Sorry, there isn't anything else I can offer. Looking at the event
logs, I was looking for an executable or function it was trying to
access. One of my customers had a similar problem when the app was
trying to create a doc file, but it turned out to be an issue with
Office interop where it doesn't allow multi-sessions. Using Aspose was
the solution. BUT, it was not on a DC. We were able to determine
through the event logs that it was in this area where it was failing.
I can't seem to see that in your event logs other than the
"HttpContext.Current.User.Identity.Name" name. Even though you may
have tried an admin account, the app accessing resources through IIS
does it differently than a direct interactive logon, if you know what
I mean.
Maybe there are other logs? Did you look in the Security logs? I would
possibly suggest setting up auditing of logon events to see if that
helps.
Maybe someone else with a better knowledge on how an ASP.net app
accesses resources on a server can better help. That was why I was
saying it is more of an ASP issue.
However, for what it's worth, and it's just my humble opinion, we
simply don't run web services or web apps on a DC, but like I said,
that is MHO.
Ace
On Mon, 19 Apr 2010 23:52:01 -0700, Rob van Belkum
<> wrote:
>Thanks for your reply.
>
>However, I do not think this is an ASP.NET specific issue. Eventually,
>System.Security.Principal.SecurityIdentifier.Translate will call the
>LsaLookupSids Windows API which I suspect cannot resolve the (phantom) SID
>into a name when running on a Domain Controller. I have also tried to give
>the AppPool account all sorts of privileges (including Domain Admin) but to
>no avail. Furthermore, I would expect an "access denied" error if the account
>does not have the appropriate access rights.
>
>Any help would be much appreciated.
>
>
>"Ace Fekay [MVP - Directory Services]" wrote:
>
>> On Mon, 19 Apr 2010 06:36:01 -0700, Rob van Belkum <Rob van
>> > wrote:
>>
>> >We are working on deploying ADFS to provide single sign-on functionality for
>> >externally hosted applications. This works fine for multi-tiered environments
>> >in which the IIS web server is not a domain controller. However, we have one
>> >(test) environment in which the IIS web server is also a domain controller.
>> >In that scenario, our .NET application generates the following error when
>> >using "HttpContext.Current.User.Identity.Name":
>> >
>> >Event Type: Error
>> >Event Source: ASP.NET 2.0.50727.0
>> >Event Category: Web Event
>> >Event ID: 1301
>> >Date: 4/19/2010
>> >Time: 2:48:54 PM
>> >User: N/A
>> >Computer: TESTSSO
>> >Description:
>> >The following exception was thrown by the web event provider
>> >'EventLogProvider' in the application '/TestSSO' (in an application lifetime
>> >a maximum of one exception will be logged per provider instance):
>> >
>> >System.Security.Principal.IdentityNotMappedException: Some or all identity
>> >references could not be translated.
>> > at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
>> > at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
>> > at System.Security.Principal.WindowsIdentity.GetName()
>> > at System.Security.Principal.WindowsIdentity.get_Name()
>> > at System.Web.Management.EventLogWebEventProvider.AddWebRequestInformationDataFields(ArrayList dataFields, WebRequestInformation reqInfo)
>> > at System.Web.Management.EventLogWebEventProvider.ProcessEvent(WebBaseEvent eventRaised)
>> > at System.Web.Management.WebBaseEvent.RaiseInternal(WebBaseEvent eventRaised, ArrayList firingRuleInfos, Int32 index0, Int32 index1)
>> >
>> >
>> >Is there something we can do / configure to make the ADFS web agent work on
>> >a domain controller?
>> >
>> >PS: The problem has been isolated to the domain controller. If we promote a
>> >fully functional ADFS enabled web server to a domain controller, we get the
>> >above error message. After demoting the server, the problem is gone.
>>
>>
>> Not being a developer, the only thing I can offer is the following
>> link:
>> http://eventid.net/display.asp?event...source=ASP.NET
>> 2.0.50727.0&phase=1
>>
>> Otherwise, my feelings are the account being used in the app to run
>> whatever it is trying to do, does not have the appropriate access to a
>> DC. DCs by default do not allow anyone else other than Domain Admins
>> or delegated accounts to logon.
>>
>> I think this would be better suited for posting in the ASP.net
>> newsgroups/forums.
>>
>>
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>>
>> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
>> Microsoft Certified Trainer
>> Microsoft MVP - Directory Services
>>
>> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
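The stack trace in the thread shows that reading `WindowsIdentity.Name` goes through `SecurityIdentifier.Translate`, which throws `IdentityNotMappedException` when the LSA lookup cannot map the SID. The following C# is an added example, not code from the thread or from ADFS, showing how application code can keep a request and its event logging alive when that happens: it catches the exception for a single SID, and for a batch it uses the public `IdentityReferenceCollection.Translate(Type, bool forceSuccess)` overload with `forceSuccess = false`, which hands back unmapped entries as `SecurityIdentifier` objects instead of throwing (the trace shows the internal `forceSuccess` overload on `SecurityIdentifier`). The well-known SID in `Main` resolves on any Windows host; the second SID is a constructed value chosen so that no lookup can map it. It assumes the request identity is a `WindowsIdentity`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (not from the thread): resolve SIDs to account names
// without letting an unmappable SID throw from a request or logging path.
public static class SidNaming
{
    // Translate one SID to DOMAIN\name. On IdentityNotMappedException
    // (the failure reported in the thread) return the SID string instead,
    // so the event record still identifies the caller.
    public static string NameOrSid(SecurityIdentifier sid)
    {
        if (sid == null) throw new ArgumentNullException("sid");
        try
        {
            return ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException)
        {
            // LsaLookupSids could not map the SID; keep the raw S-1-... value.
            return sid.Value;
        }
    }

    // Translate a whole collection in one LSA round trip. With forceSuccess
    // false the unmapped entries come back unchanged as SecurityIdentifier
    // objects rather than aborting the whole batch with an exception.
    public static IList<string> NamesOrSids(IEnumerable<SecurityIdentifier> sids)
    {
        var refs = new IdentityReferenceCollection();
        foreach (SecurityIdentifier s in sids) refs.Add(s);

        IdentityReferenceCollection translated = refs.Translate(typeof(NTAccount), false);

        var result = new List<string>();
        foreach (IdentityReference r in translated)
            result.Add(r.Value); // NTAccount.Value = DOMAIN\name, SecurityIdentifier.Value = S-1-...
        return result;
    }

    // Name for the request's identity without going through the get_Name()
    // path shown in the stack trace. Assumes the identity is a WindowsIdentity.
    public static string RequestUserName(WindowsIdentity identity)
    {
        if (identity == null || identity.User == null) return string.Empty;
        return NameOrSid(identity.User);
    }

    public static void Main()
    {
        // Constructed inputs: a well-known SID that resolves on any Windows host,
        // and a made-up domain SID that no LSA lookup can map.
        var builtinAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        var phantom = new SecurityIdentifier("S-1-5-21-111-222-333-4444"); // constructed, unmapped

        Console.WriteLine(NameOrSid(builtinAdmins)); // e.g. BUILTIN\Administrators
        Console.WriteLine(NameOrSid(phantom));       // S-1-5-21-111-222-333-4444

        foreach (string n in NamesOrSids(new[] { builtinAdmins, phantom }))
            Console.WriteLine(n);
    }
}
```

This does not change what the LSA lookup on the domain controller returns; it only stops an unmapped SID from turning a logging or display step into a failed request, and it keeps the raw SID in the record so the event log still shows which principal was involved. The `EventLogWebEventProvider` call in the trace is inside the ASP.NET framework, so a wrapper like this covers the application's own reads of `Identity.Name`, not the provider's.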