The server is not operational

Discussion in 'ASP .Net Security' started by CalSun, Jul 20, 2005.

  1. CalSun

    CalSun Guest

    Hi all,

    I really need your help on this problem (no luck after a day of googling).

    I use forms authentication on my two simple aspx pages.
    The user is redirected to login.aspx, then sees the main content page.
    I use LDAP to verify the user against a domain named Dserver, where the AD users are located.

    Everything works just fine on my laptop (localhost). I can verify the user against Active Directory, and I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or failure message).

    Problem: when I move this application to an existing IIS win2k3 std box, I fail to verify the user against Dserver. I get the error message "The server is not operational".

    Here is my IsAuthenticated code:

    Imports System.DirectoryServices

    ' _path (the LDAP:// root to bind to) and _filterAttribute are fields of the
    ' containing class and are not shown here.
    Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
        Dim domainAndAct As String = domain & "\" & act
        Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)
        Try
            ' Reading NativeObject forces the bind, so bad credentials or an
            ' unreachable server throw here rather than at FindOne.
            Dim obj As Object = entry.NativeObject
            Dim search As DirectorySearcher = New DirectorySearcher(entry)
            ' Note: act is placed in the filter unescaped; see RFC 4515 for
            ' the characters that must be escaped in filter values.
            search.Filter = "(SAMAccountName=" & act & ")"
            search.PropertiesToLoad.Add("cn")
            Dim result As SearchResult = search.FindOne()
            If (result Is Nothing) Then
                Return False
            End If
            'update the path to the user in the directory
            _path = result.Path
            _filterAttribute = CStr(result.Properties("cn").Item(0))
        Catch ex As Exception
            'Throw New Exception("Error authenticating user: " & ex.Message)
            Return False
        End Try
        Return True
    End Function



    Thank you all for help/reading
    --CalSun
     
    CalSun, Jul 20, 2005
    #1

  2. Paul Clement

    Paul Clement Guest

    On Wed, 20 Jul 2005 11:22:20 -0700, "CalSun" <> wrote:


    Any chance it's a configuration problem?

    You Cannot Start the Active Directory Users and Computers Tool Because the Server Is Not Operational
    http://support.microsoft.com/default.aspx?scid=kb;en-us;323542

    "The Server Is Not Operational" Error Message in Active Directory Tools
    http://support.microsoft.com/default.aspx?scid=kb;en-us;223321


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Jul 20, 2005
    #2

  3. The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

    Try a path like:
    LDAP://yourdomain.com/DC=yourdomain,DC=com

    instead of one like:
    LDAP://DC=yourdomain,DC=com

    If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

    Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent over the network in cleartext (in 1.1 anyway) unless you specify AuthenticationTypes.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

    HTH,

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Jul 20, 2005
    #3
  4. CalSun

    CalSun Guest

    Joe and Paul thanks for helping and the links.

    I've double-checked the path and the configuration. They're all intact. I tried again and it got through from my laptop but not from the web server.

    I discovered that the web server doesn't belong to the domain (included in the _path). I talked to the admin people and had them enable LDAP through the firewall, because the web server is in the DMZ.

    I'll come back to test it out tomorrow and hope it will work.

    I am not sure whether the web server can contact the AD box if it's not in the same domain.

    I will keep y'all updated.

    thanks again for the help.

    --CalSun


     
    CalSun, Jul 21, 2005
    #4
  5. If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

    Best of luck,

    Joe K.

     
    Joe Kaplan \(MVP - ADSI\), Jul 21, 2005
    #5
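    As an added example (not code from this thread or from Joe's posts), here is the pre-flight check Joe describes doing with ldp.exe, written as a small VB.NET console program that can be run on the DMZ web server before touching System.DirectoryServices: it resolves the DNS name used in the LDAP:// path and then tests whether TCP 389 (LDAP) and 636 (LDAP over SSL) accept a connection. A DNS failure here is the "DNS configured differently in the DMZ" case; a resolved name with both ports blocked is the firewall case. The host name dc1.yourdomain.com, the module and function names, and the 3-second timeout are assumptions.

```vbnet
' Added example, not from the thread: a pre-flight connectivity check for the
' host named in an LDAP:// path, run from the DMZ web server before any bind.
' Host name, ports and timeout are assumed values for illustration.
Imports System
Imports System.Net
Imports System.Net.Sockets

Module LdapPreflight

    ' Resolves the host and reports which LDAP ports accept a TCP connection.
    Public Sub CheckDirectoryHost(ByVal host As String)
        Dim addresses As IPAddress()
        Try
            addresses = Dns.GetHostAddresses(host)
        Catch ex As SocketException
            ' DNS in the DMZ may not know the internal zone at all.
            Console.WriteLine("DNS lookup for {0} failed: {1}", host, ex.Message)
            Return
        End Try

        If addresses.Length = 0 Then
            Console.WriteLine("DNS lookup for {0} returned no addresses", host)
            Return
        End If

        For Each addr As IPAddress In addresses
            Console.WriteLine("{0} resolves to {1}", host, addr)
        Next

        ' 389 = LDAP, 636 = LDAP over SSL; a firewall between the DMZ and the
        ' DC may allow only one of them, or neither.
        For Each port As Integer In New Integer() {389, 636}
            Dim state As String
            If CanConnect(addresses(0), port, 3000) Then
                state = "open"
            Else
                state = "blocked or unreachable"
            End If
            Console.WriteLine("TCP {0} on {1}: {2}", port, addresses(0), state)
        Next
    End Sub

    ' Opens a TCP connection with a timeout; True if the handshake completed.
    Private Function CanConnect(ByVal addr As IPAddress, ByVal port As Integer, ByVal timeoutMs As Integer) As Boolean
        Using client As New TcpClient(addr.AddressFamily)
            Dim result As IAsyncResult = client.BeginConnect(addr, port, Nothing, Nothing)
            If Not result.AsyncWaitHandle.WaitOne(timeoutMs, False) Then
                Return False
            End If
            Try
                client.EndConnect(result)
                Return True
            Catch ex As SocketException
                Return False
            End Try
        End Using
    End Function

    Sub Main()
        ' Assumed host name; use the DNS name from your own LDAP:// path.
        CheckDirectoryHost("dc1.yourdomain.com")
    End Sub
End Module
```

    Run it under the same account the web application uses (the local webTest account in this thread), since name resolution and firewall rules are what the web server sees, not what your domain-joined laptop sees.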
  6. CalSun

    CalSun Guest

    Thanks again for the advice.

    I haven't solved the problem yet, but I think I've made some progress on it.

    I removed my laptop from the domain and ran my web application on my laptop. I could search the AD box for a valid user; however, it failed when I tried to query the groups that user belongs to. The error message is "The specified domain either does not exist or could not be contacted".

    While I'm googling for the answer, I appreciate your input and help.

    thanks
    --CalSun
     
    CalSun, Jul 22, 2005
    #6
  7. When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your DirectoryEntry objects that causes these problems.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 22, 2005
    #7
  8. CalSun

    CalSun Guest

    Thanks Joe,

    Here is what I got.

    I pulled my laptop out of the domain and modified the code a bit. I use one DirectorySearcher with two properties loaded: one is "cn" and the other is "memberOf". With this code, I got myself (a valid user) authenticated from my laptop (not inside the domain but in a workgroup). However, this code won't do it when I host it on the web server box (in the DMZ). Very strange!

    That's all I've got for now, Joe. Please drop me anything that pops into your mind. Thanks.
     
    CalSun, Jul 22, 2005
    #8
  9. The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

    The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

    Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

    Joe K.

    "CalSun" <> wrote in message news:...
    Thanks Joe,

    Here is what I got.

    I pulled my laptop out of the domain and modified the code a bit. I use one directorysearcher with 2 properties loaded: one is cn and other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!

    That's all i got 4 now Joe. Please drop me anything popped of your mind. thanks
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:%...
    When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

    Joe K.
    "CalSun" <> wrote in message news:%...
    Thanks again for the advice.

    I didn't solve the problem yet, but I think I make some progress on it.

    I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

    While I'm googling for the ans, I appreciate your input and help.

    thanks
    --CalSun
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

    Best of luck,

    Joe K.

    "CalSun" <> wrote in message news:%...
    Joe and Paul thanks for helping and the links.

    I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

    I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

    I'll come back to test it out tomorrow and hope it will work.

    I am sure whether the webserver could contact the AD box if it's not in the same domain.

    I will keep y'all updated.

    thanks again for the help.

    --CalSun


    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:%...
    The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

    Try a path like:
    LDAP://yourdomain.com/DC=yourdomain,DC=com

    instead of one like:
    LDAP://DC=yourdomain,DC=com

    If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

    Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

    HTH,

    Joe K.

    "CalSun" <> wrote in message news:us3Q$...
    Hi all,

    I really need your help on this problem. (no help for 1 day goolging).

    I use form authentication on my 2 simple aspx pages.
    User is redirected to login.aspx, then see the main content page.
    I use LDAP to verify the user from a domain named Dserver where the AD users locate.

    Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

    Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

    Here is my IsAuthenticated code:

    Imports System.DirectoryServices

    ' Fields used by the function below; their values are set elsewhere and
    ' are not shown in this post. _path is the LDAP path the bind starts from.
    Private _path As String
    Private _filterAttribute As String

    Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
        Dim domainAndAct As String = domain & "\" & act
        Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)
        Try
            ' Reading NativeObject forces the bind with the supplied credentials
            Dim obj As Object = entry.NativeObject
            Dim search As DirectorySearcher = New DirectorySearcher(entry)
            search.Filter = "(SAMAccountName=" & act & ")"
            search.PropertiesToLoad.Add("cn")
            Dim result As SearchResult = search.FindOne()
            If (result Is Nothing) Then
                Return False
            End If
            'update the path to the user in the directory
            _path = result.Path
            _filterAttribute = CStr(result.Properties("cn").Item(0))
        Catch ex As Exception
            'Throw New Exception("Error authenticating user: " & ex.Message)
            Return False
        End Try
        Return True
    End Function



    Thank you all for help/reading
    --CalSun
     
    Joe Kaplan \(MVP - ADSI\), Jul 22, 2005
    #9
  10. CalSun

    CalSun Guest

    Hi Joe,
    thanks again for your frequent help. I meant DirectoryEntry instead of DirectorySearcher.

    I haven't solved the problem yet. I double-checked the configuration and everything. It came to my attention that I have impersonate set to true in the config file, Anonymous Access checked, and the user ID (webTest) is local to the web server. webTest is not a domain user and I think it couldn't communicate with the Active Directory. I tried to browse to an AD user, but I couldn't see the domain user list from this web server. Is there a way to achieve this?

    Thanks
    --CalSun
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

    The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

    Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

    Joe K.

    "CalSun" <> wrote in message news:...
    Thanks Joe,

    Here is what I got.

    I pulled my laptop out of the domain and modified the code a bit. I use one DirectorySearcher with 2 properties loaded: one is cn and the other is "memberOf". With this code, I got myself (a valid user) authenticated from my laptop (not inside the domain but in a workgroup). However, this code won't do it when I host it on the web server box (in the DMZ). Very strange!

    That's all I've got for now, Joe. Please drop me anything that pops into your mind. Thanks
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:%...
    When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your DirectoryEntry objects that causes these problems.

    Joe K.
    "CalSun" <> wrote in message news:%...
    Thanks again for the advice.

    I haven't solved the problem yet, but I think I have made some progress on it.

    I removed my laptop from the domain and ran my web application on my laptop. I could search the AD box for a valid user; however, it failed as I tried to query the groups that user belongs to. The error message is "The specified domain either does not exist or could not be contacted".

    While I'm googling for the answer, I appreciate your input and help.

    thanks
    --CalSun
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

    Best of luck,

    Joe K.

    "CalSun" <> wrote in message news:%...
    Joe and Paul thanks for helping and the links.

    I've double-checked the path and the configuration. They're all intact. I tried again and it got through from my laptop but not from the web server.

    I discovered that the web server doesn't belong to the domain (included in the _path). I talked to the admin people and had them enable LDAP through the firewall. The reason I did that is because the web server is in the DMZ.

    I'll come back to test it out tomorrow and hope it will work.

    I am sure whether the webserver could contact the AD box if it's not in the same domain.

    I will keep y'all updated.

    Thanks again for the help.

    --CalSun
     
    CalSun, Jul 24, 2005
    #10
  11. (Lost your reply message, so replying to mine instead :))

    In your path, are you specifying the DNS name of a specific domain controller? I would start with that. Additionally, it would be wise to put ldp.exe on your web server machine and make sure you can connect to that DC with it. Ldp.exe can be very useful for troubleshooting LDAP issues.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 24, 2005
    #11
  12. CalSun

    CalSun Guest

    Thanks again.

    I have used the ldp.exe tool from the web server box, and I could not make a connection to the domain controller. On my laptop (inside the domain), I could make a connection to that domain controller.
    Any idea or solution is highly appreciated.

    Thanks, CalSun
     
    CalSun, Jul 25, 2005
    #12
  13. If you can't make a connection to the DC using ldp.exe from the server in question, then that tends to indicate that there may be network issues here. Are you sure you have TCP port 389 open to all of the DCs you need to contact? You may also need port 88 for Kerberos if you are using secure binding (which is a good idea).

    If it is a network/firewall issue, you'll need to resolve that with your own network guys.

    If it is not a network issue, then you just need to keep using ldp.exe until you find out the right server info to use from the web server. If it works in ldp.exe, then it should work in S.DS.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 25, 2005
    #13
  14. Rinks Singh

    Rinks Singh Guest

    Thanks Joe and Cal for the information on this thread. I am also getting
    the same error while trying to connect to the AD.

    Can I use LDP.EXE from the workstation to make sure about the
    connection? From where can I download the LDP.EXE tool?

    I am able to connect to the Directory using the command prompt by giving:
    Run LDAP//:DomainName

    After that a search box appears and I can search based on Object Type. But
    when I try from the program I get an error "The server is not Operational"

    Need some help to solve this


    *** Sent via Developersdex http://www.developersdex.com ***
     
    Rinks Singh, Jul 26, 2005
    #14
  15. Ldp.exe ships with the Windows Server Admin Pack which comes on the CD and
    also ships with ADAM. The most recent released version is with ADAM or the
    Windows Server R2 beta if you can get that. I'm pretty sure there is no
    separate download for it, but I can also send you a copy if you email me
    offline.

    LDP can be used for testing the connection to various directories using
    different values for the server name.

    The other important thing to know is that the ADSI binding string consists
    of three parts:
    <scheme>://<server>/<objectname>

    The scheme is obviously "LDAP" (case-sensitive; watch out!). The server part
    is OPTIONAL though. If you don't supply a server name, then the LDAP API
    tries to discover a server for you based on the security context of the
    current thread. This is the thing that tends to trip people up in web
    applications as they are often running under a local machine account which
    has no domain affiliation, so the request for a "serverless bind" as it is
    called fails with this exact error.

    The server name can contain DNS names, IP addresses or NETBIOS names.
    However, DNS names are the way to go as both Kerberos and SSL/LDAP need DNS
    names to work properly. The DNS name can be the name of the domain or the
    DNS name of a specific server.

    The <objectname> is also optional, but I generally think you should always
    specify something. If you want to search the root of the domain, specify
    the distinguished name of the domain root. This is usually something like
    "DC=yourdomain,DC=com" with AD. You can find out this value dynamically by
    getting the "RootDSE" object and looking at its "defaultNamingContext"
    attribute. This is better than hard-coding. :)

    HTH,

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 26, 2005
    #15
  16. CalSun

    CalSun Guest

    Hi Joe,
    thanks for the informative message. I got ldp and could connect to the DC
    using the domain as mycompany.com. I didn't specify SSL or Connectionless, it
    still goes.
    Back to IIS, I checked the Anonymous option and specified a local user
    name + password to handle all the Anonymous logins. It fails to
    connect/authenticate.
    Do we need a domain user to handle the authentication process (at the IIS box)?
    If so, my web server (IIS box) is in the DMZ and I can't see the user list from the
    domain. I tried manually to assign a domain user to the Anonymous option such
    as: domain\user + pw. And it didn't work. This has got to be a local user to
    this IIS box (web server).

    I use form authentication. When a page is requested, client is redirected to
    a login page.

    Again, thanks for all the help.

    CalSun
     
    CalSun, Jul 26, 2005
    #16
  17. When you do your bind with ldp.exe, what credentials did you use? Those are
    probably the exact same credentials you need to use in your DirectoryEntry
    constructor.

    In ldp, the "domain" checkbox in the binding dialog is roughly equivalent to
    specifying "AuthenticationTypes.Secure" in your DE constructor.

    The anonymous user in IIS should not come into play unless you have
    impersonation enabled in web.config AND you are not supplying credentials in
    your DE constructor. If you specify credentials, it will use the ones you
    specified.

    The domain value that you used in ldp that worked should be the domain value
    you use in your LDAP path in your DE constructor. Thus:

    mydomain.com
    in ldp would translate to:
    LDAP://mydomain.com/<something here>

    The <something here> should be the distinguished name of the object you want
    to bind to or use as a search root.

    You can use the "defaultNamingContext" value you see in ldp when it does the
    initial "root DSE" query for you. This assumes you want to bind to the
    domain root object and want to use it as a search root though.

    HTH,

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 26, 2005
    #17
  18. CalSun

    CalSun Guest

    My bad. It was a typo in a key in appSettings where I have the value set.
    Thanks Joe and have a great day.
    --CalSun
     
    CalSun, Jul 26, 2005
    #18
  19. Cool. Glad it turned out to be something easy. Hopefully you learned some
    useful troubleshooting tips for next time.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 26, 2005
    #19
  20. If you are going to post code, you should really post the values of the
    variables you are using since it is the value of the Path variable that is
    most likely to cause this error.

    Typically, this error happens in ASP.NET apps when the path doesn't contain
    a server or DNS name (serverless binding), but the current security context
    is a local machine account. In this case, LDAP can't "bootstrap" a domain
    to use to find a domain controller, so it fails.

    This is generally fixed by simply adding the DNS domain of your AD domain to
    the binding string:

    LDAP://yourdomain.com/rootDSE

    instead of LDAP://rootDSE

    Using AuthenticationTypes.Secure is a very good idea. That is always
    recommended with AD.

    Also, there is no need to search the directory for the user if you just want
    to validate their credentials. Just doing a bind will suffice. You can
    force a bind with the NativeObject property. Do a search if you need to
    look up some of their data as well.

    Joe K.

    "palaniselvam" <> wrote in
    message news:p...
    >
    > Hi,
    > I need to validate user/pwd on an LDAP server. When I validate a user ID on the
    > LDAP server using the following code I always get an error, "The
    > server is not operational". With the same path, if I type it in Internet Explorer
    > it opens a popup window from the LDAP server. I need to use secure
    > mode. Do I have to do any settings in IIS? Please help me asap.
    > Thanks and Regards,
    > M. Palani selvam.
    >
    > Code is:
    > ---------
    > Public Function IsAuthenticated(ByVal domain As String, ByVal username As String, ByVal pwd As String) As Boolean
    >     Dim enTry As New DirectoryEntry(_path)
    >     enTry.Username = username
    >     enTry.Password = pwd
    >     enTry.AuthenticationType = AuthenticationTypes.Secure
    >     Try
    >         Dim search As DirectorySearcher = New DirectorySearcher(enTry, "(SAMAccountName=" + username + ")")
    >         search.PropertiesToLoad.Add("cn")
    >         Dim result As SearchResult = search.FindOne()
    >         If result Is Nothing Then
    >             Return False
    >         End If
    >         _path = result.Path
    >         _filterAttribute = CType(result.Properties("cn")(0), String)
    >     Catch ex As Exception
    >         Throw New Exception("Error authenticating user. " + ex.Message)
    >     End Try
    >     Return True
    > End Function
    >
    >
    > --
    > palaniselvam
    > ------------------------------------------------------------------------
    > palaniselvam's Profile: http://www.hightechtalks.com/m801
    > View this thread: http://www.hightechtalks.com/t2192113
    >
     
    Joe Kaplan \(MVP - ADSI\), Jan 23, 2006
    #20
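    The pattern the thread converges on, written out as an added example (not code from CalSun, Joe Kaplan or any other poster): a server name always present in the path, AuthenticationTypes.Secure, credential validation by bind alone as in #20, defaultNamingContext read from RootDSE as in #15 and #17, and the group lookup reusing the same server and credentials. It assumes VB.NET on .NET 2.0 or later; "yourdomain.com", the class and function names are placeholders, and the filter-escaping helper is an addition beyond what the thread shows.

```vb
' Added example; "yourdomain.com" and all names here are placeholders.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text

Public Class AdAuthenticator
    ' HRESULT of "The server is not operational" (ERROR_DS_SERVER_DOWN).
    Private Const ERROR_DS_SERVER_DOWN As Integer = &H8007203A

    ' DNS name of the domain or of one DC. Always supplying it avoids the
    ' "serverless bind", which fails when the worker process account is not
    ' a domain member (the failure mode discussed in the thread).
    Private ReadOnly _domainDns As String

    Public Sub New(ByVal domainDns As String)
        _domainDns = domainDns
    End Sub

    ' Validates credentials by forcing a bind through NativeObject; no search is
    ' needed just to check a password. Secure = Negotiate, so the password is not
    ' sent in cleartext. A rejected logon returns False; an unreachable DC is
    ' rethrown so it is never reported as "bad password".
    Public Function IsAuthenticated(ByVal domain As String, ByVal user As String, _
                                    ByVal password As String) As Boolean
        Dim path As String = "LDAP://" & _domainDns & "/RootDSE"
        Try
            Using entry As New DirectoryEntry(path, domain & "\" & user, password, _
                                              AuthenticationTypes.Secure)
                Dim forceBind As Object = entry.NativeObject
            End Using
            Return True
        Catch ex As DirectoryServicesCOMException
            If ex.ErrorCode = ERROR_DS_SERVER_DOWN Then
                Throw
            End If
            Return False
        End Try
    End Function

    ' Reads defaultNamingContext from RootDSE instead of hard-coding
    ' "DC=yourdomain,DC=com", using the same server and credentials.
    Public Function GetDefaultNamingContext(ByVal userName As String, _
                                            ByVal password As String) As String
        Using rootDse As New DirectoryEntry("LDAP://" & _domainDns & "/RootDSE", _
                                            userName, password, AuthenticationTypes.Secure)
            Return CStr(rootDse.Properties("defaultNamingContext").Value)
        End Using
    End Function

    ' Escapes a value for use inside an LDAP filter (RFC 4515) so that a
    ' user-typed account name cannot change the meaning of the filter.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case ChrW(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' After a successful bind, looks up the user's groups with one search whose
    ' root, server and credentials match the bind (a mismatch between the two
    ' DirectoryEntry objects was one of the suspects in the thread).
    Public Function GetGroups(ByVal domain As String, ByVal user As String, _
                              ByVal password As String) As List(Of String)
        Dim userName As String = domain & "\" & user
        Dim groups As New List(Of String)()
        Dim rootPath As String = "LDAP://" & _domainDns & "/" & _
                                 GetDefaultNamingContext(userName, password)
        Using root As New DirectoryEntry(rootPath, userName, password, _
                                         AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & _
                                  EscapeFilterValue(user) & "))"
                searcher.PropertiesToLoad.Add("cn")
                searcher.PropertiesToLoad.Add("memberOf")
                Dim result As SearchResult = searcher.FindOne()
                If result IsNot Nothing Then
                    For Each dn As Object In result.Properties("memberOf")
                        groups.Add(CStr(dn))
                    Next
                End If
            End Using
        End Using
        Return groups
    End Function
End Class
```

Because the DC address is in the path, the code behaves the same whether the IIS box is a domain member or sits in a DMZ, as long as TCP 389 (and 88 for Kerberos) reach the DC.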