"Sudden" Active Directory error on ASP.NET

Discussion in 'ASP .Net' started by Patrick, Sep 5, 2005.

  1. I have an ASP.NET page that searches for someone in the corporate Active
    Directory.

    It had been working fine until recently when I changed from Basic
    Authentication on IIS6 back to Integrated Windows authentication. The error
    occurs on the FindAll method. The exceptions are as follows. Is there any way of
    getting the code working with Integrated Windows authentication (too annoying
    for user to enter user-name/password)? Note I do need to use impersonation
    (to figure out the username of the logged on user).

    Exception:
    System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
    at System.DirectoryServices.DirectorySearcher.FindAll()
    at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender, EventArgs e)

    Web.config:
    <authentication mode="Windows" />
    <identity impersonate="true" />

    Code snippet below:

    DirectoryEntry dirEntry = new DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+ FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    System.DirectoryServices.PropertyCollection objectPropperties;
    foreach (SearchResult resultEntry in dirSearcher.FindAll())
    {
        //display results
    }
    Patrick, Sep 5, 2005
    #1

  2. I have read some articles which suggest that I need to turn on "Kerberos"
    authentication (in order for token to be passed to Active Directory for
    authentication).

    How could I turn on Kerberos authentication? It is not an option in IIS6 on
    Windows server 2003. Note I am using Integrated Windows authentication at
    present.



    "Patrick" wrote:

    > I have an ASP.NET page that searches for someone in the corporate Active
    > Directory.
    >
    > It had been working fine until recently when I changed from Basic
    > Authentication on IIS6 back to Integrated Windows authentication. The error
    > occurs on the FindAll method. The exceptions are as follows. anyway of
    > getting the code working with Integrated Windows authentication (too annoying
    > for user to enter user-name/password). Note I do need to use impersonation
    > (to figure out the username of the logged on user)
    >
    > Exception:
    > System.Runtime.InteropServices.COMException (0x80072020): An operations
    > error occurred
    > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    > at System.DirectoryServices.DirectoryEntry.Bind()
    > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    > findMoreThanOne)
    > at System.DirectoryServices.DirectorySearcher.FindAll()
    > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender,
    > EventArgs e)
    >
    > Web.config:
    > <authentication mode="Windows" />
    > <identity impersonate="true" />
    >
    > Code snippet below:
    >
    > DirectoryEntry dirEntry = new
    > DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+
    > FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    > System.DirectoryServices.PropertyCollection objectPropperties;
    > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    > {
    > //display results
    > }
    Patrick, Sep 5, 2005
    #2

  3. Alternatively, is it at all possible to use another (hard-wired) user's
    credentials to authenticate into Active Directory? When I say hard-wired
    user, I mean a fixed user that is different from the logged on user (note, I
    need to use impersonation to figure out from Environment.Username the
    username of the logged on user).

    "Patrick" wrote:

    > I have read some articles which suggest that I need to turn on "Kerberos"
    > authentication (in order for token to be passed to Active Directory for
    > authentication).
    >
    > How could I turn on Kerberos authentication? It is not an option in IIS6 on
    > Windows server 2003. Note I am using Integrated Windows authentication at
    > present.
    >
    >
    >
    > "Patrick" wrote:
    >
    > > I have an ASP.NET page that searches for someone in the corporate Active
    > > Directory.
    > >
    > > It had been working fine until recently when I changed from Basic
    > > Authentication on IIS6 back to Integrated Windows authentication. The error
    > > occurs on the FindAll method. The exceptions are as follows. anyway of
    > > getting the code working with Integrated Windows authentication (too annoying
    > > for user to enter user-name/password). Note I do need to use impersonation
    > > (to figure out the username of the logged on user)
    > >
    > > Exception:
    > > System.Runtime.InteropServices.COMException (0x80072020): An operations
    > > error occurred
    > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    > > at System.DirectoryServices.DirectoryEntry.Bind()
    > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    > > findMoreThanOne)
    > > at System.DirectoryServices.DirectorySearcher.FindAll()
    > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender,
    > > EventArgs e)
    > >
    > > Web.config:
    > > <authentication mode="Windows" />
    > > <identity impersonate="true" />
    > >
    > > Code snippet below:
    > >
    > > DirectoryEntry dirEntry = new
    > > DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    > > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    > > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+
    > > FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    > > System.DirectoryServices.PropertyCollection objectPropperties;
    > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    > > {
    > > //display results
    > > }
    Patrick, Sep 5, 2005
    #3
  4. Hi Patrick:

    Because the Active Directory is set up on a server other than the IIS server,
    try explicitly specifying the former when constructing the DirectoryEntry,
    e.g.
    DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");

    (I know this works because I ran into the same problem last week and I
    solved it this way)
    --
    HTH,
    Phillip Williams
    http://www.societopia.net/Samples/
    http://www.societopia.net
    http://www.webswapp.com


    "Patrick" wrote:

    > I have read some articles which suggest that I need to turn on "Kerberos"
    > authentication (in order for token to be passed to Active Directory for
    > authentication).
    >
    > How could I turn on Kerberos authentication? It is not an option in IIS6 on
    > Windows server 2003. Note I am using Integrated Windows authentication at
    > present.
    >
    >
    >
    > "Patrick" wrote:
    >
    > > I have an ASP.NET page that searches for someone in the corporate Active
    > > Directory.
    > >
    > > It had been working fine until recently when I changed from Basic
    > > Authentication on IIS6 back to Integrated Windows authentication. The error
    > > occurs on the FindAll method. The exceptions are as follows. anyway of
    > > getting the code working with Integrated Windows authentication (too annoying
    > > for user to enter user-name/password). Note I do need to use impersonation
    > > (to figure out the username of the logged on user)
    > >
    > > Exception:
    > > System.Runtime.InteropServices.COMException (0x80072020): An operations
    > > error occurred
    > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    > > at System.DirectoryServices.DirectoryEntry.Bind()
    > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    > > findMoreThanOne)
    > > at System.DirectoryServices.DirectorySearcher.FindAll()
    > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender,
    > > EventArgs e)
    > >
    > > Web.config:
    > > <authentication mode="Windows" />
    > > <identity impersonate="true" />
    > >
    > > Code snippet below:
    > >
    > > DirectoryEntry dirEntry = new
    > > DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    > > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    > > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+
    > > FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    > > System.DirectoryServices.PropertyCollection objectPropperties;
    > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    > > {
    > > //display results
    > > }
    Phillip Williams, Sep 6, 2005
    #4
  5. Hi Patrick,

    For the problem you encountered, it seems somewhat related to the security
    context of the ASP.NET application. As you mentioned, the AD query code
    works well when you're using Basic authentication but fails when you change to
    Integrated Windows. When using Basic authentication, the client
    user provides full credentials, so the server-side logon session has the
    network credentials (which means it can be forwarded to a remote machine for
    authentication). However, under Integrated Windows, the client side doesn't
    provide full credentials, so the server-side logon session can't be forwarded
    to a remote machine for authentication. So the problem you met is possibly
    caused by this. Also, in ASP.NET we can use the web.config <identity>
    element, or code, to impersonate a fixed account. Since by such
    means we provide a clear-text username/password, the established security
    session can be forwarded to a remote machine for authentication. Here is the
    KB article discussing this:

    #How to implement impersonation in an ASP.NET application
    http://support.microsoft.com/?id=306158

    In addition, you can try Phillip's suggestion.

    Hope this helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)



    Steven Cheng[MSFT], Sep 6, 2005
    #5
  6. Whilst this new LDAP string works on my developer workstation, porting to the
    development IIS6.0 web server, dirSearcher.FindAll().Count returns 0 (when
    matches are expected), presumably because no credentials were passed from IIS
    to the Active Directory?

    "Phillip Williams" wrote:

    > Hi Patrick:
    >
    > Because the Active Directory is setup on a server other than the IIS server,
    > try explicitly specifying the former when constructing the DirectoryEntry,
    > e.g.
    > DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");
    >
    > (I know this works because I ran into the same problem last week and I
    > solved it this way)
    > --
    > HTH,
    > Phillip Williams
    > http://www.societopia.net/Samples/
    > http://www.societopia.net
    > http://www.webswapp.com
    >
    >
    > "Patrick" wrote:
    >
    > > I have read some articles which suggest that I need to turn on "Kerberos"
    > > authentication (in order for token to be passed to Active Directory for
    > > authentication).
    > >
    > > How could I turn on Kerberos authentication? It is not an option in IIS6 on
    > > Windows server 2003. Note I am using Integrated Windows authentication at
    > > present.
    > >
    > >
    > >
    > > "Patrick" wrote:
    > >
    > > > I have an ASP.NET page that searches for someone in the corporate Active
    > > > Directory.
    > > >
    > > > It had been working fine until recently when I changed from Basic
    > > > Authentication on IIS6 back to Integrated Windows authentication. The error
    > > > occurs on the FindAll method. The exceptions are as follows. anyway of
    > > > getting the code working with Integrated Windows authentication (too annoying
    > > > for user to enter user-name/password). Note I do need to use impersonation
    > > > (to figure out the username of the logged on user)
    > > >
    > > > Exception:
    > > > System.Runtime.InteropServices.COMException (0x80072020): An operations
    > > > error occurred
    > > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    > > > at System.DirectoryServices.DirectoryEntry.Bind()
    > > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    > > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    > > > findMoreThanOne)
    > > > at System.DirectoryServices.DirectorySearcher.FindAll()
    > > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender,
    > > > EventArgs e)
    > > >
    > > > Web.config:
    > > > <authentication mode="Windows" />
    > > > <identity impersonate="true" />
    > > >
    > > > Code snippet below:
    > > >
    > > > DirectoryEntry dirEntry = new
    > > > DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    > > > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    > > > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+
    > > > FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    > > > System.DirectoryServices.PropertyCollection objectPropperties;
    > > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    > > > {
    > > > //display results
    > > > }
    Patrick, Sep 6, 2005
    #6
  7. On Mon, 5 Sep 2005 10:36:03 -0700, "Patrick" <> wrote:

    ¤ I have read some articles which suggest that I need to turn on "Kerberos"
    ¤ authentication (in order for token to be passed to Active Directory for
    ¤ authentication).
    ¤
    ¤ How could I turn on Kerberos authentication? It is not an option in IIS6 on
    ¤ Windows server 2003. Note I am using Integrated Windows authentication at
    ¤ present.

    http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
    Paul Clement, Sep 6, 2005
    #7
  8. Hi Patrick,

    I think though that getting a dirSearcher.FindAll().Count==0 is not a
    security access issue. If the responses of Steven and Paul have not helped
    you yet to find a solution, you might try a few more tests:

    1- log on to the IIS machine and run the application from there,

    2- add a Trace.WriteLine statement that displays the
    Context.User.Identity.Name to verify that impersonation works.

    3- try without a filter condition at all; if you get any result then the
    problem is not security related rather it might be the way you specified the
    filter condition that caused dirSearcher.FindAll().Count to return 0.

    --
    HTH,
    Phillip Williams
    http://www.societopia.net
    http://www.webswapp.com


    "Patrick" wrote:

    > Whilst this new LDAP string works on my developer workstation, porting to the
    > development IIS6.0 web server, dirSearcher.FindAll().Count returns 0 (when
    > matches are expected), presumably because no credentials were passed from IIS
    > to the Active Directory?
    >
    > "Phillip Williams" wrote:
    >
    > > Hi Patrick:
    > >
    > > Because the Active Directory is setup on a server other than the IIS server,
    > > try explicitly specifying the former when constructing the DirectoryEntry,
    > > e.g.
    > > DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");
    > >
    > > (I know this works because I ran into the same problem last week and I
    > > solved it this way)
    > > --
    > > HTH,
    > > Phillip Williams
    > > http://www.societopia.net/Samples/
    > > http://www.societopia.net
    > > http://www.webswapp.com
    > >
    > >
    > > "Patrick" wrote:
    > >
    > > > I have read some articles which suggest that I need to turn on "Kerberos"
    > > > authentication (in order for token to be passed to Active Directory for
    > > > authentication).
    > > >
    > > > How could I turn on Kerberos authentication? It is not an option in IIS6 on
    > > > Windows server 2003. Note I am using Integrated Windows authentication at
    > > > present.
    > > >
    > > >
    > > >
    > > > "Patrick" wrote:
    > > >
    > > > > I have an ASP.NET page that searches for someone in the corporate Active
    > > > > Directory.
    > > > >
    > > > > It had been working fine until recently when I changed from Basic
    > > > > Authentication on IIS6 back to Integrated Windows authentication. The error
    > > > > occurs on the FindAll method. The exceptions are as follows. anyway of
    > > > > getting the code working with Integrated Windows authentication (too annoying
    > > > > for user to enter user-name/password). Note I do need to use impersonation
    > > > > (to figure out the username of the logged on user)
    > > > >
    > > > > Exception:
    > > > > System.Runtime.InteropServices.COMException (0x80072020): An operations
    > > > > error occurred
    > > > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    > > > > at System.DirectoryServices.DirectoryEntry.Bind()
    > > > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    > > > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    > > > > findMoreThanOne)
    > > > > at System.DirectoryServices.DirectorySearcher.FindAll()
    > > > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender,
    > > > > EventArgs e)
    > > > >
    > > > > Web.config:
    > > > > <authentication mode="Windows" />
    > > > > <identity impersonate="true" />
    > > > >
    > > > > Code snippet below:
    > > > >
    > > > > DirectoryEntry dirEntry = new
    > > > > DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    > > > > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    > > > > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+
    > > > > FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    > > > > System.DirectoryServices.PropertyCollection objectPropperties;
    > > > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    > > > > {
    > > > > //display results
    > > > > }
    Phillip Williams, Sep 6, 2005
    #8
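
The checks Phillip lists above, together with the credential-forwarding problem Steven describes in post #5, can be gathered in one helper. This C# code is an added example, not code from the thread; the class and method names are hypothetical. It reports the request identity, the thread's Windows identity and the token's impersonation level, then attempts a bind and an unfiltered search.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added diagnostic helper; names are hypothetical and not from the thread.
public static class AdBindDiagnostics
{
    // Test 2 from the post: show who the request was authenticated as,
    // who the thread is really running as, and how far the token can travel.
    public static string DescribeSecurityContext(HttpContext context)
    {
        // Identity IIS established for this request.
        IIdentity requestUser = context.User.Identity;

        // Identity of the executing thread. With <identity impersonate="true" />
        // this should match the request user; otherwise it is the worker
        // process account.
        using (WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent())
        {
            // ImpersonationLevel values of interest:
            //   Impersonation - token is valid on this machine only
            //   Delegation    - token may be presented to another machine
            //   None          - not impersonating (process token)
            return String.Format(
                "request user={0} (auth={1}); thread identity={2}; token level={3}",
                requestUser.Name,
                requestUser.AuthenticationType,
                threadIdentity.Name,
                threadIdentity.ImpersonationLevel);
        }
    }

    // Test 3 from the post: bind and search with the default filter
    // "(objectClass=*)", so no user-supplied value can be the reason
    // for an empty result.
    public static string ProbeDirectory(string ldapPath)
    {
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(ldapPath))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                searcher.SizeLimit = 5; // a handful of entries is enough
                using (SearchResultCollection results = searcher.FindAll())
                {
                    return "bind ok, results=" + results.Count;
                }
            }
        }
        catch (COMException ex)
        {
            // 0x80072020 is the "operations error" from the original post.
            return String.Format("bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
        }
    }
}
```

Writing both strings to the page trace on the workstation and on the IIS server shows whether the two environments differ in identity, in token level, or only in the search result.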
  9. Actually I have a correction to what I wrote below. It was not the NTLM
    authenticated userID that I used in creating the DirectoryEntry. Upon
    careful examination of the code that I left on the IIS server (as opposed to
    the version I have on my development desktop) I found that I actually left a
    hard-coded userID and password in the DirectoryEntry constructor. So you
    were right. It works on the development desktop but not on the IIS server;
    the latter required supplying the userID and password.

    This is my working solution:
    Dim entry As New DirectoryServices.DirectoryEntry(AppSettings("LDAP_PATH"), strUserID, strPassword)

    Sorry if I have caused any confusion.

    "Phillip Williams" wrote:

    > Hi Patrick,
    >
    > I think though that getting a dirSearcher.FindAll().Count==0 is not a
    > security access issue. If the responses of Steven and Paul have not helped
    > you yet to find a solution, you might try a few more tests:
    >
    > 1- log on to the IIS machine and run the application from there,
    >
    > 2- add a Trace.WriteLine statement that displays the
    > Context.User.Identity.Name to verify that impersonation works.
    >
    > 3- try without a filter condition at all; if you get any result then the
    > problem is not security related rather it might be the way you specified the
    > filter condition that caused dirSearcher.FindAll().Count to return 0.
    >
    > --
    > HTH,
    > Phillip Williams
    > http://www.societopia.net
    > http://www.webswapp.com
    >
    Phillip Williams, Sep 7, 2005
    #9
  10. Thanks for your detailed followup Phillip,

    Hi Patrick,

    Have you tried the suggestions in my last reply? I still think
    the problem concerns your ASP.NET web application's security
    context, and impersonation is a potential cause. If there are any further
    findings or anything we can help with, please feel free to post here.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    --------------------
    | Thread-Topic: "Sudden" Active Directory error on ASP.NET
    | thread-index: AcWzQSB7RPR3OtazRFqlDQHhtLAcGw==
    | X-WBNR-Posting-Host: 207.230.226.92
    | From: "=?Utf-8?B?UGhpbGxpcCBXaWxsaWFtcw==?="
    <>
    | References: <>
    <>
    <>
    <>
    <>
    | Subject: RE: "Sudden" Active Directory error on ASP.NET
    | Date: Tue, 6 Sep 2005 17:14:34 -0700
    | Lines: 116
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups:
    microsoft.public.adsi.general,microsoft.public.dotnet.framework.aspnet
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl
    microsoft.public.dotnet.framework.aspnet:122743
    microsoft.public.adsi.general:8911
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    |
    | Actually I have a correction to what I wrote below. It was not the NTLM
    | authenticated userID that I used in creating the DirectoryEntry. Upon
    | careful examination of the code that I left on the IIS server (as opposed
    to
    | the version I have on my development desktop) I found that I actually
    left a
    | hard-coded userID and password in the DirectoryEntry constructor. So you
    | were right. It works on the development desktop but not on the IIS
    server;
    | the latter required supplying the userID and password.
    |
    | This is my working solution:
    | Dim entry As New
    DirectoryServices.DirectoryEntry(AppSettings("LDAP_PATH"),
    | strUserID, strPassword)
    |
    | Sorry if I have caused any confusion.
    |
    | "Phillip Williams" wrote:
    |
    | > Hi Patrick,
    | >
    | > I think though that getting a dirSearcher.FindAll().Count==0 is not a
    | > security access issue. If the responses of Steven and Paul have not
    helped
    | > you yet to find a solution, you might try a few more tests:
    | >
    | > 1- log on to the IIS machine and run the application from there,
    | >
    | > 2- add a Trace.WriteLine statement that displays the
    | > Context.User.Identity.Name to verify that impersonation works.
    | >
    | > 3- try without a filter condition at all; if you get any result then
    the
    | > problem is not security related rather it might be the way you
    specified the
    | > filter condition that caused dirSearcher.FindAll().Count to return 0.
    | >
    | > --
    | > HTH,
    | > Phillip Williams
    | > http://www.societopia.net
    | > http://www.webswapp.com
    | >
    | >
    | > "Patrick" wrote:
    | >
    | > > Whilst this new LDAP string works on my developer workstation,
    porting to the
    | > > development IIS6.0 web server, dirSearcher.FindAll().Count returns 0
    (when
    | > > matches are expected), presumably because no credentials were passed
    from IIS
    | > > to the Active Directory?
    | > >
    | > > "Phillip Williams" wrote:
    | > >
    | > > > Hi Patrick:
    | > > >
    | > > > Because the Active Directory is set up on a server other than the IIS server,
    | > > > try explicitly specifying the former when constructing the DirectoryEntry,
    | > > > e.g.
    | > > > DirectoryEntry("LDAP://mydomain.ca/dc=myDept,dc=myCompany,dc=com");
    | > > >
    | > > > (I know this works because I ran into the same problem last week and I
    | > > > solved it this way)
    | > > > --
    | > > > HTH,
    | > > > Phillip Williams
    | > > > http://www.societopia.net/Samples/
    | > > > http://www.societopia.net
    | > > > http://www.webswapp.com
    | > > >
    | > > >
    | > > > "Patrick" wrote:
    | > > >
    | > > > > I have read some articles which suggest that I need to turn on "Kerberos"
    | > > > > authentication (in order for token to be passed to Active Directory for
    | > > > > authentication).
    | > > > >
    | > > > > How could I turn on Kerberos authentication? It is not an option in IIS6 on
    | > > > > Windows server 2003. Note I am using Integrated Windows authentication at
    | > > > > present.
    | > > > >
    | > > > >
    | > > > >
    | > > > > "Patrick" wrote:
    | > > > >
    | > > > > > I have an ASP.NET page that searches for someone in the corporate Active
    | > > > > > Directory.
    | > > > > >
    | > > > > > It had been working fine until recently when I changed from Basic
    | > > > > > Authentication on IIS6 back to Integrated Windows authentication. The error
    | > > > > > occurs on the FindAll method. The exceptions are as follows. anyway of
    | > > > > > getting the code working with Integrated Windows authentication (too annoying
    | > > > > > for user to enter user-name/password). Note I do need to use impersonation
    | > > > > > (to figure out the username of the logged on user)
    | > > > > >
    | > > > > > Exception:
    | > > > > > System.Runtime.InteropServices.COMException (0x80072020): An operations
    | > > > > > error occurred
    | > > > > > at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    | > > > > > at System.DirectoryServices.DirectoryEntry.Bind()
    | > > > > > at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    | > > > > > at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
    | > > > > > at System.DirectoryServices.DirectorySearcher.FindAll()
    | > > > > > at MyCompany.it.myApp.BUMaintenance.FindMgrBtn_Click(Object sender, EventArgs e)
    | > > > > >
    | > > > > > Web.config:
    | > > > > > <authentication mode="Windows" />
    | > > > > > <identity impersonate="true" />
    | > > > > >
    | > > > > > Code snippet below:
    | > > > > >
    | > > > > > DirectoryEntry dirEntry = new DirectoryEntry("LDAP://dc=myDept,dc=myCompany,dc=com");
    | > > > > > DirectorySearcher dirSearcher = new DirectorySearcher( dirEntry );
    | > > > > > dirSearcher.Filter = "(&(SN="+ LastnameTxt.Text + "*)(givenName="+ FirstnameTxt.Text +"*)(l="+ LocationTxt.Text +"*))";
    | > > > > > System.DirectoryServices.PropertyCollection objectPropperties;
    | > > > > > foreach (SearchResult resultEntry in dirSearcher.FindAll())
    | > > > > > {
    | > > > > > //display results
    | > > > > > }
    |
    Steven Cheng[MSFT], Sep 7, 2005
    #10
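
An added example, not part of the original posts: the explicit-credential bind the thread settled on, with the account read from configuration instead of hard-coded in the constructor, and with the search filter's text-box values escaped per RFC 4515 before they are concatenated. The class name `DirectoryLookup` and the `LDAP_USER` / `LDAP_PASSWORD` appSettings keys are assumptions; `LDAP_PATH` is the key used in the thread.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;
using System.Text;

public static class DirectoryLookup   // hypothetical helper class
{
    // RFC 4515: inside a filter value, \ * ( ) and NUL must be written as a
    // backslash plus two hex digits, so user input cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value ?? string.Empty)
        {
            if (@"\*()".IndexOf(c) >= 0 || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Same prefix search as the thread's filter; only the trailing * is a wildcard.
    public static string BuildFilter(string lastName, string firstName, string location)
    {
        return "(&(sn=" + EscapeFilterValue(lastName) + "*)"
             + "(givenName=" + EscapeFilterValue(firstName) + "*)"
             + "(l=" + EscapeFilterValue(location) + "*))";
    }

    public static List<string> FindPaths(string lastName, string firstName, string location)
    {
        // Assumed keys: a low-privilege, read-only lookup account kept in config.
        string path = ConfigurationManager.AppSettings["LDAP_PATH"];
        string user = ConfigurationManager.AppSettings["LDAP_USER"];
        string pass = ConfigurationManager.AppSettings["LDAP_PASSWORD"];

        // AuthenticationTypes.Secure asks for a negotiated (Kerberos/NTLM) bind
        // rather than a simple bind with the password.
        using (DirectoryEntry root = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildFilter(lastName, firstName, location);
            List<string> paths = new List<string>();
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results) paths.Add(r.Path);
            return paths;
        }
    }
}
```

Because the password then lives in Web.config, that section should be protected (ASP.NET 2.0 protected configuration can encrypt `appSettings`) and the account limited to the directory reads the page needs.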
  11. Hi,

    Even I am facing the same problem mentioned by Patrick.

    Any solutions identified for the same?

    Thanks in advance.

    -sandeep


    vaidyanet, Oct 10, 2006
    #11