DirectorySearcher / LDAP search does not work from the IIS hosting environment, but works from the console on the same machine

We have some code running in an ASP.NET MVC 4 application. The application is hosted in IIS on Windows Server 2012. The application identity is not the standard one but a specific user, e.g. the iis-appPool-username shown below. The application runs on .NET 4.0 with the managed pipeline in integrated mode.

  • I tried this both with and without the username in the DirectoryEntry object.
  • I can run a console application that does the same thing as the same user (from command.exe running as that user) on the same computer, and it works.
  • It should be noted that the console application did not work until I manually specified the LDAP path and AuthenticationTypes.ReadonlyServer, since it is hitting a read-only domain controller. The console application gave me the same error until I specified the LDAP path and the ReadonlyServer type. However, while the console application is working now, the IIS application is not.

The code is below.

    using System.DirectoryServices;

    // also tried: var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com");
    var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com",
                                        @"domain\iis-appPool-username", "password");
    searchRoot.AuthenticationType = AuthenticationTypes.ReadonlyServer;

    using (var searcher = new DirectorySearcher(searchRoot))
    {
        searcher.Filter = string.Format("(&(objectClass=group)(sAMAccountName={0}))", "someGroupName");
        searcher.PropertiesToLoad.Add("distinguishedName");

        // This is where the failure happens
        var result = searcher.FindOne();
    }

The error with its stack trace looks like this:

    System.Runtime.InteropServices.COMException (0x8007054B): The specified domain either does not exist or could not be contacted.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.DirectorySearcher.get_SearchRoot()
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
       at System.DirectoryServices.DirectorySearcher.FindOne()

EDIT: Also, I get this same error if I explicitly use a wrong username and password. From my local machine, if I use a wrong username and password, I get an authentication error. From IIS, however, with a wrong username and password, it does not even get that far.

EDIT: I set web.config to full trust:

    <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
    </securityPolicy>

And we also granted the user privileges on the box. I keep getting the same error: System.Runtime.InteropServices.COMException: The specified domain either does not exist or could not be contacted.

UPDATE: So this turned out to be a combination of two problems.

1) As noted below, I initially was not passing the DirectoryEntry parameter to DirectorySearcher. While trying different possibilities and combinations, I managed to miss this change when I got the console application working, and then updated the application code to reflect it.

2) When I added the parameter to DirectorySearcher, I was still getting the error. The message was identical, and the stack trace was almost identical. There was one different line in the middle of the stack trace: a second call to another method that needed a DirectoryEntry argument for its own DirectorySearcher. I had looked at the problem for so long that my eyes saw only the one error message and what seemed to be the same stack trace, when it was actually a new one. Passing my DirectoryEntry object to those calls resolved the issue.

The final solution did not require me to pass the server identifier in (but your mileage may vary if your environment cannot resolve the domain controller without it).

Tags: c# iis iis-8 active-directory ldap
1 answer

You must specify the search root for the DirectorySearcher class in order to connect to the Active Directory domain controller. You will get a COM exception (0x8007054B) if you do not specify a search root for the DirectorySearcher class.

Instead, try using the following lines of code:

    var searchRoot = new DirectoryEntry(@"LDAP://DC=subdom,DC=ourdomain,DC=com",
                                        @"domain\iis-appPool-username", "password");
    searchRoot.AuthenticationType = AuthenticationTypes.ReadonlyServer;

    using (var searcher = new DirectorySearcher(searchRoot)) // Specify the search root here
    {
        searcher.Filter = string.Format("(&(objectClass=group)(sAMAccountName={0}))", "someGroupName");
        searcher.PropertiesToLoad.Add("distinguishedName");
        var result = searcher.FindOne();
    }
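An added example (not code from the question or the answer) that applies the answer's fix of passing an explicit search root and, going beyond what the page shows, escapes the group name before it is built into the filter, since the posted code inserts it verbatim. It binds as the process identity (the app pool account) instead of embedding a password in code; the names GroupLookup, FindGroupDn, EscapeFilterValue and the ldapPath argument are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class GroupLookup
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    // The posted code formats the group name straight into the filter;
    // escaping keeps a value containing '(' ')' '*' or '\' from changing the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the group's distinguishedName, or null if no such group exists.
    // ldapPath is e.g. "LDAP://DC=subdom,DC=ourdomain,DC=com" (assumed input).
    // No credentials are passed, so the bind uses the current security context,
    // i.e. the app pool identity under IIS; ReadonlyServer mirrors the
    // question's working console settings.
    public static string FindGroupDn(string ldapPath, string groupName)
    {
        using (var searchRoot = new DirectoryEntry(ldapPath))
        {
            searchRoot.AuthenticationType =
                AuthenticationTypes.Secure | AuthenticationTypes.ReadonlyServer;

            // The search root must be passed in; otherwise FindOne fails with 0x8007054B.
            using (var searcher = new DirectorySearcher(searchRoot))
            {
                searcher.Filter = "(&(objectClass=group)(sAMAccountName="
                                  + EscapeFilterValue(groupName) + "))";
                searcher.PropertiesToLoad.Add("distinguishedName");

                SearchResult result = searcher.FindOne();
                if (result == null) return null;
                return result.Properties["distinguishedName"][0] as string;
            }
        }
    }
}
```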
