
Thread: Error:"server is unwilling to process the request"

  1. #1
    Join Date
    Mar 2005
    Posts
    52

    Error:"server is unwilling to process the request"

    Hi everyone,

    I have a problem using the CommitChanges() method in System.DirectoryServices.DirectoryEntry namespace. The problem lies in the line highlighted in red.

    This code can work in windows server 2003 but not in windows xp.

    Does anyone know where I have gone wrong?
    Thanks

    The code is as follows:

    DirectoryEntry usr = new DirectoryEntry("LDAP://captests2.captestd.com:50002/O=SES,C=SG","captestd\\user","pasword",AuthenticationTypes.Secure);
    AccessControlEntry newAce = new AccessControlEntryClass();
    SecurityDescriptor usrSD = (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;

    AccessControlList usrAcl= (AccessControlList) usrSD.DiscretionaryAcl;
    newAce.Trustee = "S-1-491339992-4003172615-244129365-1146980006-2683420054-1000164791";
    newAce.AccessMask = unchecked((int)0x80000000);
    newAce.AceFlags=0x2;
    newAce.AceType = 0;
    usrAcl.AddAce(newAce);
    usrSD.DiscretionaryAcl = usrAcl;
    usr.Properties["ntSecurityDescriptor"].Value = usrSD;
    usr.CommitChanges();

  2. #2
    Join Date
    Aug 2004
    Location
    Dublin, Ireland
    Posts
    63
    Can you post the actual exception?
    VBForums.com & DevX.com Super Moderator
    Microsoft MVP : Visual Developer - Visual Basic
    My Website

  3. #3
    Join Date
    Mar 2005
    Posts
    52

    actual exception

    Hi Jamie,
    the actual exception is:

    Unhandled Exception: System.Runtime.InteropServices.COMException (0x80072035):
    The server is unwilling to process the request.
    at System.DirectoryServices.Interop.IAds.SetInfo()
    at System.DirectoryServices.DirectoryEntry.CommitChanges()
    at ConsoleApplication1.Class1.Main(String[] args) in c:\test\consoleapplication1\consoleapplication1\class1.cs:line 394

    Thanks for your help

  4. #4
    Join Date
    Mar 2005
    Posts
    52

    problem found

    I have found the source of the problem at the following url:
    http://www.ldaps.com/forums/article....P14.phx.gbl%3E

    Does anyone have any suggestions on how to tackle the problem in a proper way?

    Thanks a lot

  5. #5
    Join Date
    Dec 2003
    Posts
    2,750
    I don't see an article at the link you posted.

    The code is a bit cryptic, which doesn't surprise me since it's AD related. Is this a permissions related operation?
    Paul
    ~~~~
    Microsoft MVP (Visual Basic)

  6. #6
    Join Date
    Mar 2005
    Posts
    52

    Error:"server is unwilling to process the request"

    To make things simple, I decided to extract the entire post titled "URGENT: ADSI corrupt ADAM SID in ACE and fail to update ADAM ACLs" by Denis Gervalle as follows:


    Hi all,

    Sorry to be in such a hurry, but I have been investigating this problem for several days now and I really need a workaround or fix as soon as possible. I have finally managed to reduce the code to its minimal form to demonstrate the problem and related symptoms.
    I am currently using a WinXP Pro SP2 box with VS2003 and ADSI through COM interop in .NET.

    For your convenience highlighted code, source download and snapshot of its runs are available here:
    http://www.softec.st/~dge/post/sdtest.html
    The sample contains additional code enabled by defines to further show my research on that problem, up to a working but not acceptable workaround.

    The problem relates to the update of an ACL on a directory entry in an ADAM. A new ACE is created for an ADAM user and added to the ACL of an existing entry. The user SID has been retrieved from the objectSID attribute of the user entry:
    01 05 00 00 11 C0 7D D7 C3 CD ....
    and converted to string using Win32 API:
    S-1-297827799-211...
    It is hardcoded in the sample code to limit complexity.

    When committing the change of ACLs to the ADAM instance, the server replies with a:
    System.Runtime.InteropServices.COMException (0x80072035): The server is unwilling to process the request.

    After many hours of research, I have added some code (#define MakeBinaryRoundTrip in the sample) to convert the SecurityDescriptor into an SDDL string, which first requires converting the IID SD into a RAW structure self-relative descriptor using an IADsSecurityUtility object.
    As the sample shows, when making the conversion of the IID SD into a RAW SD and back into an IID SD, the SID of the newly created ACL changes! It becomes:
    S-1-297827591-211...
    Notice the 591 in place of 799. Note that the corruption is already present in the RAW form, as shown by the conversion of the RAW SD to an SDDL string:
    01 05 00 00 11 C0 7D 07 C3 CD ....
    Notice the 4 most significant bits of the 8th byte have been cleared (07 in place of D7). This means that either the converted SD is wrong or that the conversion from IID to RAW does not perform correctly.

    Moreover, if I corrupt these 4 bits in the user SID (#define CorruptSid to have E7 (...815...) in place of D7 (...799...)), the SID received back from the IID => RAW => IID conversion is the same again. This confirms that these bits are effectively ignored and dropped during the conversion. More tests have shown that this only happens when the SID has been created or changed using put_Trustee from the IADsAccessControlEntry interface. If I keep the same SID in an ACE created with the dsacl tool, and just change the AccessMask for example, the ADAM updates the ACE correctly.

    My final test was to patch the SID in its RAW form (#define PatchSid and undefine #CorruptSid, no longer needed). So before converting the RAW SD back into IID, I replace the 8th byte of the SID in the ACE with D7, fixing the wrong 07. The converted-back IID SD now correctly reports the SID 799, and is the same as the original SD. Using this patched SD, ADAM accepts the change and updates the ACL correctly.

    My conclusion is that during the transfer of the SD to the ADAM directory, a conversion to RAW form is made and that conversion fails the same way mine fails. The ADAM server obviously refuses to update its ACLs with an unknown SID and is therefore unwilling to process.

    Has anybody experienced or reproduced the same problem? Have I missed something?
    Is this a known bug and is there an appropriate fix?
    While waiting for your answers, I am installing a Windows 2003 server to see if the same problem appears.

    Thanks in advance,

    Denis
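
Added example, not part of the original post or of Denis Gervalle's sample: a small decoder for the binary SID layout that shows why clearing the high bits of the 8th byte turns ...799... into ...591..., plus a byte-level comparison for checking an IID => RAW round trip. Only the first ten bytes come from the post; the remaining sub-authority bytes are constructed, and the function names are hypothetical.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (the objectSid layout) into S-R-A-S1-... form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    # Bytes 2..7 hold the 48-bit identifier authority, big-endian, so the
    # 8th byte of the SID is the authority's least significant byte.
    authority = int.from_bytes(raw[2:8], "big")
    # Authorities of 2**32 and above are written in hex in the string form.
    auth = str(authority) if authority < 2**32 else "0x%012X" % authority
    # Each sub-authority is a 32-bit little-endian integer.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), auth] + [str(s) for s in subs])

def field_at(offset: int) -> str:
    """Name the SID field that a byte offset falls into."""
    if offset == 0:
        return "revision"
    if offset == 1:
        return "sub-authority count"
    if offset < 8:
        return "identifier authority"
    return "sub-authority %d" % ((offset - 8) // 4 + 1)

def sid_diff(before: bytes, after: bytes):
    """List (offset, field, before_byte, after_byte) for every changed byte."""
    if len(before) != len(after):
        raise ValueError("SIDs differ in length")
    return [(i, field_at(i), a, b)
            for i, (a, b) in enumerate(zip(before, after)) if a != b]

# First ten bytes as quoted in the post; everything after "C3 CD" is constructed.
ORIGINAL = bytes.fromhex("01 05 00 00 11 C0 7D D7 C3 CD C4 7D"
                         "01000000 02000000 03000000 04000000")
# The round-tripped form reported in the post: 8th byte 07 instead of D7.
ROUNDTRIP = ORIGINAL[:7] + b"\x07" + ORIGINAL[8:]

if __name__ == "__main__":
    print(sid_to_string(ORIGINAL))
    print(sid_to_string(ROUNDTRIP))
    for off, field, a, b in sid_diff(ORIGINAL, ROUNDTRIP):
        print("offset %d (%s): %02X -> %02X" % (off, field, a, b))
```

Comparing the raw bytes before and after a conversion, rather than the string forms, pinpoints which SID field was altered.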

  7. #7
    Join Date
    Apr 2005
    Posts
    1
    Have you found a solution to this issue? I am having a similar issue where if I try to create a new Active Directory user from my local machine (XP), I get "The server is unwilling to process request". However, the code works fine on Windows Server 2003.

  8. #8
    Join Date
    Mar 2005
    Posts
    52
    Not yet, but I believe the wrong SID entry was produced in the ACL when a new ACE object was created even though it had not been added to the ACL. This will not occur in Windows server 2003. In Windows server 2003, the ACE entry was added after calling the AddAce method. There seems to be a mismatch in the sequence........

  9. #9
    Join Date
    May 2005
    Posts
    4
    I think I have the same problem as you. When you solve it please e-mail me.

    BIG thanks.

  10. #10
    Join Date
    May 2005
    Posts
    4

    Whos da best ??

    Like this... works

    string domainAndUsername = string.Empty;
    string userName = string.Empty;
    string passWord = string.Empty;
    AuthenticationTypes at = AuthenticationTypes.Secure;
    DirectoryEntry entry = new DirectoryEntry();

    try
    {
    domainAndUsername = "LDAP://localhost:50000/CN=Pracownik1,CN=Workers,O=Test,C=PL";
    userName= WindowsIdentity.GetCurrent().Name.ToString();
    passWord= "haslo";

    entry = new DirectoryEntry(domainAndUsername, userName, passWord, at);

    entry.RefreshCache();
    }
    catch
    {
    }

    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    const int ADS_UF_ACCOUNTDISABLE=2;
    const int ADS_UF_PASSWORD_EXPIRED=0x800000;
    const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION=0x1000000;

    // PERMISSION MANAGEMENT
    string[] trustees = new string[]{"S-1-5-10"}; // there you may change trustees

    ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)
    entry.Properties["ntSecurityDescriptor"].Value;
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList) sd.DiscretionaryAcl;
    ActiveDs.IADsAccessControlEntry ace = new ActiveDs.AccessControlEntry();

    foreach(string trustee in trustees)
    {
    ace.Trustee = trustee;
    ace.AceFlags = 0;
    ace.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED;
    ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
    ace.ObjectType = PASSWORD_GUID;
    ace.AccessMask =
    (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CREATE_CHILD |
    (int) ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_READ_CONTROL |
    (int) ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_ACTRL_DS_LIST;
    acl.AddAce(ace);
    }
    sd.DiscretionaryAcl = acl;
    entry.Properties["ntSecurityDescriptor"].Value = sd;
    entry.CommitChanges();

  11. #11
    Join Date
    Mar 2005
    Posts
    52
    ur code does not seem to work......try my code below and you will find that the security descriptor is wrongly converted even in its raw form........

    DirectoryEntry usr = new DirectoryEntry("LDAP://capia1.capd.com:389/CN=fresh,O=KKK,C=SG","capd\\uu","aa",AuthenticationTypes.Secure);
    usr.RefreshCache();

    string[] trustees=new string[]{result};//result is SID of ADAM user

    SecurityDescriptor usrSD = (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
    AccessControlList usrAcl= (AccessControlList) usrSD.DiscretionaryAcl;
    AccessControlEntry newAce = new AccessControlEntryClass();

    foreach(string trustee in trustees)
    {
    newAce.Trustee = trustee;
    newAce.AceFlags=0x2;
    newAce.AceType = 0;
    newAce.Flags=0;
    newAce.AccessMask = unchecked((int)0x80000000);

    usrAcl.AddAce(newAce);//add and remove this line, you will see a difference

    }


    IADsSecurityUtility su = new ADsSecurityUtilityClass();
    byte [] bsd = (byte []) su.ConvertSecurityDescriptor(usrSD,
    (int) ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID,
    (int) ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW);

    Console.WriteLine( "Raw SD: {0}",
    ConvertSDToStringSD( bsd, ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL ));


    Console.WriteLine( "Original Trustees:" );
    foreach( IADsAccessControlEntry ceorigin in usrAcl )
    Console.WriteLine( " {0}", ceorigin.Trustee );

    // Convert the raw SD back to IID format
    IADsSecurityDescriptor sdclone = (IADsSecurityDescriptor) su.ConvertSecurityDescriptor(bsd,
    (int) ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW,
    (int) ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
    // Get its ACL
    IADsAccessControlList clclone = (IADsAccessControlList) sdclone.DiscretionaryAcl;
    // Display the cloned SD trustees, if unpatched, it differ from the original one
    Console.WriteLine( "Cloned Trustees:" );
    foreach( IADsAccessControlEntry ceclone in clclone )
    Console.WriteLine( " {0}", ceclone.Trustee );

  12. #12
    Join Date
    May 2005
    Posts
    4
    Yes, you are right, now it's not working but a few days ago it worked. Heh
    Maybe you can help me and know how to write a Security Descriptor??

    franz

    ps: on Win 2003 it's working.. but on XP not.
    Last edited by franzkru; 06-08-2005 at 07:35 AM.

  13. #13
    Join Date
    May 2005
    Posts
    4

    Answer

    If someone has the same problem, I have the answer... There is a bug in ActiveDs.dll and you need to get a hotfix from Microsoft for Windows XP to solve this.


    franzkru
    Last edited by franzkru; 06-30-2005 at 09:34 AM.

  14. #14
    Join Date
    Jul 2005
    Posts
    1

    I have same problem

    Dear franzkru

    I am facing the same problem. I have a web application that creates new domain users. It works on some clients and doesn't work on others.

    I would be grateful if you have any idea how to solve the problem.

    Blackhole
