"Sudden" Active Directory error on ASP.NET

"Sudden" Active Directory error on ASP.NET

on 05.09.2005 19:23:03 by questions

I have an ASP.NET page that searches for someone in the corporate Active
Directory.

It had been working fine until recently when I changed from Basic
Authentication on IIS6 back to Integrated Windows authentication. The error
occurs on the FindAll method. The exceptions are as follows. Any way of
getting the code working with Integrated Windows authentication (too annoying
for user to enter user-name/password)? Note I do need to use impersonation
(to figure out the username of the logged on user).

Exception:
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindAll()
   at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender, EventArgs e)

Web.config:



Code snippet below:

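// No credentials are given, so the bind uses the security context of the
// thread that handles the request.
DirectoryEntry dirEntry = new DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
DirectorySearcher dirSearcher = new DirectorySearcher(dirEntry);
// The text box values are concatenated into the filter exactly as typed.
dirSearcher.Filter = "(&(SN=" + LastnameTxt.Text + "*)(givenName=" +
    FirstnameTxt.Text + "*)(l=" + LocationTxt.Text + "*))";
System.DirectoryServices.PropertyCollection objectPropperties;
foreach (SearchResult resultEntry in dirSearcher.FindAll()) // the exception is thrown here
{
    // display results
}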

RE: "Sudden" Active Directory error on ASP.NET

on 05.09.2005 19:36:03 by questions

I have read some articles which suggest that I need to turn on "Kerberos"
authentication (in order for token to be passed to Active Directory for
authentication).

How could I turn on Kerberos authentication? It is not an option in IIS6 on
Windows server 2003. Note I am using Integrated Windows authentication at
present.

RE: "Sudden" Active Directory error on ASP.NET

on 05.09.2005 19:41:03 by questions

Alternatively, is it at all possible to use another (hard-wired) user's
credentials to authenticate into Active Directory? When I say hard-wired
user, I mean a fixed user that is different from the logged on user (note, I
need to use impersonation to figure out from Environment.Username the
username of the logged on user).

RE: "Sudden" Active Directory error on ASP.NET

on 06.09.2005 01:00:03 by Phillip.Williams

Hi Patrick:

Because the Active Directory is set up on a server other than the IIS server,
try explicitly specifying the former when constructing the DirectoryEntry,
e.g.
DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");

(I know this works because I ran into the same problem last week and I
solved it this way)
--
HTH,
Phillip Williams
http://www.societopia.net/Samples/
http://www.societopia.net
http://www.webswapp.com

RE: "Sudden" Active Directory error on ASP.NET

on 06.09.2005 07:56:16 by stcheng

Hi Patrick,

For the problem you encountered, seems somewhat related to the security
context of the asp.net application. As you mentioned that the AD query code
works well when you're using basic authentication but failed when change to
Integrated windows, because when using basic authentication, the client
user provide full credential so that the serverside logon session has the
network credential (which means it can be forwarded to remote machine for
authentication), however, under integrated windows, the clientside didn't
provide full credential, so the serverside logon session can't be forwarded
to remote machine for authentication. So the problem you met is possibly
caused by this. Also, in asp.net we can use web.config's
element or programmatically to impersonate a fixed account, since in such
means, we provide clear text username/password, the established security
session can be forwarded to remote machine for authentication, here is the
kb article discussing on this:

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/?id=306158

In addition, you can have a try on Phillip's suggestion.

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)




RE: "Sudden" Active Directory error on ASP.NET

on 06.09.2005 11:48:57 by questions

Whilst this new LDAP string works on my developer workstation, porting to the
development IIS6.0 web server, dirSearcher.FindAll().Count returns 0 (when
matches are expected), presumably because no credentials were passed from IIS
to the Active Directory?

Re: "Sudden" Active Directory error on ASP.NET

on 06.09.2005 15:39:54 by Paul Clement

On Mon, 5 Sep 2005 10:36:03 -0700, "Patrick" wrote:

¤ I have read some articles which suggest that I need to turn on "Kerberos"
¤ authentication (in order for token to be passed to Active Directory for
¤ authentication).
¤
¤ How could I turn on Kerberos authentication? It is not an option in IIS6 on
¤ Windows server 2003. Note I am using Integrated Windows authentication at
¤ present.

http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx


Paul
~~~~
Microsoft MVP (Visual Basic)

RE: "Sudden" Active Directory error on ASP.NET

on 06.09.2005 18:08:03 by Phillip.Williams

Hi Patrick,

I think though that getting a dirSearcher.FindAll().Count==0 is not a
security access issue. If the responses of Steven and Paul have not helped
you yet to find a solution, you might try a few more tests:

1- log on to the IIS machine and run the application from there,

2- add a Trace.WriteLine statement that displays the
Context.User.Identity.Name to verify that impersonation works.

3- try without a filter condition at all; if you get any result then the
problem is not security related rather it might be the way you specified the
filter condition that caused dirSearcher.FindAll().Count to return 0.

--
HTH,
Phillip Williams
http://www.societopia.net
http://www.webswapp.com

RE: "Sudden" Active Directory error on ASP.NET

on 07.09.2005 02:14:34 by Phillip.Williams

Actually I have a correction to what I wrote below. It was not the NTLM
authenticated userID that I used in creating the DirectoryEntry. Upon
careful examination of the code that I left on the IIS server (as opposed to
the version I have on my development desktop) I found that I actually left a
hard-coded userID and password in the DirectoryEntry constructor. So you
were right. It works on the development desktop but not on the IIS server;
the latter required supplying the userID and password.

This is my working solution:
Dim entry As New DirectoryServices.DirectoryEntry(AppSettings("LDAP_PATH"), strUserID, strPassword)

Sorry if I have caused any confusion.

"Phillip Williams" wrote:

> Hi Patrick,
>
> I think though that getting a dirSearcher.FindAll().Count==0 is not a
> security access issue. If the responses of Steven and Paul have not helped
> you yet to find a solution, you might try a few more tests:
>
> 1- log on to the IIS machine and run the application from there,
>
> 2- add a Trace.WriteLine statement that displays the
> Context.User.Identity.Name to verify that impersonation works.
>
> 3- try without a filter condition at all; if you get any result then the
> problem is not security related rather it might be the way you specified the
> filter condition that caused dirSearcher.FindAll().Count to return 0.
>
> --
> HTH,
> Phillip Williams
> http://www.societopia.net
> http://www.webswapp.com
>

RE: "Sudden" Active Directory error on ASP.NET

on 07.09.2005 05:48:14 by stcheng

Thanks for your detailed followup Phillip,

Hi Patrick,

Have you had a try on the suggestions in my last reply? I'm still thinking
the problem is concerned with your asp.net web application's security
context. And impersonation is a potential cause, if there're any further
finding or anything we can help, please feel free to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)