I'm attempting to query AD in an ASP.Net (4.0) application that is running on Windows Server 2008 R2 (IIS7 installed). (It also fails when run as a 2.0 application.)

This is nothing new for me, as I've done this many times before. I wrote a small ASP.Net program that runs fine on my own machine (Windows XP with IIS6), but fails when run on the 2008 box.

(The result is that you see a list of groups the user is a member of in a textbox)

(on button_click) 
// Needs: using System.DirectoryServices; using System.Text;
var userName = txtUserName.Text;

if (userName.Trim().Length == 0)
{
    txtResults.Text = "-- MISSING USER NAME --";
    return;
}

// Bind with an explicit account; the second argument is given here as a DN.
var entry = new DirectoryEntry("LDAP://blah.blah/DC=blah,DC=blah",
                               "cn=acct, dc=blah, dc=blah",
                               "pass");

var search = new DirectorySearcher(entry);
// The user name is concatenated into the filter unescaped.
search.Filter = "(SAMAccountName=" + userName + ")";
search.PropertiesToLoad.Add("memberOf");

var groupsList = new StringBuilder();

var result = search.FindOne();

if (result != null)
{
    int groupCount = result.Properties["memberOf"].Count;

    for (int counter = 0; counter < groupCount; counter++)
    {
        groupsList.Append((string)result.Properties["memberOf"][counter]);
        groupsList.Append("\r\n");
    }
}

txtResults.Text = groupsList.ToString();

When I run this code I get the following error on search.FindOne():

System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at WebApplication1._Default.btnSearch_Click(Object sender, EventArgs e)

We've done a lot of research with this and twiddled every IIS7 setting we can think of, but no go so far. Any clues?

A: 

OK, we've been able to impersonate the user (in the case of my example, the user is named "acct"), but this is not preferred. Is impersonation the only way to do it?

KevinDeus
As far as I know, yes, you must impersonate a user with the ability to query Active Directory.
Nate Bross
A: 

Interesting.. We've also gotten it to work by leaving the DirectoryEntry constructor blank (leaving out the acct name and password..).

Not what I expected..

As an interesting note, the web app now no longer works on our local XP machines.. This obviously has to do with the IIS setup somehow..

KevinDeus
A: 

You can also change the IIS Application Pool to run as a domain account with the query privileges you are searching for.

I have a few other comments as well:

  1. Make sure the first entry for the DirectoryEntry constructor includes the container for the users as well. This should help the DirectorySearcher to work more reliably.
  2. I believe the second parameter in the DirectoryEntry constructor should be the user name, not the AD query path.
  3. You should set the AuthenticationType property as well. With Server 2008, by default, this needs to be set to AuthenticationTypes.Secure | AuthenticationTypes.ServerBind | AuthenticationTypes.Sealing. I'd guess that 2008R2 has a similar requirement.
Jeff Siver
A: 

Change the username parameter from "cn=xxx, dc=yyy, dc=zzz" to "Domain\Username"

John
That works! Thanks!
KevinDeus