Cannot query AD (get DirectoryServicesCOMException)

I am trying to query AD from an ASP.Net (4.0) application that runs on Windows Server 2008 R2 (IIS7 is installed). (It also does not work when run as a 2.0 application.)

This is not new to me, as I have done it many times before. I wrote a small ASP.Net program that works fine on my machine (Windows XP with IIS6), but does not work when launched on the 2008 machine.

(As a result, you should see a list of the groups the user is a member of in the text box.)

    // (on button_click)
    var userName = txtUserName.Text;
    if (userName.Trim().Length == 0)
    {
        txtResults.Text = "-- MISSING USER NAME --";
        return;
    }
    // Bind arguments: path, username (given here as a DN), password
    var entry = new DirectoryEntry("LDAP://blah.blah/DC=blah,DC=blah", "cn=acct, dc=blah, dc=blah", "pass");
    var search = new DirectorySearcher(entry);
    // userName is concatenated straight into the filter (no LDAP filter escaping)
    search.Filter = "(SAMAccountName=" + userName + ")";
    search.PropertiesToLoad.Add("memberOf");
    var groupsList = new StringBuilder();
    var result = search.FindOne();
    if (result != null)
    {
        int groupCount = result.Properties["memberOf"].Count;
        for (int counter = 0; counter < groupCount; counter++)
        {
            groupsList.Append((string)result.Properties["memberOf"][counter]);
            groupsList.Append("\r\n");
        }
    }
    txtResults.Text = groupsList.ToString();

When I run this code, I get the following error from search.FindOne():

    System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
       at System.DirectoryServices.DirectorySearcher.FindOne()
       at WebApplication1._Default.btnSearch_Click(Object sender, EventArgs e)

We have done a lot of research on this and tried every IIS7 setting we can think of, but no luck so far. Any clues?

+4
4 answers

Change the username parameter from "cn=xxx,dc=yyy,dc=zzz" to "Domain\Username".

+3

You can also change the IIS application pool to run under a domain account that has the rights to perform the searches you are doing.

I have a few more comments:

  • Verify that the first argument to the DirectoryEntry constructor includes the container for users. This should help DirectorySearcher work more reliably.
  • I believe that the second parameter of the DirectoryEntry constructor should be the username, not the AD query path.
  • You must also set the AuthenticationType property. With Server 2008, by default, this should be set to AuthenticationTypes.Secure | AuthenticationTypes.ServerBind | AuthenticationTypes.Sealing. I would expect 2008 R2 to have a similar requirement.
0

I see that the question is quite old, but after dealing with this myself, I thought I'd mention that it really is possible to use the LDAP username style (as opposed to the DNS style). This works well for me:

    string connString = "LDAP://MyDomain/CN=blah,DC=blah,DC=blah";
    string username = "CN=MyAdmin,CN=Users,CN=blah,DC=blah,DC=blah";
    string password = "myLittleSecret";
    // AuthenticationTypes.None = simple bind; the password is sent unencrypted unless the connection uses SSL
    DirectoryEntry root = new DirectoryEntry(connString, username, password, AuthenticationTypes.None);

Where MyAdmin is a member of the Administrators group.

One small thing that took me a while to find was the AuthenticationTypes.None parameter, which is necessary if you do not want to communicate over SSL. Of course you want SSL in production, but for development purposes it may be OK to skip encryption.

Environment: Windows 7

0

I also got this exception when trying to query Active Directory:

    SearchResult result = srch.FindOne();

To solve this problem, simply wrap the code above in SPSecurity.RunWithElevatedPrivileges().

Final solution:

    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        result = srch.FindOne();
    });
0
