Active Directory and LDAP

DirectoryServicesCOMException

2012-08-20T17:34:37.63-04:00

Hello all, I have a web app that looks up a users email in AD and returns the email so the app can send a confirmation email. The lookup has been working fine for two weeks, but recently has started throwing an exception.

System.DirectoryServices.DirectoryServicesCOMException

[System.DirectoryServices.DirectoryServicesCOMException]
Inner Exception
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at JobDB.pullestimatenum.JobInsertedSql(Object sender, SqlDataSourceStatusEventArgs e) in C:\JobDB\JobDB\pullestimatenum.aspx.cs:line 106
   at System.Web.UI.WebControls.SqlDataSourceView.ExecuteDbCommand(DbCommand command, DataSourceOperation operation)
   at System.Web.UI.DataSourceView.Insert(IDictionary values, DataSourceViewOperationCallback callback)
   at System.Web.UI.WebControls.FormView.HandleEvent(EventArgs e, Boolean causesValidation, String validationGroup)
   at System.Web.UI.WebControls.FormViewRow.OnBubbleEvent(Object source, EventArgs e)
   at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

This is the code I am using to get the email:

//Send user email
                    DirectorySearcher searcher = new DirectorySearcher();
                    searcher.Filter = string.Format("sAMAccountName={0}", User.Identity.Name.Substring(Request.LogonUserIdentity.Name.LastIndexOf(@"\") + 1));
                    SearchResult user = searcher.FindOne();
                    string emailAddr = user.Properties["mail"][0].ToString() ?? "";

Does anyone see anything wrong with this code? I cannot figure out why this would have started all of a sudden?

Edit: I tried restarting the website, recycling the application pool, and republishing the website and it is still not working. It is fine when I debug it from my dev machine.

Thanks,
Brennan

Windows Authentication

2013-06-10T13:15:55.177-04:00

Hi ,

How to add multiple users dynamically for windows authentication not by using web.config. If we have 1000 users mentioning in web.config is not good. Is there any alternate for providing access to 1000 users. Pls help me.

What steps do we take to move from AD to local users authentication?

2013-06-13T13:42:35.68-04:00

We've got an ASP.NET Web Forms app we started 10 years ago, probably using VS 2003 at the time. Back then we used Active Directory to authenitcate our users. That website is now at VS 2008, .NET 3.5, but it still uses AD to authenticate our users.

Now we're going through a migration. Our servers are being taken over by a larger organization, and they've proposed changing from AD for authentication to using local users on the new server (a virtual machine running on their systems). This seems to satisfy a lot of things, in that the authentication calls should (I imagine) stay pretty much the same as they have been, and the organization that's going to be taking over administering servers on our behalf, don't have to create lots of new accounts in the AD network. But my question is, what steps do I need to do, as the administrator and developer of this ASP.NET website, to make it no longer authenticate with AD, but instead use local users on the VM server?

Unlock account using security Q&A using AD .net membership provider?

2013-06-04T13:29:27.69-04:00

I have a .net web app that uses AD to manager the users, I got the security question and answer working to reset the password (followed this article: http://msdn.microsoft.com/en-us/library/ms998360.aspx)

The problem: Currently AD's Lockout-Threshold is set to 0 so the user can try to login as many times they want. If I set the Lockout-Threshold to 5 attempts and the account is locked then the security question and answer don't work, cannot reset the password if AD locks the account.

Is there way to lock the account after 5 attempts but allow the user to go though the password Q&A process?

Thanks,

Tarek

AzMan ComException

2013-06-07T23:39:18.917-04:00

Hi there,

We have used Az Role Manager for 4 years, and it never had had problems.

But, during the last seven days, it has been giving us some problems, and its errors says:

-2147024838
The specified server cannot perform the requested operation. (Exception from HRESULT: 0x8007003A)
Interop.AZROLESLib
at AZROLESLib.AzAuthorizationStoreClass.Initialize(Int32 lFlags, String bstrPolicyURL, Object varReserved)
at TEF.CustomADAM.IsUserOp(enuOperaciones Operacion)
System.Runtime.InteropServices.COMException (0x8007003A): The specified server cannot perform the requested operation. (Exception from HRESULT: 0x8007003A)
at AZROLESLib.AzAuthorizationStoreClass.Initialize(Int32 lFlags, String bstrPolicyURL, Object varReserved)
at TEF.CustomADAM.IsUserOp(enuOperaciones Operacion)

But only happens sometimes in an hour,

We have a Intance Adam installation on an Windows 2003 server, and the web site in an IIS 7.0

Does anyone have been through the same error?

Property value returned by DirectorySearcher and SearchResponse are of different type System._comobject and Byte array

2012-11-19T05:57:34.223-05:00

Hi,
I am working on a website to manage active directory. I want to check that whether user has permission to change password or not.
So I have to find "ntSecurityDescriptor" property value after that I have to cast it into IADsSecurityDescriptor.
Now if I use DirectorySearcher class then property value is of type System._ComObject and easily casted to IADsSecurityDescriptor.
But when I use LdapConnection and SearchResponse I get property value of type byte[] array which is unale to cast to IADsSecityDescriptor. I am getting error
"Unable to cast System.Byte[] to IADsSecurityDescriptor".

Is there some problem with SearchResponse or I have use some kind of casting technique to achieve this.
I have some problem to use DirectoryEntry class so I can only use LdapConnction class.

Please help its urgent.
Thanks.

LDAP over SSL

2013-05-30T07:25:17.493-04:00

Hi,

I am using following code to create a user in active directory and set the password. It work fine using port 389 (without SSL).

String connectionPrefix = “LDAP://PC576-1.ADLAB.com:389/CN=Users,DC=ADLAB,DC=com”;
DirectoryEntry m_dirEntry = new DirectoryEntry(connectionPrefix);
using (m_newUserDirEntry = m_dirEntry.Children.Add(“testuser”, “user”))
{
    m_newUserDirEntry.Properties["sAMAccountName"].Value = m_userName;
    m_newUserDirEntry.CommitChanges();
    m_newUserDirEntry.Invoke("SetPassword", new object[] { "password" });
    m_newUserDirEntry.CommitChanges();
}

I need to change my application to use only LDAP over SSL. So I have changed my code to use 636 port and set the Authentication Type = “AuthenticationTypes.SecureSocketsLayer”. But it is throwing the “An operations error occurred.”

String connectionPrefix = “LDAP://PC576-1.ADLAB.com:636/CN=Users,DC=ADLAB,DC=com”;
DirectoryEntry m_dirEntry = new DirectoryEntry(connectionPrefix);
m_dirEntry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
using (m_newUserDirEntry = m_dirEntry.Children.Add(“testuser”, “user”))
{
    m_newUserDirEntry.Properties["sAMAccountName"].Value = m_userName;
    m_newUserDirEntry.CommitChanges();
    m_newUserDirEntry.Invoke("SetPassword", new object[] { "password" });
    m_newUserDirEntry.CommitChanges();
}

I understand the SSL Certificate needs to be configured to use LDAP over SSL. I have gone through various websites like one below.

http://www.informit.com/articles/article.aspx?p=474649&seqNum=4

It suggested to use “System.DirectoryServices.Protocols” to change the password using LDAP over SSL using the SSL certificate generated from AD DS domain controller. My query is I want to make all the transaction through LDAP over SSL (not just for password reset). Is it possible? If that is the case where I need to configure SSL certificate.

Regards,
Yunus

LDAP description raise err Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow

2013-05-29T13:01:15.087-04:00

Hi All,

i try to run:-

SELECT sAMAccountName='av\'+sAMAccountName,description,department,givenName, LE = 'ASG', sn,mail, manager=Replace(Replace(SUBSTRING(manager,1,CHARINDEX(',',manager,0)-1),'CN=',''),' ','.'), userPrincipalName

FROM OpenQuery(ADSI, '<LDAP://av.com/OU=Users,OU=Singapore,OU=.AP,DC=av,DC=com>;(&(objectClass=User)(&(objectCategory=Person)));sAMAccountName,description,department,givenName, sn, mail, manager, userPrincipalName')

i got error:-

Msg 7346, Level 16, State 2, Line 1

Cannot get the data of the row from the OLE DB provider "ADSDSOObject" for linked server "ADSI". Could not convert the data value due to reasons other than sign mismatch or overflow.

If i remove description from the sql, it work fine.

Please advise.

Regards,

Micheale

Active Directory groups

2013-05-24T17:53:01.913-04:00

I am trying to get a list of security groups in AD but I am not having much luck. When I check Active Directory Users and Computers MMC, I see:

blah.blah.com (top)

Group1

Group1_1

Group1_1_1

Group1_1_2

Group1_2

Group2

and so on. What I need is all security groups in Group1_1_2. I tried using DirectoryEntry and DirectorySearcher using "(&(objectClass=group))" as search filter but I get things I can't even find in Active Directory Users and Computers MMC.

Thanks.

Login page using MVC 4 using ldap should populate domains' dropdownlist

2013-05-02T21:50:54.2-04:00

<div>Hey Hi

Authentication seems worked in my test environment. Changed web.config

Now I'm writing a web-app that is required to present users with a login screen.</div> <div></div> <div>Users can enter username/password and select a domain from a dropdown list.</div> <div></div> <div>how to enumerate all available domains in the server's AD forest even before user login after basic authentication?</div> <div></div> <div>My doubt is ... even with out login and validating user to AD, how could dropdown box canbe populated with list of available domains so taht while login user can select respective domain?</div> <div></div> <div>will it populate domains list from sqlserver database or can pull up from AD itself?</div> <div></div> <div>Please guide me...

</div>

Configuration Error - Please Help!

2012-11-13T08:41:18.423-05:00

Dear Guys,

I'm really having like a nightmare in solving this error. I don't understand it totally. I have a small program which i created in my pc and has active directory authentication. It's perfectly working in my pc and i don't have any problem at all. SQL connectivity is perfectly configured too because i tried to run my web application from my PC using my server SQL address connectivity, it works fine. When I copy all of my files under wwwroot/comms to the server (wwwroot/comms, it gives me this error. Please check it below. I don't know how to resolve this. I hope you guys could shed your brilliant solution in my situation.

PC Specs: Windows 7, MS VS 2010 and SQL Server 2008.

Server Specs: WinSvr2008 R2, SQL Server 2012.

Thanks a lot in advance. Jim.

Server Error in '/comms' Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An operations error occurred.

Source Error:

Line 35:              maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
Line 36:              applicationName="/"/>-->
Line 37: <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName"/>

Line 38:       </providers>
Line 39:     </membership>

How to reset the extensionAttributes to default

2013-05-15T07:21:26.85-04:00

Hello Everyone,

I am trying to reset the values for the extensionAttributes for the active directory users.

I was using couple of extensionAttributes to the save some information for the users, but at some point we just want to reset those extensionAttributes to default values for now i am trying to update the AD with "" value for the extension attributes but it makes the user unstable.

Could anyone tell me what should be the default value i must pass to the extensionAttributes before calling the SaveChanges for the active directory. Any kind of help will be appriciated.

Thanks in advance

Ram

does anybody know how to write the filter criteria on organizational unit(ou) in ldap filter?

2013-04-09T11:43:20.833-04:00

Hi All,

does anybody know how to write the filter criteria on organizational unit(ou) in ldap filter?

thanks,

Users' Info from Active Directory - VS2010

2012-07-10T19:40:13.94-04:00

The following code return all user name...

How do I get their 'Department' and the "Manager' names?

string groupName = "Domain Users";
            string domainName = "us.MySite.com";

            listBox1.Items.Clear();
            PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domainName);
            GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName);

            if (grp != null)
            {
                 foreach (Principal p in grp.GetMembers(false))
                    {
                        string sLoginName = p.SamAccountName;
                        if (!string.IsNullOrEmpty(sLoginName))
                            if (System.Text.RegularExpressions.Regex.IsMatch(sLoginName, @"^[a-zA-Z]+$"))
                                if (!string.IsNullOrEmpty(p.DisplayName))
                                {
                                    listBox1.Items.Add(p.DisplayName);
                                    listBox2.Items.Add(p.SamAccountName + " - " + p.DisplayName + " - " + p.UserPrincipalName);
                                }
                 }
 
 
                grp.Dispose();
                ctx.Dispose();
                Console.ReadLine();
            }
            else
            {
                Console.WriteLine("\nWe did not find that group in that domain, perhaps the group resides in a different domain?");
                Console.ReadLine();

how to find out a particular user's user name and email by ad

2013-05-04T05:38:40.387-04:00

Hi,

Does anyone has nay idea how to find out user name and email address by user ad?Because wheever an account is created, i need to find out if the user really exist in ad and hence retrive his user name and email address?

Does anyone has idea on this?

Help Please!!

The (In)Famous "Access Denied" problem

2013-04-30T20:26:24.727-04:00

I've been through literally dozens of articles and forum entries, and yet this problem hangs on. I am writing a simple ASP.NET UserControl to allow our users to update their basic profile information, and change their password. The UserControl can read anything from Active Directory. Changes will not save. "Access is denied."

Credentials are good. We have a Service Account that is correctly delegated to update user profiles and passwords.
I have also tried using my own credentials. I am a Domain Admin.
I have tested without credentials. It won't even read without credentials, so the credentials ARE working.
I have turned Windows Authentication on and off in IIS 7.
I have turned Impersonation on and off in IIS 7.
I have used Impersonation in code.
I have run IIS7's process under accounts with "god" rights.
I have used the "old" DirectoryServices.DirectoryEntry approach, and the "new" AcccountManagement.PrincipalContext approach.
I have run the code on my home machine through a VPN connection.
I have run the code on my office development machine on the domain.
I have run the code on the Intranet web server, which is on the domain.
In all three environments, I can run "ADSI Edit" or "Active Directory Users and Computers," and change anything for any object. So the credentials and network are good.
I remembered that "way back when" there was a bug somewhere, that C# code would not work, but VB.NET code would. I figured that little bug was long gone, but thought I'd try anyway. So I re-wrote the UserControl in VB.NET. No joy.

When the code runs-- no matter what-- the result is the same. "Access is denied."

I wrote a similar ASP.NET UserControl "way back when" in 2001, for use on a Win2000 domain with multiple forests. It was simple to do and worked like a charm. This present environment is a "single forest" Win2008-R2 domain. Security is tougher, sure. But the .NET code is new and more robust. So what gives?

Here is my present block of code. (Error occurs at line "up.Save();."

protected void btnSave_Click(object sender, EventArgs e)
{
	// Get logged-in user's info to be updated.
	SearchAD();
 
	// Load the control's User object from web form.
        User.Location = lblLocation.Text;
	User.DisplayName = txtDisplayName.Text;
	User.Email = txtEmail.Text;
	User.FirstName = txtFirstName.Text;
	User.HomePhone = txtHomePhone.Text;
	User.LastName = txtLastName.Text;
	User.MobilePhone = txtMobilePhone.Text;
	User.WorkPhone = txtWorkPhone.Text;
 
        // Open an AD PrincipalContext and UserPrincipal object.
	PrincipalContext context = new PrincipalContext(ContextType.Domain, @"server.domainname.local", @"domain\delegate", @"password");
	UserPrincipal up = UserPrincipal.FindByIdentity(context, User.LoginName);

        // Assign values to the Active Directory user
        //     AccountManager properties
	up.DisplayName = NullString(User.DisplayName);
	up.EmailAddress = NullString(User.Email);
	up.GivenName = NullString(User.FirstName);
	up.Surname = NullString(User.LastName);
	up.VoiceTelephoneNumber = NullString(User.WorkPhone);

        //     Properties not exposed by AccountManager
	DirectoryEntry details = (DirectoryEntry)up.GetUnderlyingObject();
	details.Properties["homePhone"].Value = NullString(User.HomePhone);
	details.Properties["mobile"].Value = NullString(User.MobilePhone);
	details.Properties["telephoneNumber"].Value = NullString(User.WorkPhone);
	details.Properties["l"].Value = NullString(User.Location);

        // Save changes
	up.Save();
}
 
private string NullString(string Value)
{
	if (string.IsNullOrWhiteSpace(Value))
		return null;
	else
		return Value;
}

This code was built and refned through many, many aritcles and forums. I am now wondering if there isn't some setting in our Active Directory that is blocking the Saves. We "inherited" our Active Directory from a team that, frankly, didn't know what they were doing. So I wouldn't be surprised.

I know it's an old, heavily beaten dead horse. But does anybody have any ideas, either for code or in AD settings?

System.Runtime.InteropServices.COMException: The server is not operational

2011-07-29T14:06:08.153-04:00

I have the following challenge:

I have an ADLDS store and a webservice that can add users. The credentials are not in the web.config, but the app pool account has full control on the ADLDS.

I created a user succesfully with an active directory membershipprovider.

Now I want to set a property, so I try to retrieve the DirectoryEntry using the same connectionString as the membershipprovider (and pass Secure as the authenticationType), but as soon as it binds (System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)) this error is thrown:

System.Runtime.InteropServices.COMException: The server is not operational

Any idea what I could be doing wrong?

LDAP DirectoryEntry SearchResult returns data differently in Windows 8 than Win7

2013-02-20T03:22:36.873-05:00

DirectoryEntry DEConnection = new DirectoryEntry("LDAP://directory.mydomain.com/dc=mydomain,dc=com");
DEConnection.AuthenticationType = AuthenticationTypes.None;
DirectorySearcher DESearch = new DirectorySearcher();
DESearch.SearchRoot = DEConnection;
DESearch.Filter = "(uid=" + txtNetID.Text + ")";
try
{
SearchResult result = DESearch.FindOne();

if (result != null)
{
DirectoryEntry myDirectoryEntry = result.GetDirectoryEntry();
txtFullName.Text = myDirectoryEntry.Properties["displayName"].Value.ToString();

txtFullName.Text = result.Properties["displayName"][0].ToString();

In Windows 7 the last two lines properly return a string containing the users displayName.

In Windows 8 instead of a string value it returns System.Byte[].

When examining the RESULT object during debugging the on Windows 8 the value is stored as a byte array of ascii values, where in Windows 7 it is stored as a string.

As yet I've been unable to find a way to get the string value out in Windows 8, or find any documentation anywhere noting this difference.

What is the easiest way to modify the code to work on both operating systems?

Want to add Helpdesk functions to a webpage

2013-04-30T19:29:34.717-04:00

I want to have a page on my internal website written in asp.net/vb that the helpdesk can go to and do the following functions:

unlock user accounts, reset passwords, change passwords.

possible adding the ability to add and remove user accounts from groups in AD.

how hard is this to code? im not that great at coding - still learning.

Help getting all "Outlook" Active Directory users

2013-04-30T21:02:57.973-04:00

Could someone please help: I am trying to figure out a routine to fetch all active directory users (but only the ones that would appear in Microsoft Outlook. When I trying running the following two sets of code, I get all users including admin etc. How can I restrict the returned list to the users that would normally appear in outlook.

This is from some code that I found on the net. It works great for getting users that begin with char's. I found the code at http://www.codegain.com/articles/activedirtocry/miscellaneous/all-operations-on-active-directory-ad-using-c-sharp.aspx

public List<ADUserDetail> GetUsersByFirstName(string fName)
{
            //UserProfile user;
            List<ADUserDetail> userlist = new List<ADUserDetail>();
            string filter = "";

            _directoryEntry = null;
            DirectorySearcher directorySearch = new DirectorySearcher(SearchRoot);
            directorySearch.Asynchronous = true;
            directorySearch.CacheResults = true
        filter = string.Format("(givenName={0}*", fName);
            filter = "(&(objectClass=user)(objectCategory=person)(givenName=" + fName + "*))";

            directorySearch.Filter = filter;
            directorySearch.ReferralChasing = ReferralChasingOption.All;

            SearchResultCollection userCollection = directorySearch.FindAll();

            foreach (SearchResult users in userCollection)
            {
                DirectoryEntry userEntry = new DirectoryEntry(users.Path, LDAPUser,
                                                             LDAPPassword);
                ADUserDetail userInfo = ADUserDetail.GetUser(userEntry);

                userlist.Add(userInfo);
            }

            directorySearch.Filter = "(&(objectClass=group)(SAMAccountName=" + fName
                                       + "*))";
            SearchResultCollection results = directorySearch.FindAll();
            if (results != null)
            {
                foreach (SearchResult r in results)
                {
                    DirectoryEntry deGroup = new DirectoryEntry(r.Path, LDAPUser,
                                                               LDAPPassword);
                    ADUserDetail agroup = ADUserDetail.GetUser(deGroup);
                    userlist.Add(agroup);
                }

            }
            return userlist;
        }

Also: I was able to find some code that does get all Users from Active directory, but again it literally get's all users. I want to filter the list to be equal to that of Outlook.

public List<ADUserDetail> GetAllUsers()
        {
            List<ADUserDetail> userlist = new List<ADUserDetail>();

            System.DirectoryServices.AccountManagement.PrincipalContext AD =
                new System.DirectoryServices.AccountManagement.PrincipalContext(System.DirectoryServices.AccountManagement.ContextType.Domain, "OurDomain.com");
            System.DirectoryServices.AccountManagement.UserPrincipal u = new System.DirectoryServices.AccountManagement.UserPrincipal(AD);
            System.DirectoryServices.AccountManagement.PrincipalSearcher search = new System.DirectoryServices.AccountManagement.PrincipalSearcher(u);

            foreach (System.DirectoryServices.AccountManagement.UserPrincipal result in search.FindAll())
            {
                if (result.DisplayName != null)
                {

                    string test = result.EmailAddress;
                }
            }

            return userlist;
        }

I am obviously very lost trying to figure this stuff out.

thanks

Dave.