If you use ADSI to get a DirectoryEntry object from Active Directory you'll find that the "accountExpires" property is stored as a DateTime variable in a large integer format called the IADsLargeInteger format (http://msdn.microsoft.com/en-us/library/windows/desktop/aa706037%28v=vs.85%29.aspx). The format represents a date as an 8 byte variable indicating the number of 100-nanosecond intervals since January 1, 1601 (look up the Wikipedia article for this date if you're curious as to why it's used).
Converting this format into a standard C# DateTime value requires a 2-step process of converting the IADsLargeInteger into a standard C# long value, then converting this long value into a C# date time.
I found several (incorrect) versions of functions to accomplish this on the Internet but the best functioning version (derived from MSDN's articles on accountExpires, IADsLargeInteger, and DateTime conversions) comes from Tobi's 'tips' 4 and 5 in his notes on Active Directory (http://www.fsmpi.uni-bayreuth.de/~dun3/archives/category/it/programming/active-directory):
First, convert the IADsLargeInteger into a long:
private static long ConvertLargeIntegerToLong(object largeInteger)
{
Type type = largeInteger.GetType();
int highPart = (int)type.InvokeMember("HighPart", BindingFlags.GetProperty, null, largeInteger, null);
int lowPart = (int)type.InvokeMember("LowPart", BindingFlags.GetProperty | BindingFlags.Public, null, largeInteger, null);
return (long)highPart <<32 lowpart="lowpart" p="p" uint="uint">}
Then use this to convert the long into a DateTime. Note that the DateTime is stored in UTC format -- luckily .NET has the "FromFileTimeUTC()" method ready-made to handle this for us:
object accountExpires = DirectoryEntryHelper.GetAdObjectProperty(directoryEntry, "accountExpires");
var asLong = ConvertLargeIntegerToLong(accountExpires);
if (asLong == long.MaxValue || asLong <= 0 ||
DateTime.MaxValue.ToFileTime() <= asLong)
{
return DateTime.MaxValue;
}
else
{
return DateTime.FromFileTimeUtc(asLong);
}
Note 1: "Magic values" in the accountExpires attribute
Two values in the accountExpires attribute indicate that the account is set to "Never Expires." These are zero (0) and 9223372036854775807 (0x7FFFFFFFFFFFFFFF).
See http://msdn.microsoft.com/en-us/library/windows/desktop/ms675098%28v=vs.85%29.aspx
Note 2: Getting the accountExpires attribute from an ADSI "DirectorySearcher" search result
This is very important (and delayed me quite a while when I didn't take it into account).
If you pull an account's DirectoryEntry using ADSI the 'accountExpires' property is returned as an IADsLargeInteger, but if you get it as a search result using "DirectorySearcher" the property will be presented as a standard long. No translation from IADsLongInteger are required, you'll just need to do the translation from long to DateTime ("step 2" above).
See http://forums.asp.net/t/999913.aspx and comments by MVP "Dunry" for a useful discussion of this.
Sunday, November 4, 2012
Wednesday, October 31, 2012
How to lock an Active Directory account with C#
There are a lot of answers out there to how to lock an account using ADSI -- some just wrong, others dangerously wrong.
This one works cleanly, transparently, and well:
private void LockAccount()
{
string _userAccountWithoutDomain = “test”;
string _domainName = “IND”;
string _userBadPassword = “yyyyy”; // password should be incorrect
int _passwordExpiryPolicy = 3;
string _connectionPrefix = “LDAP://” + _domainName;
for (int i = 0; i < _passwordExpiryPolicy; i++)
{
try {
new DirectoryEntry(_connectionPrefix, _userAccountWithoutDomain, _userBadPassword).RefreshCache(); }
catch (Exception)
{ }
}
}
Thanks to Sanjiv at http://sanjivblog.wordpress.com/2011/05/13/how-to-lock-the-ad-active-directory-account-programmatically-in-c/
This one works cleanly, transparently, and well:
private void LockAccount()
{
string _userAccountWithoutDomain = “test”;
string _domainName = “IND”;
string _userBadPassword = “yyyyy”; // password should be incorrect
int _passwordExpiryPolicy = 3;
string _connectionPrefix = “LDAP://” + _domainName;
for (int i = 0; i < _passwordExpiryPolicy; i++)
{
try {
new DirectoryEntry(_connectionPrefix, _userAccountWithoutDomain, _userBadPassword).RefreshCache(); }
catch (Exception)
{ }
}
}
Thanks to Sanjiv at http://sanjivblog.wordpress.com/2011/05/13/how-to-lock-the-ad-active-directory-account-programmatically-in-c/
Friday, October 26, 2012
Error message "Element 'link' cannot be nested within element "
I keep getting this wrong -- when the error message indicated in the title appears it's because I've stuck the link directive (used for bringing CSS files into an HTML document) in the wrong place.
Short answer: The "link" directive can only be used inside the "head" tag of an HTML document.
Short answer: The "link" directive can only be used inside the "head" tag of an HTML document.
jQuery error: "$ is undefined"
When using Visual Studio 2010 and coding in ASP.NET where I'm using one of the various jQuery plug-ins (a datepicker, the BlockUI page blocker utility, or the jQuery validation tools) I'll occasionally get the JavaScript error featured in the title -- it simply means that the page fired up and it couldn't resolve the "$" synonym for "jQuery."
Invariably I'll check and make sure that I've got the jQuery code "included" in the web page (which I do) but if I look at the page using Firefox "Firebug" I'll see that something will have hosed up the syntax of the include statement (based on the browser, whether I'm using master pages, nested master pages, etc.).
Being lazy I like to include files by dragging them from the "Solution Explorer" pane of Visual Studio right into the ASP.NET/HTML code. I always hope that VS2010 will just "figure out" the right syntax for me, and so long as I'm not using master- or nested-master pages I'm generally right.
Once masterpages are introduced, though, things get screwed up.
Here's a syntax solution I've found that seems to work pretty well:
Rather than:
<script src='~/scripts/jquery-1.8.2.js' type="text/javascript"></script>
I use:
<script src='<%= ResolveUrl("~/scripts/jquery-1.8.2.js") %>' type="text/javascript"></script>
It seems to circumvent the path-naming-weirdness introduced by ASP.NET-masterpage-wrapping.
Invariably I'll check and make sure that I've got the jQuery code "included" in the web page (which I do) but if I look at the page using Firefox "Firebug" I'll see that something will have hosed up the syntax of the include statement (based on the browser, whether I'm using master pages, nested master pages, etc.).
Being lazy I like to include files by dragging them from the "Solution Explorer" pane of Visual Studio right into the ASP.NET/HTML code. I always hope that VS2010 will just "figure out" the right syntax for me, and so long as I'm not using master- or nested-master pages I'm generally right.
Once masterpages are introduced, though, things get screwed up.
Here's a syntax solution I've found that seems to work pretty well:
Rather than:
<script src='~/scripts/jquery-1.8.2.js' type="text/javascript"></script>
I use:
<script src='<%= ResolveUrl("~/scripts/jquery-1.8.2.js") %>' type="text/javascript"></script>
It seems to circumvent the path-naming-weirdness introduced by ASP.NET-masterpage-wrapping.
Saturday, October 13, 2012
My persistent 500.24 error
Because of my client's NT trust relationships my websites need to use NT credentials impersonation quite frequently and I keep falling into the same trap when setting up impersonation in IIS7 (rather than IIS6, which I was kind-of used to).
I build and push out the website and then try to access a diagnostic page (which shows the current website's users credentials as understood by the web server) and get the error:
"HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode"
A couple things will float up in my mind right then -- I know that in IIS6 and older versions of IIS I always put "impersonate=true" into the web.config file and this causes problems with the new pipeline mode of IIS7. I'll knock this line out of the web.config file and it won't help -- the 500.24 error will disappear but impersonation is gone.
Then something will happen to throw me into a blind panic (usually a required demo in ten minutes or some other "show and tell" nonsense that means I've got to get this resolved fast) and I'll start flailing around trying to fix it. I always do, but I want much less stress in my life -- so here are the basic steps again as a reminder so the experience can be shorter next time:
- Go into IIS7 manager and reset the website's application pool to use the "Classic" pipeline
- Modify the web.config file to include:
(The latter has a nice section that explains this error very well.)
I build and push out the website and then try to access a diagnostic page (which shows the current website's users credentials as understood by the web server) and get the error:
"HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode"
A couple things will float up in my mind right then -- I know that in IIS6 and older versions of IIS I always put "impersonate=true" into the web.config file and this causes problems with the new pipeline mode of IIS7. I'll knock this line out of the web.config file and it won't help -- the 500.24 error will disappear but impersonation is gone.
Then something will happen to throw me into a blind panic (usually a required demo in ten minutes or some other "show and tell" nonsense that means I've got to get this resolved fast) and I'll start flailing around trying to fix it. I always do, but I want much less stress in my life -- so here are the basic steps again as a reminder so the experience can be shorter next time:
- Go into IIS7 manager and reset the website's application pool to use the "Classic" pipeline
- Modify the web.config file to include:
<system.webServer> <validation validateIntegratedModeConfiguration="false"/></system.webServer> See these links for more (and better) information:(The latter has a nice section that explains this error very well.)
My persistent website 401 error
This is a reminder to myself.
I work in an NT environment with multiple domains (e.g. domainA, domainB, and domainC) where one domain ("domainC") trusts the other two domains.
I keep my IIS7 website in domainC and want users in any of the domains to be able to access it using their domain's credentials.
I make sure to disable anonymous access on my website and enable integrated windows authentication so that users will come into the website using their current credentials.
The roadblock I experience each time is that I'll set up the website and test it using an account in domainC and all will be well. During final testing I go over to domainB or domainA, log in, and try to get into the website and run into a "401" error.
I always do this: I'll go back to the website and try and reset permissions to the website's directory to allow "domainA\Everyone" and "domainB\Everyone" to have access, but for some reason I won't be able to. I'll remark again that this works in my personal devlab but not in the client's environment. I'll remember hearing that there's some sort of firewall blockage on LDAP calls between domains in this environment.
I'll try to create a domain local group in domainC and add the domainA\Everyone and domainB\Everyone groups into a local group I can give website rights to, but that won't work either.
I'll get frustrated here and start Googling and 4-5 hours will disappear as I learn how little I really know about security (and pursue several blind-alley solutions proposed by some other clueless bloggers).
I'll then spend another hour dicking around with every setting conceivable on my website, and then create a small sample "WhoAmI" website that just returns the current user's credentials. Setting security on this test website, I'll turn off anonymous access, turn on nt authentication, and then give the local group WEBSERVERNAME\Users all rights to the website and discover that I can now access it from all the trusted domains.
The lesson here is to start by giving the WEBSERVERNAME\Users local group basic rights to the website just to get started.
This has cost me several hours to recreate twice -- Note to self: don't do this again.
I work in an NT environment with multiple domains (e.g. domainA, domainB, and domainC) where one domain ("domainC") trusts the other two domains.
I keep my IIS7 website in domainC and want users in any of the domains to be able to access it using their domain's credentials.
I make sure to disable anonymous access on my website and enable integrated windows authentication so that users will come into the website using their current credentials.
The roadblock I experience each time is that I'll set up the website and test it using an account in domainC and all will be well. During final testing I go over to domainB or domainA, log in, and try to get into the website and run into a "401" error.
I always do this: I'll go back to the website and try and reset permissions to the website's directory to allow "domainA\Everyone" and "domainB\Everyone" to have access, but for some reason I won't be able to. I'll remark again that this works in my personal devlab but not in the client's environment. I'll remember hearing that there's some sort of firewall blockage on LDAP calls between domains in this environment.
I'll try to create a domain local group in domainC and add the domainA\Everyone and domainB\Everyone groups into a local group I can give website rights to, but that won't work either.
I'll get frustrated here and start Googling and 4-5 hours will disappear as I learn how little I really know about security (and pursue several blind-alley solutions proposed by some other clueless bloggers).
I'll then spend another hour dicking around with every setting conceivable on my website, and then create a small sample "WhoAmI" website that just returns the current user's credentials. Setting security on this test website, I'll turn off anonymous access, turn on nt authentication, and then give the local group WEBSERVERNAME\Users all rights to the website and discover that I can now access it from all the trusted domains.
The lesson here is to start by giving the WEBSERVERNAME\Users local group basic rights to the website just to get started.
This has cost me several hours to recreate twice -- Note to self: don't do this again.
Friday, August 3, 2012
Searching a list<string> with case insensitivity
A lot of my web methods generate a list of strings from different sources that I want to quickly scan using the ".contains()" method.
Unfortunately the default method is case sensitive and, since I get information from different sources with differing casing-methods, my code will miss matches with slightly different casing.
Console.WriteLine someStrings.contains(findMe); ==== Console === (false) ================
The bad solution is to go thru the list using .tolower() to lowercase all the members and compare each one against the comparator -- with the advent of LINQ there's a new overload for the method which allows comparisons without regard to case:
string findMe = "String2Find"; List someStrings = new List{"one", "Two", "string2FIND", "Three"}; Console.WriteLine someStrings.contains(findMe, StringComparer.OrdinalIgnoreCase);
==== Console === (true) ================
I couldn't find this in the standard MSDN locations but it popped out at https://nickstips.wordpress.com/2010/08/24/c-ignore-case-on-list-contains-method/#comment-801
Unfortunately the default method is case sensitive and, since I get information from different sources with differing casing-methods, my code will miss matches with slightly different casing.
string findMe = "String2Find";
List someStrings = new List{"one", "Two", "string2FIND", "Three"};
Friday, July 27, 2012
Learning WCF - Port contention issues during debugging
When working through exercises from the MSPress book on WCF for .NET
3.5 and from Bustamente's "Learning WCF" I ran into an issue when
"self-hosting" WCF services in a console application.
One self-hosting example featured a solution with two projects: 1) a WCF service ("library") project and 2) a console app used to host the WCF service in the library project. Each had an "app.config" file in it indicating that it wanted to use port 8080 under the local host URL:
The solution built fine but when trying to run it presented this error message:
If I changed the port number in either of the app.config files the code would run fine.
The problem turns out to be with a Visual Studio 2010 feature I was unaware of. When you start a solution which has a WCF service in it Visual Studio will quietly start the WCF hosting service for the WCF service before running the code in the solution -- this causes the library project and the WCF hosting service to grab the port first and then prevent the self-hosting console code from running on that port.
The solution is very simple: Right-click the WCF service project (the "library" project) in the solution, bring up its properties, and take a look at the "WCF Options" tab on the properties screen. Uncheck the "Start WCF host when debugging another project in the same solution" checkbox and the project should run correctly.
One self-hosting example featured a solution with two projects: 1) a WCF service ("library") project and 2) a console app used to host the WCF service in the library project. Each had an "app.config" file in it indicating that it wanted to use port 8080 under the local host URL:
... snip ...
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/NetStarCommandService" />
</baseAddresses>
</host>
... snip ...
The solution built fine but when trying to run it presented this error message:
"HTTP
could not register URL http://+:8080/NetStarCommandService/. Another
application has already registered this URL with HTTP.SYS"
If I changed the port number in either of the app.config files the code would run fine.
The problem turns out to be with a Visual Studio 2010 feature I was unaware of. When you start a solution which has a WCF service in it Visual Studio will quietly start the WCF hosting service for the WCF service before running the code in the solution -- this causes the library project and the WCF hosting service to grab the port first and then prevent the self-hosting console code from running on that port.
The solution is very simple: Right-click the WCF service project (the "library" project) in the solution, bring up its properties, and take a look at the "WCF Options" tab on the properties screen. Uncheck the "Start WCF host when debugging another project in the same solution" checkbox and the project should run correctly.
Monday, June 25, 2012
Getting started with WCF - A Security Issue
Most of the free documentation I've been reading on WCF starts with a first "Hello World" application you try and create with WCF wherein you set up a contract, service, and host and then develop a client to call that host which returns a simple text string (e.g., "Hello WCF").
Most of this free documentation came out when WCF was first introduced, before the introduction of the Vista OS and Windows 7, and implicitly assumes that you're coding under credentials with admin rights on your machine.
The first roadblock I ran into, then, was a security access violation with an error message that read like:
"HTTP could not register URL http://+:800/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkID=70353 for details).
Having run into this sort of issue before my immediate response was to try running the binaries under my machine's sysadmin account, but it still didn't work.
It turns out that listening on an HTTP port is considered a restricted operation in MS post-XP OS's, so if you want to do this using your standard dev account you'll need to explicitly elevate its rights to include listening on specific HTTP ports. The NETSH command to do this for me was:
netsh http add urlacl url=http://+:8000/user=graperpc\dgraper
You can then check the current status of listening rights by entering:
netsh http show urlacl
Most of this free documentation came out when WCF was first introduced, before the introduction of the Vista OS and Windows 7, and implicitly assumes that you're coding under credentials with admin rights on your machine.
The first roadblock I ran into, then, was a security access violation with an error message that read like:
"HTTP could not register URL http://+:800/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkID=70353 for details).
Having run into this sort of issue before my immediate response was to try running the binaries under my machine's sysadmin account, but it still didn't work.
It turns out that listening on an HTTP port is considered a restricted operation in MS post-XP OS's, so if you want to do this using your standard dev account you'll need to explicitly elevate its rights to include listening on specific HTTP ports. The NETSH command to do this for me was:
netsh http add urlacl url=http://+:8000/user=graperpc\dgraper
You can then check the current status of listening rights by entering:
netsh http show urlacl
Friday, April 27, 2012
Extremely slow response with a VS2010 solution
I copied a solution from my dev environment into a production environment and noted an extreme decrease in responsiveness ... e.g., a five second delay between a keypress and its appearing on the screen; 30 seconds plus to go from designer view to code view, etc.
The solution was pretty simple (although it destroys all my breakpoints) -- delete the SUO file for the project so that VS2010 has to build a new one. Once that was done, performance was normal.
The solution was pretty simple (although it destroys all my breakpoints) -- delete the SUO file for the project so that VS2010 has to build a new one. Once that was done, performance was normal.
Tuesday, March 6, 2012
Converting everything in a file to lowercase with GVIM
To do it as a "replace":
:%s/[A-Z]/\L&/g
The obverse (to convert all to uppercase):
:%s/[A-Z]/\U&/g
Or, simply type:
ggVGu
:%s/[A-Z]/\L&/g
The obverse (to convert all to uppercase):
:%s/[A-Z]/\U&/g
Or, simply type:
ggVGu
Subscribe to:
Posts (Atom)