The server is not operational


C

CalSun

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
Ad

Advertisements

P

Paul Clement

¤ Hi all,
¤
¤ I really need your help on this problem. (no help for 1 day goolging).
¤
¤ I use form authentication on my 2 simple aspx pages.
¤ User is redirected to login.aspx, then see the main content page.
¤ I use LDAP to verify the user from a domain named Dserver where the AD users locate.
¤
¤ Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).
¤
¤ Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"
¤

Any chance it's a configuration problem?

You Cannot Start the Active Directory Users and Computers Tool Because the Server Is Not Operational
http://support.microsoft.com/default.aspx?scid=kb;en-us;323542

"The Server Is Not Operational" Error Message in Active Directory Tools
http://support.microsoft.com/default.aspx?scid=kb;en-us;223321


Paul
~~~~
Microsoft MVP (Visual Basic)
 
J

Joe Kaplan \(MVP - ADSI\)

The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
C

CalSun

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
J

Joe Kaplan \(MVP - ADSI\)

If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
C

CalSun

Thanks again for the advice.

I didn't solve the problem yet, but I think I make some progress on it.

I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

While I'm googling for the ans, I appreciate your input and help.

thanks
--CalSun
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
Ad

Advertisements

J

Joe Kaplan \(MVP - ADSI\)

When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

Joe K.
Thanks again for the advice.

I didn't solve the problem yet, but I think I make some progress on it.

I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

While I'm googling for the ans, I appreciate your input and help.

thanks
--CalSun
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
C

CalSun

Thanks Joe,

Here is what I got.

I pulled my laptop out of the domain and modified the code a bit. I use one directorysearcher with 2 properties loaded: one is cn and other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!

That's all i got 4 now Joe. Please drop me anything popped of your mind. thanks
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

Joe K.
Thanks again for the advice.

I didn't solve the problem yet, but I think I make some progress on it.

I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

While I'm googling for the ans, I appreciate your input and help.

thanks
--CalSun
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
J

Joe Kaplan \(MVP - ADSI\)

The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

Joe K.

Thanks Joe,

Here is what I got.

I pulled my laptop out of the domain and modified the code a bit. I use one directorysearcher with 2 properties loaded: one is cn and other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!

That's all i got 4 now Joe. Please drop me anything popped of your mind. thanks
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

Joe K.
Thanks again for the advice.

I didn't solve the problem yet, but I think I make some progress on it.

I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

While I'm googling for the ans, I appreciate your input and help.

thanks
--CalSun
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
C

CalSun

Hi Joe,
thanks again for your frequent help. I meant DirectoryEntry instead of DirectorySearcher.

I haven't solved the prob yet. I double-checked the configuration and everything. It came to my attention that I have impersonate set to true in the config file, Anonymous Access checked, and the userid (webTest) is local to the webserver. webTest is not a domain user and I think it couldn't communicate with the Active Directory. I tried to browse to an AD user, but I couldn't see the domain user list from this webserver. Is there a way to archive this?

thanks
--CalSun
The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

Joe K.

Thanks Joe,

Here is what I got.

I pulled my laptop out of the domain and modified the code a bit. I use one directorysearcher with 2 properties loaded: one is cn and other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!

That's all i got 4 now Joe. Please drop me anything popped of your mind. thanks
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

Joe K.
Thanks again for the advice.

I didn't solve the problem yet, but I think I make some progress on it.

I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".

While I'm googling for the ans, I appreciate your input and help.

thanks
--CalSun
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

Joe and Paul thanks for helping and the links.

I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

Hi all,

I really need your help on this problem. (no help for 1 day goolging).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean

Dim domainAndAct As String = domain & "\" & act

Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)

Try

Dim obj As Object = entry.NativeObject

Dim search As DirectorySearcher = New DirectorySearcher(entry)

search.Filter = "(SAMAccountName=" & act & ")"

search.PropertiesToLoad.Add("cn")

Dim result As SearchResult = search.FindOne()

If (result Is Nothing) Then

Return False

End If

'update the path to the user in the directory

_path = result.Path

_filterAttribute = result.Properties("cn").Item(0)

Catch ex As Exception

'Throw New Exception("Error authenticating user: " & ex.Message)

Return False

End Try

Return True

End Function



Thank you all for help/reading
--CalSun
 
J

Joe Kaplan \(MVP - ADSI\)

(Lost your reply message, so replying to mine instead :))

In your path, are you specifying the DNS name of a specific domain controller? I would start with that. Additionally, it would be wise to put ldp.exe on your web server machine and make sure you can connect to that DC with it. Ldp.exe can be very useful for troubleshooting LDAP issues.

Joe K.
 
Ad

Advertisements

C

CalSun

Thanks again.

I have used the ldp.exe tool from the webserver box, and I could not make a connection to the domain controler. On my laptop (inside the domain), I could make a connection to that domain controler.
Any idea or solution is highly appreciated.

thanks, CalSun
(Lost your reply message, so replying to mine instead :))

In your path, are you specifying the DNS name of a specific domain controller? I would start with that. Additionally, it would be wise to put ldp.exe on your web server machine and make sure you can connect to that DC with it. Ldp.exe can be very useful for troubleshooting LDAP issues.

Joe K.
 
J

Joe Kaplan \(MVP - ADSI\)

If you can't make a connection to the DC using ldp.exe from the server in question, then that tends to indicate that there may be network issues here. Are you sure you have TCP port 389 open to all of the DCs you need to contact? You may also need port 88 for Kerberos if you are using secure binding (which is a good idea).

If it is a network/firewall issue, you'll need to resolve that with your own network guys.

If it is not a network issue, then you just need to keep using ldp.exe until you find out the right server info to use from the web server. If it works in ldp.exe, then it should work in S.DS.

Joe K.
Thanks again.

I have used the ldp.exe tool from the webserver box, and I could not make a connection to the domain controler. On my laptop (inside the domain), I could make a connection to that domain controler.
Any idea or solution is highly appreciated.

thanks, CalSun
(Lost your reply message, so replying to mine instead :))

In your path, are you specifying the DNS name of a specific domain controller? I would start with that. Additionally, it would be wise to put ldp.exe on your web server machine and make sure you can connect to that DC with it. Ldp.exe can be very useful for troubleshooting LDAP issues.

Joe K.
 
R

Rinks Singh

Thanks Joe and Cal for the information on this thread. I am also getting
the same error while trying connect to the AD.

Can I use LDP.EXE from the workstation to make sure about the
connection.? From where I can downlaod LDP.EXE tool?

I am able to connect to Directory using command prompt by giving like:
Run LDAP//:DomainName

After that search box appears and I can search based on Object Type.But
when I try from program I get an error "The server is not Operational"

Need some help to solve this
 
J

Joe Kaplan \(MVP - ADSI\)

Ldp.exe ships with the Windows Server Admin Pack which comes on the CD and
also ships with ADAM. The most recent released version is with ADAM or the
Windows Server R2 beta if you can get that. I'm pretty sure there is no
separate download for it, but I can also send you a copy if you email me
offline.

LDP can be used for testing the connection to various directories using
different values for the server name.

The other important thing to know is that the ADSI binding string consists
of three parts:
<scheme>://<server>/<objectname>

The scheme is obviously "LDAP" (case-senstive; watch out!). The server part
is OPTIONAL though. If you don't supply a server name, then the LDAP API
tries to discover a server for you based on the security context of the
current thread. This is the thing that tends to trip people up in web
applications as they are often running under a local machine account which
has no domain affiliation, so the request for a "serverless bind" as it is
called fails with this exact error.

The server name can contain DNS names, IP addresses or NETBIOS names.
However, DNS names are the way to go as both Kerberos and SSL/LDAP need DNS
names to work properly. The DNS name can be the name of the domain or the
DNS name of a specific server.

The <objectname> is also optional, but I generally think you should always
specify something. If you want to search the root of the domain, specify
the distinguished name of the domain root. This is usually something like
"DC=yourdomain,DC=com" with AD. You can find out this value dynamically by
getting the "RootDSE" object and looking at its "defaultNamingContext"
attribute. This is better than hard-coding. :)

HTH,

Joe K.
 
C

CalSun

Hi Joe,
thanks for the informative message. I got ldp and could connect to the DC
using the domain as mycompany.com. I din't specify SSL or Connectionless, it
still goes.
Back to IIS, I checked on the Anonymous option and specified a local user
name + password to handle all the Anonymous loging. It fails to
connect/authenticate.
Do we need a domain user to handle the authentication process (at IIS box)?
If so, my web server (iis box) is in dmz and I can't see user list from the
domain. I tried manualy to assign a domain user to the Anonymous option such
as: domain\user + pw. And it didn't work. This got to be a local user to
this IIS box (web server).

I use form authentication. When a page is requested, client is redirected to
a login page.

Again, thanks for all the help.

CalSun
 
Ad

Advertisements

J

Joe Kaplan \(MVP - ADSI\)

When you do your bind with ldp.exe, what credentials did you use? Those are
probably the exact same credentials you need to use in your DirectoryEntry
constructor.

In ldp, the "domain" checkbox in the binding dialog is roughly equivalent to
specifying "AuthenticationTypes.Secure" in your DE constructor.

The anonymous user in IIS should not come into play unless you have
impersonation enabled in web.config AND you are not supplying credentials in
your DE constructor. If you specify credentials, it will use the ones you
specified.

The domain value that you used in ldp that worked should be the domain value
you use in your LDAP path in your DE constructor. Thus:

mydomain.com
in ldp would translate to:
LDAP://mydomain.com/<something here>

The <something here> should be the distinguished name of the object you want
to bind to or use as a search root.

You can use the "defaultNamingContext" value you see in ldp when it does the
initial "root DSE" query for you. This assumes you want to bind to the
domain root object and want to use it as a search root though.

HTH,

Joe K.
 
C

CalSun

My bad. It was a typo with a key in appsetting where I have the value set.
Thanks Joe and have a great day.
--CalSun
 
J

Joe Kaplan \(MVP - ADSI\)

Cool. Glad it turned out to be something easy. Hopefully you learned some
useful troubleshooting tips for next time.

Joe K.
 
Ad

Advertisements

J

Joe Kaplan \(MVP - ADSI\)

If you are going to post code, you should really post the values of the
variables you are using since it is the value of the Path variable that is
most likely to cause this error.

Typically, this error happens in ASP.NET apps when the path doesn't contain
a server or DNS name (serverless binding), but the current security context
is a local machine account. In this case, LDAP can't "bootstrap" a domain
to use to find a domain controller, so it fails.

This is generally fixed by simply adding the DNS domain of your AD domain to
the binding string:

LDAP://yourdomain.com/rootDSE

instead of LDAP://rootDSE

Using AuthenticationTypes.Secure is a very good idea. That is always
recommended with AD.

Also, there is no need to search the directory for the user if you just want
to validate their credentials. Just doing a bind will suffice. You can
force a bind with the NativeObject property. Do a search if you need to
look up some of their data as well.

Joe K.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top