System.DirectoryServices - The server is not operational


George Durzi

I have an asp.net web application written in c# that uses Forms
Authentication to authenticate against our Active Directory. I based the
authentication code on the How To found on MSDN
(http://support.microsoft.com/default.aspx?scid=kb;en-us;326340)

The application works just fine on our production servers. However, I'm
installing it at one of our sister companies on a fresh W2K3 server box.
They have just upgraded to Active Directory.

I'm getting an Exception when I try to create a new DirectoryEntry to try
and authenticate against AD.
Exception Message: "The server is not operational"
Source: "System.DirectoryServices"

Before I go back to their admin and ask them to check into their install, I
wanted to check on this board.

Their domain is called: CORP.CompanyName.COM
My LDAP connection string is
LDAP://CORP.CompanyName.COM/DC=CORP,DC=CompanyName,DC=COM

Here's my "IsAuthenticated" function

    using System;
    using System.DirectoryServices;

    // LDAPConnectString, _path and _filterattribute are fields on the enclosing class.
    bool IsAuthenticated(string Domain, string UserName, string Password)
    {
        string DomainUserName = Domain + @"\" + UserName;
        try
        {
            DirectoryEntry oDE = new DirectoryEntry(LDAPConnectString,
                DomainUserName, Password, AuthenticationTypes.Secure);
            // The constructor does not contact the server; reading NativeObject forces the bind.
            Object oNativeObject = oDE.NativeObject;
            DirectorySearcher oDS = new DirectorySearcher(oDE);
            // Escape filter metacharacters so UserName cannot change the shape of the filter.
            oDS.Filter = "(SAMAccountName=" + EscapeLdapFilter(UserName) + ")";
            oDS.PropertiesToLoad.Add("cn");
            SearchResult oSR = oDS.FindOne();
            if (null == oSR) return false;
            _path = oSR.Path;
            _filterattribute = (string)oSR.Properties["cn"][0];
        }
        catch (Exception oException)
        {
            return false;
        }
        return true;
    }

    // Escapes the characters RFC 4515 reserves inside an LDAP filter value.
    static string EscapeLdapFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

The exception happens right after the DirectoryEntry constructor. I don't
think it's related to the oDE.NativeObject line, because if I try to
enumerate the Children in my oDE object, I get the same error.

So, it doesn't seem that the DirectoryEntry object is being created
properly, although no exception is raised at that line.

Thanks!
 

George Durzi

I can successfully bind to Active Directory using the ldp.exe tool.
I can also successfully locate my entry; this is the result shown in the ldp.exe
window:

***Searching...
ldap_search_s(ld, "CN=USERS,DC=CORP,DC=CompanyName,DC=COM", 1, "CN=GDURZI",
attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:4> objectClass: top; person; organizationalPerson; user;
1> cn: gdurzi;
1> distinguishedName: CN=gdurzi,CN=Users,DC=corp,DC=CompanyName,DC=com;
1> name: gdurzi;
1> canonicalName: corp.CompanyName.com/Users/gdurzi;


Does this yield any clues?

 

Joe Kaplan \(MVP - ADSI\)

Actually, the NativeObject call is probably causing the error because the
DirectoryEntry class doesn't bind to AD until you call a property or method
that forces binding. NativeObject will do that, but the constructor does
not.

Generally, you get this error if S.DS really can't contact the server. If
you can get it working with ldp.exe (mentioned in your other post), then I'd
look for DNS or firewall issues. Does ldp.exe work when run from the actual
web server? Can you take a sniff of the network traffic and compare the
results?

I'd start there and see if you can see something missing.

Joe K.
 

George Durzi

Joe,
Could it have something to do with how my LDAP Connection String is
formatted?
LDAP://corp.CompanyName.com/DC=corp,DC=CompanyName,DC=com
I'm not sure if this is how it should be formatted; I copied what was
working for the same app on another domain.
And the domain is called corp.CompanyName.corp

I can't compare it to what works in ldp.exe because when I bind to the
domain there, I'm providing my id, password, and domain
corp.CompanyName.corp. Then the DN I use for my search is
CN=USERS,DC=CORP,DC=CompanyName,DC=COM

Thanks, and I'll check out your other suggestion too.



 

Joe Kaplan \(MVP - ADSI\)

The host name is the thing to be worried about. When you do your Connect...
in ldp, you need to put in the DNS name of the domain from your LDAP path
below: corp.companyname.com

If that works from the IIS server, then you should be fine. If not, I'd
check that first. You can also check DNS to find the host name for the DC
you want. You also need to make sure that TCP port 389 is open to the DC in
question, as your traffic might be getting blocked by the firewall.

Joe K.
 

George Durzi

I ran ldp.exe on the web server itself, and did a "Bind" operation to the
domain corp.isacorp.com. Here's what I got:

ld = ldap_open("10.0.10.16", 389);
Established connection to 10.0.10.16.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:1> currentTime: 12/15/2004 14:35:24 US Mountain Standard Time US Mountain
Standard Time;
1> subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
1> dsServiceName: CN=NTDS
Settings,CN=VN-SRV-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=isacorp,DC=com;
3> namingContexts: DC=corp,DC=isacorp,DC=com;
CN=Configuration,DC=corp,DC=isacorp,DC=com;
CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
1> defaultNamingContext: DC=corp,DC=isacorp,DC=com;
1> schemaNamingContext:
CN=Schema,CN=Configuration,DC=corp,DC=isacorp,DC=com;
1> configurationNamingContext: CN=Configuration,DC=corp,DC=isacorp,DC=com;
1> rootDomainNamingContext: DC=corp,DC=isacorp,DC=com;
21> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801;
1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417;
1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529;
1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970;
1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339;
1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9;
2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852;
1.2.840.113556.1.4.802;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize;
MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 337599;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: VN-SRV-DC01.corp.isacorp.com;
1> ldapServiceName: corp.isacorp.com:[email protected];
1> serverName:
CN=VN-SRV-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=isacorp,DC=com;
3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670;
1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: FALSE;
1> domainFunctionality: 1;
1> forestFunctionality: 1;
1> domainControllerFunctionality: 2;
-----------
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='gdurzi'; Pwd= <unavailable>; domain =
'VN-SRV-DC01.corp.isacorp.com'.}
Authenticated as dn:'gdurzi'.


VN-SRV-DC01 is the name of the DC, and its IP is 10.0.10.16. Both of those
appear in the text above.

And from this:

ld = ldap_open("10.0.10.16", 389);

Established connection to 10.0.10.16

We can tell that port 389 is open, and that we're not having any problems
accessing AD.

So I guess this might come down to the formatting of my LDAP connectstring?

My DirectoryEntry constructor is as follows:

    DirectoryEntry oDE = new DirectoryEntry(
        "LDAP://corp.isacorp.com/DC=corp,DC=isacorp,DC=com",
        @"corp.isacorp.com\gdurzi",   // verbatim string: "\g" is not a valid C# escape sequence
        mypassword, AuthenticationTypes.Secure);



Thanks a lot for all the help you've provided thus far!
 

George Durzi

I'm asking their network admins to check their firewall settings ...
I think everything is clean on the code side of things ...

The LDAP port is open ... I wonder what other types of traffic might be
blocked
 

Joe Kaplan \(MVP - ADSI\)

Ok, you are binding by the domain DNS name, not the DC DNS name. That
should work in ADSI too.

Other things to try in your LDAP path would be the IP address or the actual
DNS name of the DC, VN-SRV-DC01.corp.isacorp.com. One of those should work.

Also, you might consider trying different name formats for the username.
You can use NT format (domain\user), user principal name ([email protected]),
the DN (if you turn off Secure authentication; not a good idea), or the
plain user name as long as Secure is enabled. For domain\user, domain can
be the NETBIOS or DNS style.

However, if username was the issue, you wouldn't be getting "server not
operational".

Joe K.
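As an added example (not code from the thread or from Microsoft), a small C# probe that makes Joe's two points concrete: the DirectoryEntry constructor never contacts the server, so the bind must be forced (RefreshCache here, NativeObject in George's code) before anything can fail, and the "server is not operational" HRESULT (Win32 ERROR_DS_SERVER_DOWN, 8250) can be told apart from a plain logon failure (ERROR_LOGON_FAILURE, 1326) while cycling through the candidate paths Joe suggests: domain DNS name, DC DNS name and DC IP. Host names are the ones from the thread; the password is a placeholder.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added diagnostic, not part of the original thread. Probes each candidate
// LDAP path and classifies the bind result so DNS/firewall problems are not
// mistaken for bad credentials.
class AdBindProbe
{
    // Win32 error codes carried in the low 16 bits of the COMException HRESULT (0x8007xxxx).
    const int ErrorDsServerDown = 0x203A;  // "The server is not operational"
    const int ErrorLogonFailure = 0x052E;  // "The user name or password is incorrect"

    enum BindOutcome { Success, ServerDown, BadCredentials, OtherError }

    static BindOutcome TryBind(string ldapPath, string user, string password)
    {
        // Constructing the entry validates nothing; no network traffic happens here.
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath, user, password,
                                                         AuthenticationTypes.Secure))
        {
            try
            {
                entry.RefreshCache(); // forces the real bind, as NativeObject does
                return BindOutcome.Success;
            }
            catch (COMException ex)
            {
                switch (ex.ErrorCode & 0xFFFF)
                {
                    case ErrorDsServerDown: return BindOutcome.ServerDown;
                    case ErrorLogonFailure: return BindOutcome.BadCredentials;
                    default:                return BindOutcome.OtherError;
                }
            }
        }
    }

    static void Main()
    {
        string[] candidates = {
            "LDAP://corp.isacorp.com/DC=corp,DC=isacorp,DC=com",             // domain DNS name
            "LDAP://VN-SRV-DC01.corp.isacorp.com/DC=corp,DC=isacorp,DC=com", // DC DNS name
            "LDAP://10.0.10.16/DC=corp,DC=isacorp,DC=com"                    // DC IP address
        };
        foreach (string path in candidates)
            Console.WriteLine("{0} -> {1}", path, TryBind(path, @"corp\gdurzi", "<password placeholder>"));
    }
}
```

A ServerDown result on the domain name but Success on the DC name or IP points at name resolution rather than at the credentials or the code.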
 

Joe Kaplan \(MVP - ADSI\)

I think that should be all you need. If ldp worked and you had the domain
box checked when you did your bind, then the underlying network usage should
be the same between it and ADSI/S.DS.

Joe K.
 

George Durzi

Joe,
Some success finally!
I'm using VN-SRV-DC01.isacorp.corp.com as the domain name and I can finally
authenticate.

Now I'm getting an error when I try to get the groups the user belongs to.
Another problem for another day :)
 

Patrick Olurotimi Ige

George, good you finally authenticated!!
Joe's explanation did the TRICK..
As you are using Forms Auth it's been difficult getting the GROUPS (are you
making use of the code in MSDN?). I tried it also and till today had no
LUCK in retrieving the GROUPS..
But I have been successful with Windows Authentication.
Hope this helps
Patrick
 
