerShell cmdlets used to create mailboxes, the system seemed ready to go. I kept running into the following error, though, when trying to create the Exchange mailbox using the PeopleProvision web application and the New-Mailbox cmdlet.

Database "my-exchange-server\First Storage Group\Mailbox Database" was not found. Please make sure you have typed it correctly.

PeopleProvision runs on the ASP.NET 4 framework on IIS, in this case IIS 7.5 on Windows Server 2008 R2. Considering the fact that I could run the exact same mailbox command via a PowerShell command shell and successfully create a new mailbox, I knew this was a permissions issue with the process identity executing PowerShell on behalf of PeopleProvision. Figuring out the exact permissions required to allow the ASP.NET web application to work, though, took some time to figure out. My solution and approach follows.

Our Solution

Note: Be aware that this approach exposes significant security vulnerabilities in the case where the application pool identity is compromised. For this particular instance, our customer is running a completely internal web application that has no public internet exposure outside the DMZ firewall. The only real security risk is from internal users who might be savvy enough to compromise an IIS 7.5 process but the security vulnerability is very low in this case. The discussion at http://forums.asp.net/t/1272317.aspx/1/10 has some very good insight into this issue and actually proposes a slick approach using Microsoft WCF or WF to minimize the exposure of a privileged account.

The first thing to understand is which account is actually executing the Exchange Management Shell’s New-Mailbox cmdlet. In our case, we were using the built-in Network Service account (I prefer the application pool identity normally but we had some other issues that required Network Service) to run the application pool. After futzing around with lots of privilege elevation for the web server’s machine account (the way Windows identifies the Network Service account between two different machines), the Exchange commands still weren’t working.

Since impersonation is impossible with the Exchange 2007 cmdlets (you *can* impersonate in Exchange 2010 using remote PowerShell), the only way to change the execution context is to change the account running the PowerShell process. With an ASP.NET application on IIS 7.5, the execution context is the application pool identity. I created a dedicated service account to use to run the application pool for the web application, then added the service account to the local web server’s IIS_IUSRS group to allow it to properly run ASP.NET apps. I then added the service account to the AD domain’s Exchange Recipient Administrators group. This allows the account to create new mailbox recipients in Exchange 2007.

After a quick IIS restart, the solution allowed for creation of a new mailbox in Exchange using PowerShell running under an IIS application pool identity. In summary, be aware of your security context when working with web applications and work from the bottom up to determine how to apply the proper permissions for your application. Also make sure you restart IIS after changing app pool accounts or adding an app pool account to an AD group. Otherwise, the changes you made may not apply because of IIS and PowerShell caching.

Active Directory Management Gateway Service (ADMGS) Errors and McAfee Anti-Virus Software

Published January 20, 2012 Active Directory , Active Directory Management Gateway Service , Microsoft Active Directory , PeopleProvision , Powershell , Windows 7 , Windows Server 2008 , Windows Server 2008 R2 Leave a Comment
Tags: Active Directory, Active Directory Management Gateway Service, AD, ADMGS, Powershell, windows 7, windows server 2008, windows server 2008 R2

I posted last month about an issue with the Active Directory Management Gateway Service (ADMGS) on Windows Server 2008. The ADMGS (which runs as the Active Directory Web Services, ADWS, service) allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

I saw the following error messages when running the “import-module activedirectory” command in PowerShell.

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

I was able to diagnose the ultimate cause based on my previous post but still was receiving errors even after mucking with NTFS directory permissions for temporary .NET files. I finally had the idea to check on anti-virus software to see if that was blocking the communication. Wallah! The domain controller had anti-virus software installed (in this case it was McAfee) and as soon as I adjusted the AV software configuration the AD connection was allowed. The log entries below help pinpoint the cause.

1/19/2012 5:22:05 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe C:\Windows\TEMP\t0sggpq5.dll Common Maximum Protection:Prevent creation of new executable files in the Windows folder Action blocked : Create

1/19/2012 5:22:07 PM Would be blocked by Access Protection rule (rule is currently not enforced) NT_DOMAIN\SRS-RMRES2-02$ System:Remote C:\Windows\SYSVOL\domain\Policies\{1C9122E4-78CD-4001-A2E7-8BBCA348C893}\GPT.INI Anti-virus Outbreak Control:Block read and write access to all shares Action blocked : Read

So make sure to check your AV software if you have this kind of problem…it just might be the key to a solution!

Web Active Directory Releases Replacement for Microsoft IISADMPWD for Windows IIS7

Published January 6, 2012 Active Directory , Active Directory Password , IIS , IISADMPWD Replacement , Product Releases , Tools Leave a Comment
Tags: IIS, iis 7, iis 7.5, iisadmpwd, password change, Windows 2008, windows 2008 r2, windows password

We officially launched our Microsoft^® IISADMPWD Replacement Tool today. Our simple solution addresses several issues with previous versions of IISADMPWD and allows you to delegate Windows password changes for web applications running on IIS 7 and later. At $599 USD, the new solution provides lots of value to allow users to self manage passwords for a small price. You can get more info about the solution at http://www.webactivedirectory.com/products/iisadmpwd/.

More Information

I have blogged about the need for an IISADMPWD replacement in the past and check out the articles below to learn more about why we built this solution for IIS 7.

Diagnose Active Directory Management Gateway Service (ADMGS) Errors

Published December 15, 2011 Active Directory , Active Directory Management Gateway Service , Microsoft Active Directory , PeopleProvision , Powershell , Windows 7 , Windows Server 2008 , Windows Server 2008 R2 Leave a Comment
Tags: Active Directory, Active Directory Management Gateway Service, AD, ADMGS, Powershell, windows 7, windows server 2008, windows server 2008 R2

I recently worked on a Windows Server 2008 system with the Active Directory Management Gateway Service (ADMGS) installed. The ADMGS allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

The ADMGS service (which runs as the Active Directory Web Services, ADWS, service) worked fine for several months but decided to begin having problems recently. We saw the following error message when running the “import-module activedirectory” command in PowerShell

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

Needing to troubleshoot the source of the issue, I messed with the IncludeExceptionDetailInFaults attribute in the C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config file. However, this proved to be a daunting task for a number of reasons so I moved on to another solution. (View an example of setting the IncludeExceptionDetailInFaults attribute.)

Finally, I located a post that helped break this open. Adding a couple of debug keys in the <AppSettings> section of the config file allowed me to log the ADMGS error on the server and diagnose the real source of the error.

<add key="DebugLevel" value="Info" />
<add key="DebugLogFile" value="C:\Windows\Debug\adws.log" />

Use the following valid string values (not numeric values) for the DebugLevel value.This will add diagnostic info into the debug log at the DebugLogFile path you specify.

0 – No logging
1 – Error (this logs critical errors only)
2 – Warn (this logs warning events as well as error events) – Recommended value to use unless you need full tracing
3 – Info (verbose)

Once I set up debugging and restarted the ADMGS service, I got to the bottom of the problem with the error below and I can now address the permissions issue that is causing connection problems with the “import-module activedirectory” PowerShell command.

ActiveDirectoryWebServices: [xx/xx/2011 6:14:15 PM] [3] Get: Unhandled Exception System.UnauthorizedAccessException: Access to the temp directory is denied. Identity 'YOUR_DOMAIN\YourAccount' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.

PowerShell Errors Connecting to Active Directory Domains and Forests

Published October 13, 2011 Active Directory , Microsoft Active Directory , Powershell Leave a Comment
Tags: get-addomain, new-psdrive, Powershell, server 2003, server 2008, windows server, windows server 2008, windows server 2008 R2

I needed to work with data from a child domain in our test environment so I tried to access the child domain using the Get-ADDomain cmdlet from the Active Directory module for PowerShell. When that operation failed, I attempted to map a PS drive to the child domain instead, but this operation failed as well. However, both the Get-ADDomain and New-PSDrive cmdlets work fine in the root domain of the forest.

I noted the following errors messages with each cmdlet and the New-PSDrive error message holds the key to solving the problem.

Get-ADDomain : Cannot find an object with identity: ‘child.root.local’ under: ‘DC=root,DC=local’.

New-PSDrive : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.

Resolution

The New-PSDrive error message best exposes the source of the problem. I know the server and domain exist so that’s not the problem. Instead, the Active Directory module cmdlets cannot contact the domain because it does not have at least one Windows Server 2008 R2 domain controller in the domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 server.

Aha! My child domain does not have any Server 2008 R2 DCs or LDS instances. So how can I address this? There are a few options.

Install the Active Directory Management Gateway Service on at least one non-2008 R2 domain controller, including Server 2003 and 2008. This provides a Web service interface to Active Directory domains and instances of Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) that are running on the same server as the Active Directory Management Gateway Service.
Promote an existing Server 2008 R2 member server in the domain to a domain controller.
Upgrade at least one DC in the domain to Server 2008 R2.

Active Directory Attributes for Remote Desktop Services

Published October 5, 2011 .NET , Active Directory , Microsoft Active Directory , Remote Desktop Services , Windows Server 2008 , Windows Server 2008 R2 Leave a Comment
Tags: Active Directory, Active Directory Attributes, rds, rds profile, Remote Desktop Services, update active directory, userParameters

We are working with a customer who needs to set some values for the Remote Desktop Services (RDS) Profile (formerly Terminal Services) attributes in Active Directory. Even after working with AD and programming for it for more than 10 years, I’ve never had the need to access these attributes until now. Easy enough, right? We’ll just look up the attributes in the AD schema and be off and running.

Alas, it’s not that easy to set the Remote Desktop Services Profile attribute values in AD. All RDS parameters are stored in a BLOB (binary large object) in the Active Directory userParameters attribute. If you want to interact with this value directly through LDAP, you must decode and encode the attribute value to access the individual BLOB members that represent the values for the RDS Profile attributes. The encoding algorithm is a bit strange, though, and poorly documented. I found a fairly clear and precise reference for the BLOB encoding algorithm (ironically, for use by a Linux admin) and you can give it a try but there is a better option to interact with RDS profile attribute values if you have access to the COM API.

An article by Alejandro Campos Magencio does a nice job of spelling out the technical details needed to properly implement reading and writing RDS Profile attributes in AD. Microsoft added AD schema extensions in Server 2008 to support this need with the msTSProfilePath, msTSHomeDrive and msTSHomeDirectory attributes. At this point, though, these attributes aren’t being used and you still must rely upon the userParameters BLOB. The Tsuserex.dll library provides an ADSI (Active Directory Service Interfaces) extension that allows you to work with RDS profile values through the IADsTSUserEx interface. The interface implements properties including TerminalServicesHomeDirectory, TerminalServicesHomeDrive and TerminalServicesProfilePath that allow you to read and modify RSD profile values in the userParameters BLOB.

This should help you get started with an implementation. I will explore this subject more in a later post and provide some PowerShell and C# code to help illustrate how to read and write RDS profile attributes in AD.

Active Directory management built for MSPs

Published October 3, 2011 Active Directory , Microsoft Active Directory , PeoplePassword , PeopleProvision , PeopleSearch & PeopleUpdate Leave a Comment
Tags: Active Directory, managed service providers, map, peoplepassword, PeopleSearch, PeopleUpdate

We have been getting a ton of traffic lately from MSPs that are becoming more and more frustrated with managing data and accounts in Active Directory and the operational costs associated with this menial task. Most of the administrators have been toying with the idea of actually creating their own web applications to delegate out to their customers, but cannot find the time.

The MSPs that do eventually break down and start looking for existing tools find them to be very complicated for their needs and are priced to meet enterprise needs and not theirs (a per-user model).

We have been hit over the head too many times to not make an attempt to satisfy MSP’s needs, so WebAD is now providing tools specific to the MSP market and priced at a low fixed monthly rate.

Call us to learn more about this offering for MSPs and let us show how we can meet the needs of Active Directory account and data management and meet your pricing expectations. You may also ask us how some MSPs are actually turning our tools into a revenue source as well!

Call me at +1 (800)747-3565 or email me at Steve.denney@webactivedirectory.com for more information.

A Replacement for IISADMPWD in IIS 7

Published September 29, 2011 Active Directory , IIS , Tools , Windows Server 2008 , Windows Server 2008 R2 2 Comments
Tags: authentication, IIS, iis 7, iis 7.5, iisadmpwd, user must change password at next logon, windows server, windows server 2008, windows server 2008 R2

Many organizations have employed Microsoft’s IISADMPWD tool to allow password changes in Active Directory for web applications. Originally intended as the way to change passwords for access in Outlook Web Access (OWA), IISADMPWD became quite a useful solution for any organization that wanted to delegate access to AD password changes via a web application.

With the release of IIS 7 and its architectural and security changes from previous versions of IIS, there are certain situations where the old IISADMPWD will not work. In fact, Microsoft doesn’t even support IISADMPWD on IIS 7 and later although some organizations have been able to deploy it in an unsupported fashion.

The main situation where IIS 7 behaves differently from previous versions of IIS is when a user needs to change her password and the “User must change password at next logon” flag is set in Active Directory. In this situation, we’ve not found a way to authenticate a user with either Windows or Basic authentication in IIS and the old IISADMPWD tool cannot meet the requirements to allow the password change for users with this flag set. This is problematic since the scenario where a user needs to change her password after an administrative reset is very common.

Web Active Directory has developed a replacement for IISADMPWD that uses anonymous authentication to work around the IIS 7 authentication issue when the ”User must change password at next logon” flag is set for a user. Tomorrow we will take a closer look at the architectural approach and a new tool that WebAD developed to help in this scenario.

Contact Web Active Directory for more information about the IISADMPWD replacement tool for IIS 7.

Binding to Active Directory: AD Connections De-mystified, Part 5

Published September 16, 2011 .NET , .NET , Active Directory , Microsoft Active Directory Leave a Comment
Tags: Active Directory, AD, ADSI, adspath, bind, bind path, connection string, LDAP, object name, provider, server

Note: This series covers Active Directory connection strings, often referred to as bind paths, with the goal of simplifying the process of creating an AD bind path. A significant amount of the information for this series comes from the wonderful AD programming book, The .NET Developer’s Guide to Directory Services Programming, by Ryan Dunn and Joe Kaplan. The LDAP ADsPath article on MSDN also provides good insight into creating valid bind paths for Active Directory.

Overview of Part 5

In Part 1 of this series, we examined the basics of Active Directory bind paths. In Part 2, we looked more deeply into the components of a bind path. In Part 3, we took apart the server name syntax and checked out serverless binding. In Part 4, we examined using distinguished names to connect to objects in Active Directory. In this final post of the series, we look at binding to Active Directory objects using GUIDs and SIDs.

Using GUIDs in Object Names

You can specify object names in Active Directory using a special GUID syntax in the following form. One very nice feature of binding using GUIDs is that the GUID stays the same for an object even when the object is renamed or moved across domains.

<GUID=guidvalue>

You must keep the angle brackets and GUID keyword to tell AD that you are binding using the GUID object name syntax. This refers to the objectGUID attribute for an object. The key here is to use correct form of the GUID since there are a couple of forms of GUIDs available based on legacy x86 details. If the GUID contains dashes, use the COM string format. Otherwise, use the binary octet string format.

An example of a GUID bind path follows.

LDAP://<GUID=ec2b2b8f-dcd5-41c3-aa9e-2e9d26e46a10>

You can also use GUIDs to access well-known objects in AD like the Users and Computers containers. Use the following form to define a well-known GUID bind path.

<WKGUID=Guid,Domain Partition DN>

In this format, the Guid is the GUID identifier (GUID_USERS_CONTAINER_W or GUID_COMPUTERS_CONTAINER_W, for example) and the Domain Partition DN is the DN of the root domain, for example DC=mydomain,DC=local. You may choose well-known GUIDs from the list below to access different well-known containers in Active Directory.

GUID_USERS_CONTAINER_W: Users container
GUID_COMPUTERS_CONTAINER_W: Computers container
GUID_SYSTEMS_CONTAINER_W: Systems container
GUID_DOMAIN_CONTROLLERS_CONTAINER_W: Domain Controllers container
GUID_INFRASTRUCTURE_CONTAINER_W: Infrastructure container
GUID_DELETED_OBJECTS_CONTAINER_W: Deleted Objects container
GUID_LOST_AND_fOUND_CONTAINER_W: Lost and Foundcontainer

Check out the example of a well-known GUID bind path that connects to the Users container in the mydomain.local domain.

LDAP://<WKGUID=GUID_USERS_CONTAINER_W,DC=mydomain,DC=com>

Using SIDs in Object Names

Finally, AD allows you to bind to an object name by an object’s SID. Not all objects in AD have SIDs so make sure you only try to bind by SID to objects that are security principals, including user accounts, groups and computers. Also be aware that SIDs can change as objects move across domains but you can always look up previous SIDs after changes using the sidHistory attribute.

Use the following syntax to bind to an object by its SID.

<SID=sidvalue>

Here, the sidvalue can support either a hexadecimal octet string or the Security Descriptor Description Language (SDDL) format that looks like S-1-5-xxxx. Be careful to use the SDDL format with Windows Server 2003 AD and later since Windows 2000 only supports the octet string syntax. Also remember that since SIDs can change from domain to domain, you cannot use a global catalog (GC) bind to a global catalog server or you will get an error.

The follow example shows a SID bind using the SDDL format.

LDAP://<SID=S-1-5-21-1720926295-173614409-390823645-1127>

Binding to Active Directory: AD Connections De-mystified, Part 4

Published September 15, 2011 .NET , .NET , Active Directory , Microsoft Active Directory 1 Comment
Tags: Active Directory, AD, ADSI, adspath, bind, bind path, connection string, LDAP, object name, provider, server

Overview of Part 4

In Part 1 of this series, we examined the basics of Active Directory bind paths. In Part 2, we looked more deeply into the components of a bind path. In Part 3, we took apart the server name syntax and checked out serverless binding. In this article, we examine using distinguished names to connect to objects in Active Directory.

What is a Distinguished Name?

Active Directory uses a distinguished names (DN) as a path to uniquely identify an object in the directory. You can use a DN to hook to OU containers, user accounts, groups, schema objects and anything else stored in AD. Since AD is an LDAP directory, it stores objects in a hierarchical tree like a filesystem and you can use DNs as a sort of path syntax to hook into an object.

DN Path Syntax

DNs use a syntax similar to a filesystem path as each piece of the DN is more specific to where the object resides in the directory. Look at the following example of a DN.

CN=Test User,OU=UserContainer,DC=mydomain,DC=local

In this example, we have four components of the path, each separated by a comma. You read the DN from left to right where the leftmost component is the most specific node in the directory tree and specifies the object identified by the DN. In this case, that object is a user account with the common name (CN) of Test User.

Working to the right, we see that the Test User account is in an organizational unit (OU) called UserContainer. This container is a child of the root of the namespace, mydomain.local.

Finally, the namespace root of mydomain.local is specified by the last two components, DC=mydomain,DC=local. Technically, both the domain component (DC) values here are actually part of the same component as the combination of the two specifies the root of the namespace. In general, just remember that when you use the DNS name of a domain or forest in a DN, you need to add a “DC=” for each part of the DNS name when creating the DN.

Special DN Characters

DNs are very powerful for addressing objects in AD but sometimes you have to be careful if a directory has containers or objects that contain special characters. The following characters are reserved in AD and cannot be included in a DN unless they are escaped with the \ character.

<,;+\/">

You also must escape the # character if it is the first character in a DN. When using any special reserved characters in a DN, you must escape them using the \ character. Note that spaces in a name do not need to be escaped.

Web Active Directory Blog