Last post Aug 02, 2012 11:54 PM by ShadowReaver
Aug 02, 2012 09:14 PM|ShadowReaver
I wrote a webapp that does some general Exchange mailbox and AD user maintenance functions, and I've been asked to extend some of that functionality to a second domain. However, whenever I try to connect to the second domain I get a permission-denied COM exception:
COMException (0x80072020): An operations error occurred
I'm going to call Domain1 the working domain and Domain2 the new domain; these domains are not in a forest and are completely separate entities. The app and the server it resides on are in Domain1, and the app impersonates a Domain1 user.
The test code I've thrown together to connect to Domain2 is as follows:
Imports System.DirectoryServices

Dim strLdapString As String
Dim strUser As String
strLdapString = "LDAP://ADcontroller.domain2.com:389/OU=Users,DC=Domain2,DC=com"
Dim ADsContainer As New DirectoryEntry(strLdapString)
' Authentication type used in this first attempt
ADsContainer.AuthenticationType = AuthenticationTypes.Delegation
ADsContainer.Username = Application("domain2user")
ADsContainer.Password = Application("domain2password")
strUser = "dom2sAMAccountName"
Dim ADsSearcher As New DirectorySearcher(ADsContainer)
ADsSearcher.SearchScope = SearchScope.Subtree
ADsSearcher.Filter = "(&(objectClass=user)(sAMAccountName=" & strUser & "))"
Dim ADsSearch As SearchResult = ADsSearcher.FindOne()
If ADsSearch Is Nothing Then
    errorOutput.Controls.Add(New LiteralControl("<span style=""color: red;"">No User</span> <br/>"))
End If
I've double- and triple-checked that the bind user DN and password are correct... I've used LDAP Administrator to confirm that it can connect and perform actions on the required OU. I understand there are probably some Kerberos implications here when the application is impersonating a Domain1 user. I'm starting to get a bit out of my depth though, so if someone could explain it like I'm 5 that would be great.
Aug 02, 2012 11:54 PM|ShadowReaver
Turns out I misunderstood the MSDN doco and needed to use AuthenticationTypes.Secure... I also needed to format the username as "DOMAIN2\USERNAME" rather than the DN of the user object (which wasn't shown above).
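The following is an added example, not the poster's code, showing the resolved bind as a self-contained VB.NET function: explicit credentials in DOMAIN2\USERNAME form, AuthenticationTypes.Secure instead of Delegation, and a forced bind via NativeObject so a bad account or password fails immediately with a clear exception rather than later inside FindOne(). It goes beyond the post in two ways: it also sets Sealing and Signing so the LDAP traffic is encrypted and integrity-protected, and it escapes the sAMAccountName before concatenating it into the filter, since the original filter was built by string concatenation. The function names (FindUserDn, EscapeLdapFilterValue), the service account name and the password placeholder are assumptions.

```vbnet
Imports System
Imports System.DirectoryServices

Public Module Domain2Lookup

    ' Escape a value for use inside an LDAP search filter (RFC 4515).
    ' The backslash is replaced first so the escapes it produces are not re-escaped.
    Public Function EscapeLdapFilterValue(value As String) As String
        Return value.Replace("\", "\5c") _
                    .Replace("*", "\2a") _
                    .Replace("(", "\28") _
                    .Replace(")", "\29") _
                    .Replace(vbNullChar, "\00")
    End Function

    ' Bind to a controller in a separate, untrusted domain with explicit credentials
    ' and return the distinguishedName of the user with the given sAMAccountName,
    ' or Nothing if no such user exists.
    Public Function FindUserDn(ldapPath As String, bindUser As String,
                               bindPassword As String, samAccountName As String) As String
        ' Secure: authenticate (Kerberos/NTLM) with the credentials supplied here.
        ' Sealing + Signing: encrypt and integrity-protect the LDAP session.
        ' Delegation is deliberately not used: it lets the server act onward on the
        ' caller's behalf, which is more privilege than a directory lookup needs.
        Dim authType As AuthenticationTypes =
            AuthenticationTypes.Secure Or AuthenticationTypes.Sealing Or AuthenticationTypes.Signing

        ' bindUser must be in DOMAIN2\USERNAME form, not the DN of the account.
        Using root As New DirectoryEntry(ldapPath, bindUser, bindPassword, authType)
            ' Touching NativeObject performs the bind now, so wrong credentials surface
            ' here as a COMException instead of as a vague error inside the search.
            Dim forceBind As Object = root.NativeObject

            Using searcher As New DirectorySearcher(root)
                searcher.SearchScope = SearchScope.Subtree
                searcher.Filter = "(&(objectClass=user)(sAMAccountName=" &
                                  EscapeLdapFilterValue(samAccountName) & "))"
                searcher.PropertiesToLoad.Add("distinguishedName")

                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then
                    Return Nothing
                End If
                Return CStr(result.Properties("distinguishedName")(0))
            End Using
        End Using
    End Function

    Sub Main()
        ' Placeholder values (assumed); read the bind credentials from protected
        ' configuration rather than hard-coding them or keeping them in Application state.
        Dim dn As String = FindUserDn(
            "LDAP://ADcontroller.domain2.com:389/OU=Users,DC=Domain2,DC=com",
            "DOMAIN2\svc-lookup",
            "<password-from-protected-config>",
            "dom2sAMAccountName")
        Console.WriteLine(If(dn, "No User"))
    End Sub

End Module
```

Because the credentials are passed explicitly, the bind does not depend on the impersonated Domain1 identity at all, which is why no trust between the two domains is needed for this lookup. Both Using blocks dispose the DirectoryEntry and DirectorySearcher, so the authenticated connection is released as soon as the lookup completes.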