omatrot
AspNetActiveDirectoryProvider weird ConfigurationErrorsException
Nov 08, 2010 02:50 PM
I'm having a strange problem with code that worked so far in production. I can't tell when it started to fail.
Basically, I'm using AspNetActiveDirectoryProvider to validate user credentials with the help of Membership.ValidateUser().
Here is the exception:
<Exception>
<ExceptionTypeName>System.Configuration.ConfigurationErrorsException</ExceptionTypeName>
<Message>The server cannot handle directory requests. (D:\blabla....\web.config line 318)</Message>
<Source>System.Web</Source>
<StackTrace> at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
at System.Web.Security.Membership.Initialize()
at System.Web.Security.Membership.ValidateUser(String username, String password)
...
</Exception>
I've been using the default configuration of secure connection to Active Directory (which in turn uses SSL because it's available) with implicit credentials (the application pool identity).
I have been able to make it work again, setting connectionProtection to "None" and providing explicit credentials.
Sure, the real problem here is not a configuration error exception but an LDAP exception. And I'm afraid that the true reason for the error is hidden in encrypted LDAP over SSL data...
Any help appreciated.
asp.net 2.0
omatrot
Re: AspNetActiveDirectoryProvider weird ConfigurationErrorsException
Nov 18, 2010 05:51 AM
It turns out that the real exception is of type DirectoryServiceOperationException.
I wrote a simple console test program to reproduce the problem. If this program is run in the context of a user with no certificate in its personal store, it is working fine. But in the context of a user that has a certificate (with client authentication intent) in its personal store, it fails:
- Message [The server cannot handle directory requests.]
- StackTrace [ at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
at System.Web.Security.DirectoryInformation.SetSessionOptionsForSecureConnection(LdapConnection connection, Boolean useConcurrentBind)
at System.Web.Security.DirectoryInformation.CreateNewLdapConnection(AuthType authType)
at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
at System.Web.Security.Membership.Initialize()
at System.Web.Security.Membership.ValidateUser(String username, String password)]
The client (W2K3) and the DC (W2K3) are on the same domain, different subnets though. SSL is enabled on the DC. .NET Framework SP2 is correctly installed on the client (checked with .NET Framework verification tool).
According to http://support.microsoft.com/kb/969876 this should have been fixed in .NET Framework 2.0 SP2.
omatrot
Re: AspNetActiveDirectoryProvider weird ConfigurationErrorsException
Nov 24, 2010 09:55 AM
Raising the logging level of the LDAP interface Events of NTDS Service to 1 on the directory server gives me more insight on the problem !
Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1535
Date: 24/11/2010
Time: 09:30:50
User: XXXXXX
Computer: XXXXXX
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
00002035: LdapErr: DSID-0C090E07, comment: Fast bind mode can only be invoked on an unbound connection. This connection has already been bound., data 0, vece
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
This is definitely a bug in the provider :)
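An added example, not code from this thread, showing the ordering the NTDS event 1535 above describes: with System.DirectoryServices.Protocols, FastConcurrentBind() must be enabled while the connection is still unbound, and only then is the simple bind over SSL attempted. The host name, user and password are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: validate a user's credentials over LDAPS with fast concurrent
// bind enabled in the order the directory server requires.
class FastBindCheck
{
    // Returns true when the DC accepts the simple bind for the given user,
    // false on invalid credentials (LDAP result code 49); other errors propagate.
    static bool ValidateWithFastBind(string dc, string userPrincipalName, string password)
    {
        // 636 is LDAP over SSL; the DC name is a placeholder.
        var identifier = new LdapDirectoryIdentifier(dc, 636);
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true;
            // Fast concurrent bind only works with simple (Basic) authentication.
            connection.AuthType = AuthType.Basic;

            // Must be set before Bind(): calling it on an already bound connection is
            // what the DC reports as "Fast bind mode can only be invoked on an unbound
            // connection" and what the client surfaces as the error seen in the thread.
            connection.SessionOptions.FastConcurrentBind();

            try
            {
                connection.Bind(new NetworkCredential(userPrincipalName, password));
                return true;
            }
            catch (LdapException ex)
            {
                if (ex.ErrorCode == 49) // LDAP_INVALID_CREDENTIALS
                {
                    return false;
                }
                throw;
            }
        }
    }

    static void Main()
    {
        bool ok = ValidateWithFastBind("dc01.mydomain.private",
            "usertovalidate@mydomain.private", "mypassword");
        Console.WriteLine(ok ? "Succeeded" : "Failed");
    }
}
```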
omatrot
Re: AspNetActiveDirectoryProvider weird ConfigurationErrorsException
Nov 29, 2010 09:06 AM
There is a workaround if you're not tied to the .NET Framework 2.0.
Use System.DirectoryServices.AccountManagement (.NET 3.5 Full) instead.
Sample code follows:
```csharp
using System;
using System.DirectoryServices.AccountManagement;

class Program
{
    static void Main()
    {
        // establish context with the domain (ContextType.Domain targets AD DS)
        PrincipalContext ldsContext = new PrincipalContext(ContextType.Domain, "mydomain.private", "OU=MyOU,DC=mydomain,DC=private");

        // determine whether a user can validate to the directory;
        // the two ContextOptions flags are combined with |
        if (ldsContext.ValidateCredentials(@"usertovalidate@mydomain.private", @"mypassword", ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer))
        {
            Console.WriteLine(@"Succeeded !");
        }
        else
        {
            Console.WriteLine(@"Failed !");
        }
    }
}
```