There's Active Directory on a Windows 2000 Advanced Server. I have a web server on Windows 2008 Server Enterprise Edition. The following code works fine on Windows 2003 Server, but when I installed Windows 2008 Server it gives me the following error. The web server is not a subdomain of the AD server, but they have the same IP address range.

A local error has occurred.\r\n"} System.Exception system.DirectoryServices.DirectoryServicesCOMException}

I want to authenticate via AD from my web server. I even tested port 389 and it was open (by telnet); I even added port 389 UDP and TCP to the firewall of the web server to be sure it is open, and I even turned the firewall off, but nothing changed. I don't know what's wrong with Windows 2008 Server that it cannot run my code; I searched the Internet but found nothing. Any solution would be helpful. Thank you.

using System;
using System.DirectoryServices;

public bool IsAuthenticated(string username, string pwd, string group)
{
    // LDAP path of the domain (address masked by the poster).
    string domainAndUsername = "LDAP://192.xx.xx.xx:389/DC=test,DC=oc,DC=com";
    // Bind identity built from the user name and group name.
    string usr = "CN=" + username + ",CN=" + group;
    DirectoryEntry entry = new DirectoryEntry(domainAndUsername, usr, pwd, AuthenticationTypes.Secure);

    try
    {
        DirectorySearcher search = new DirectorySearcher(entry);

        // Note: the username is concatenated into the LDAP filter without escaping.
        search.Filter = "(SAMAccountName=" + username + ")";

        SearchResult result = search.FindOne();

        if (result == null)
        {
            return false;
        }
    }
    catch (Exception)
    {
        // Any directory error (including the DirectoryServicesCOMException above) is treated as a failed login.
        return false;
    }
    return true;
}
A: 

The error you're getting indicates that you're able to access Active Directory (not a firewall issue) but AD is unable to process the request.

I'm not sure why the code worked on Server 2003 because these two lines...

string usr="CN=" + username + ",CN=" + group;
DirectoryEntry entry = new DirectoryEntry(domainAndUsername, usr, pwd,  AuthenticationTypes.Secure );

...should never work because you're not supplying the username in the correct way (you can't simply add the username to a group name, it's not a valid DN). If you change it to...

DirectoryEntry entry = new DirectoryEntry(domainAndUsername, username, pwd,  AuthenticationTypes.Secure );

...you should be able to make a successful connection to AD. There won't be any check of whether the user belongs to the supplied group, however.

Per Noalt
A: 

Thank you for your post. I just found that line in MSDN, and so it works fine for me on 2000 and 2003. My usr string is correct, because I even checked the way you said, I mean without authenticating the user by the specified group, and it did not work in 2008. The problem should be related to the connection, or maybe Kerberos, not sure... Still I didn't find any way. I checked many different authentication types, but some of them give me another error: "server is not operational".

Sara
+2  A: 

Ok, let's try a different approach... You indicated that you're on Windows 2008 which means that you should be able to use the new System.DirectoryServices.AccountManagement-namespace introduced in .NET 3.5.

I've written a quick function that you can try out which should work better than the code you're currently using:

using System;
using System.DirectoryServices.AccountManagement;

//...

private Boolean IsAuthenticated(String username, String password, String group)
{
    PrincipalContext domain;
    try
    {
        // Connect to the domain with the credentials being checked:
        domain = new PrincipalContext(ContextType.Domain, "192.xx.xx.xx", username, password);
    }
    catch
    {
        // Unable to connect to the domain (connection error or bad username/password):
        return false;
    }

    PrincipalSearcher searcher = new PrincipalSearcher();

    // Search for the user in the domain:
    UserPrincipal findUser = new UserPrincipal(domain);
    findUser.SamAccountName = username;
    searcher.QueryFilter = findUser;
    UserPrincipal foundUser = (UserPrincipal)searcher.FindOne();

    if (foundUser == null)
    {
        // User was not found (would otherwise throw a NullReferenceException below):
        return false;
    }

    // Search for the group in the domain:
    GroupPrincipal findGroup = new GroupPrincipal(domain);
    findGroup.SamAccountName = group;
    searcher.QueryFilter = findGroup;
    GroupPrincipal foundGroup = (GroupPrincipal)searcher.FindOne();

    if (foundGroup != null)
    {
        // Return true if the group exists and the user is a member:
        return foundUser.IsMemberOf(foundGroup);
    }
    else
    {
        // Group was not found:
        return false;
    }
}

However, I would recommend that you set up a service account in your domain and use that account (with a password that you know) in your application instead of connecting to the directory with the username/password of the user that you're authenticating.

Per Noalt
Thank you very much, it works fine for me
Sara
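Per Noalt's closing recommendation (bind with a service account instead of the end user's credentials) worked through in C#, as an added example that is not code from the original answers. The domain controller name, service account name and password placeholder are assumptions; the user's own password is checked with PrincipalContext.ValidateCredentials, and user and group are resolved with FindByIdentity, which builds the directory query itself instead of splicing the username into an LDAP filter string.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdAuthenticator
{
    // Constructed placeholder values: replace with the real domain controller,
    // the service account name, and a secret loaded from protected configuration.
    private const string DomainController = "dc01.test.oc.com";
    private const string ServiceAccount = "svc-webauth";
    private const string ServiceAccountPassword = "<service-account-secret>";

    // Returns true only if the user's own credentials validate against the domain
    // AND the user is a member of the named group. Every failure path returns false.
    public static bool IsAuthenticatedAndInGroup(string username, string password, string groupName)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            // An empty password can be accepted by AD as an anonymous bind, so reject it up front.
            return false;
        }

        try
        {
            // Bind with the service account, not with the end user's credentials.
            using (var ctx = new PrincipalContext(ContextType.Domain, DomainController,
                                                  ServiceAccount, ServiceAccountPassword))
            {
                // Step 1: check the user's password over a Negotiate (Kerberos/NTLM) bind.
                if (!ctx.ValidateCredentials(username, password, ContextOptions.Negotiate))
                {
                    return false;
                }

                // Step 2: resolve user and group by SAM account name; FindByIdentity issues the
                // directory query itself, so no filter string is assembled from user input.
                using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
                using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
                {
                    if (user == null || group == null)
                    {
                        return false; // Unknown user or group: fail closed instead of throwing.
                    }
                    return user.IsMemberOf(group);
                }
            }
        }
        catch (PrincipalServerDownException)
        {
            // Domain controller unreachable: fail closed and log for the operations team.
            return false;
        }
    }
}
```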
A: 

I want to vote for you but it said you should have reputation... Every time I clicked on Vote up it gives me this message; if you know how to do this, I will vote for you. Thank you, you helped me a lot. You know, before your answer I wrote a web service and ran it on my AD and called it every time, but now I can connect directly to my AD :-)

Sara
Happy to help. You need to post and answer more questions (thus gaining more reputation) before you can vote up. See the StackOverflow FAQ (http://stackoverflow.com/faq) for more on that.
Per Noalt
A: 

The DirectorySearcher class is most likely the culprit.

Per MSDN on DirectorySearcher:

"Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role not supported), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements."

Mark