There are a lot of answers out there to how to lock an account using ADSI -- some just wrong, others dangerously wrong.
This one works cleanly, transparently, and well:
private void LockAccount()
{
string _userAccountWithoutDomain = “test”;
string _domainName = “IND”;
string _userBadPassword = “yyyyy”; // password should be incorrect
int _passwordExpiryPolicy = 3;
string _connectionPrefix = “LDAP://” + _domainName;
for (int i = 0; i < _passwordExpiryPolicy; i++)
{
try {
new DirectoryEntry(_connectionPrefix, _userAccountWithoutDomain, _userBadPassword).RefreshCache(); }
catch (Exception)
{ }
}
}
Thanks to Sanjiv at http://sanjivblog.wordpress.com/2011/05/13/how-to-lock-the-ad-active-directory-account-programmatically-in-c/
Wednesday, October 31, 2012
Friday, October 26, 2012
Error message "Element 'link' cannot be nested within element "
I keep getting this wrong -- when the error message indicated in the title appears it's because I've stuck the link directive (used for bringing CSS files into an HTML document) in the wrong place.
Short answer: The "link" directive can only be used inside the "head" tag of an HTML document.
Short answer: The "link" directive can only be used inside the "head" tag of an HTML document.
jQuery error: "$ is undefined"
When using Visual Studio 2010 and coding in ASP.NET where I'm using one of the various jQuery plug-ins (a datepicker, the BlockUI page blocker utility, or the jQuery validation tools) I'll occasionally get the JavaScript error featured in the title -- it simply means that the page fired up and it couldn't resolve the "$" synonym for "jQuery."
Invariably I'll check and make sure that I've got the jQuery code "included" in the web page (which I do) but if I look at the page using Firefox "Firebug" I'll see that something will have hosed up the syntax of the include statement (based on the browser, whether I'm using master pages, nested master pages, etc.).
Being lazy I like to include files by dragging them from the "Solution Explorer" pane of Visual Studio right into the ASP.NET/HTML code. I always hope that VS2010 will just "figure out" the right syntax for me, and so long as I'm not using master- or nested-master pages I'm generally right.
Once masterpages are introduced, though, things get screwed up.
Here's a syntax solution I've found that seems to work pretty well:
Rather than:
<script src='~/scripts/jquery-1.8.2.js' type="text/javascript"></script>
I use:
<script src='<%= ResolveUrl("~/scripts/jquery-1.8.2.js") %>' type="text/javascript"></script>
It seems to circumvent the path-naming-weirdness introduced by ASP.NET-masterpage-wrapping.
Invariably I'll check and make sure that I've got the jQuery code "included" in the web page (which I do) but if I look at the page using Firefox "Firebug" I'll see that something will have hosed up the syntax of the include statement (based on the browser, whether I'm using master pages, nested master pages, etc.).
Being lazy I like to include files by dragging them from the "Solution Explorer" pane of Visual Studio right into the ASP.NET/HTML code. I always hope that VS2010 will just "figure out" the right syntax for me, and so long as I'm not using master- or nested-master pages I'm generally right.
Once masterpages are introduced, though, things get screwed up.
Here's a syntax solution I've found that seems to work pretty well:
Rather than:
<script src='~/scripts/jquery-1.8.2.js' type="text/javascript"></script>
I use:
<script src='<%= ResolveUrl("~/scripts/jquery-1.8.2.js") %>' type="text/javascript"></script>
It seems to circumvent the path-naming-weirdness introduced by ASP.NET-masterpage-wrapping.
Saturday, October 13, 2012
My persistent 500.24 error
Because of my client's NT trust relationships my websites need to use NT credentials impersonation quite frequently and I keep falling into the same trap when setting up impersonation in IIS7 (rather than IIS6, which I was kind-of used to).
I build and push out the website and then try to access a diagnostic page (which shows the current website's users credentials as understood by the web server) and get the error:
"HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode"
A couple things will float up in my mind right then -- I know that in IIS6 and older versions of IIS I always put "impersonate=true" into the web.config file and this causes problems with the new pipeline mode of IIS7. I'll knock this line out of the web.config file and it won't help -- the 500.24 error will disappear but impersonation is gone.
Then something will happen to throw me into a blind panic (usually a required demo in ten minutes or some other "show and tell" nonsense that means I've got to get this resolved fast) and I'll start flailing around trying to fix it. I always do, but I want much less stress in my life -- so here are the basic steps again as a reminder so the experience can be shorter next time:
- Go into IIS7 manager and reset the website's application pool to use the "Classic" pipeline
- Modify the web.config file to include:
(The latter has a nice section that explains this error very well.)
I build and push out the website and then try to access a diagnostic page (which shows the current website's users credentials as understood by the web server) and get the error:
"HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode"
A couple things will float up in my mind right then -- I know that in IIS6 and older versions of IIS I always put "impersonate=true" into the web.config file and this causes problems with the new pipeline mode of IIS7. I'll knock this line out of the web.config file and it won't help -- the 500.24 error will disappear but impersonation is gone.
Then something will happen to throw me into a blind panic (usually a required demo in ten minutes or some other "show and tell" nonsense that means I've got to get this resolved fast) and I'll start flailing around trying to fix it. I always do, but I want much less stress in my life -- so here are the basic steps again as a reminder so the experience can be shorter next time:
- Go into IIS7 manager and reset the website's application pool to use the "Classic" pipeline
- Modify the web.config file to include:
<system.webServer> <validation validateIntegratedModeConfiguration="false"/></system.webServer> See these links for more (and better) information:(The latter has a nice section that explains this error very well.)
My persistent website 401 error
This is a reminder to myself.
I work in an NT environment with multiple domains (e.g. domainA, domainB, and domainC) where one domain ("domainC") trusts the other two domains.
I keep my IIS7 website in domainC and want users in any of the domains to be able to access it using their domain's credentials.
I make sure to disable anonymous access on my website and enable integrated windows authentication so that users will come into the website using their current credentials.
The roadblock I experience each time is that I'll set up the website and test it using an account in domainC and all will be well. During final testing I go over to domainB or domainA, log in, and try to get into the website and run into a "401" error.
I always do this: I'll go back to the website and try and reset permissions to the website's directory to allow "domainA\Everyone" and "domainB\Everyone" to have access, but for some reason I won't be able to. I'll remark again that this works in my personal devlab but not in the client's environment. I'll remember hearing that there's some sort of firewall blockage on LDAP calls between domains in this environment.
I'll try to create a domain local group in domainC and add the domainA\Everyone and domainB\Everyone groups into a local group I can give website rights to, but that won't work either.
I'll get frustrated here and start Googling and 4-5 hours will disappear as I learn how little I really know about security (and pursue several blind-alley solutions proposed by some other clueless bloggers).
I'll then spend another hour dicking around with every setting conceivable on my website, and then create a small sample "WhoAmI" website that just returns the current user's credentials. Setting security on this test website, I'll turn off anonymous access, turn on nt authentication, and then give the local group WEBSERVERNAME\Users all rights to the website and discover that I can now access it from all the trusted domains.
The lesson here is to start by giving the WEBSERVERNAME\Users local group basic rights to the website just to get started.
This has cost me several hours to recreate twice -- Note to self: don't do this again.
I work in an NT environment with multiple domains (e.g. domainA, domainB, and domainC) where one domain ("domainC") trusts the other two domains.
I keep my IIS7 website in domainC and want users in any of the domains to be able to access it using their domain's credentials.
I make sure to disable anonymous access on my website and enable integrated windows authentication so that users will come into the website using their current credentials.
The roadblock I experience each time is that I'll set up the website and test it using an account in domainC and all will be well. During final testing I go over to domainB or domainA, log in, and try to get into the website and run into a "401" error.
I always do this: I'll go back to the website and try and reset permissions to the website's directory to allow "domainA\Everyone" and "domainB\Everyone" to have access, but for some reason I won't be able to. I'll remark again that this works in my personal devlab but not in the client's environment. I'll remember hearing that there's some sort of firewall blockage on LDAP calls between domains in this environment.
I'll try to create a domain local group in domainC and add the domainA\Everyone and domainB\Everyone groups into a local group I can give website rights to, but that won't work either.
I'll get frustrated here and start Googling and 4-5 hours will disappear as I learn how little I really know about security (and pursue several blind-alley solutions proposed by some other clueless bloggers).
I'll then spend another hour dicking around with every setting conceivable on my website, and then create a small sample "WhoAmI" website that just returns the current user's credentials. Setting security on this test website, I'll turn off anonymous access, turn on nt authentication, and then give the local group WEBSERVERNAME\Users all rights to the website and discover that I can now access it from all the trusted domains.
The lesson here is to start by giving the WEBSERVERNAME\Users local group basic rights to the website just to get started.
This has cost me several hours to recreate twice -- Note to self: don't do this again.
Subscribe to:
Posts (Atom)