Discussion: An operations error occurred while using System.DirectoryServices

s***@gmail.com
2005-12-30 21:35:14 UTC
I am accessing Active Directory from an ASPX page to display the
Active Directory groups. I have 2 Windows 2003 development servers where
the same application is deployed for testing purposes. Accessing the
Active Directory groups works fine from one server and gives the
following error on the other server. Both servers are part of the same
Active Directory domain. I do not see any difference between these two
servers' IIS configuration. I am using the following code:


using System.Collections.Specialized;
using System.DirectoryServices;

// Binds as the IIS worker process identity unless credentials are passed to DirectoryEntry.
public StringCollection GetActiveDirectoryGroups()
{
    StringCollection groupSrcList = new StringCollection();

    // Dispose the entry and the searcher once done (both hold native ADSI objects)
    using (DirectoryEntry ent = new DirectoryEntry(_activeDirectoryParams.ServerPath))
    using (DirectorySearcher searcher = new DirectorySearcher(ent))
    {
        searcher.PropertiesToLoad.Add(ImportExternalUsersConstants.USER_ATTRIBUTE_CN);
        searcher.Filter = _activeDirectoryParams.GroupFilter;
        searcher.SearchScope = SearchScope.Subtree;

        // The LDAP bind actually happens here, which is why FindAll() is where the COMException surfaces
        using (SearchResultCollection src = searcher.FindAll())
        {
            foreach (SearchResult result in src)
            {
                foreach (string memberColl in result.Properties[ImportExternalUsersConstants.USER_ATTRIBUTE_CN])
                {
                    if (null != memberColl)
                    {
                        groupSrcList.Add(memberColl);
                    }
                }
            }
        }
    }
    return groupSrcList;
}

If I pass the user name and password in the DirectoryEntry constructor
then it solves the problem. But I need to know in what situation I
should pass the user name and password so that our customers do not
have this issue. I would appreciate it if someone could help me figure this
out!
ERROR I get is:


An operations error occurred
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: An
operations error occurred

Source Error:


Line 113: searcher.Filter = _activeDirectoryParams.GroupFilter;
Line 114: searcher.SearchScope = SearchScope.Subtree;
Line 115: using (SearchResultCollection src = searcher.FindAll())
Line 116: {
Line 117: foreach(SearchResult result in src)


Source File:
c:\mercury\plugins\authentication\activedirectory\activedirectoryhelper.cs
Line: 115

Stack Trace:


[COMException (0x80072020): An operations error occurred]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +705
System.DirectoryServices.DirectoryEntry.Bind() +10
System.DirectoryServices.DirectoryEntry.get_AdsObject() +10
System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +199
System.DirectoryServices.DirectorySearcher.FindAll() +10
Inmagic.Mercury.Plugins.Authentication.ActiveDirectory.ActiveDirectoryHelper.GetActiveDirectoryGroups() in c:\mercury\plugins\authentication\activedirectory\activedirectoryhelper.cs:115
Inmagic.Mercury.Plugins.Authentication.ActiveDirectory.ActiveDirectory.GetGroups() in C:\Mercury\Plugins\Authentication\ActiveDirectory\ActiveDirectory.cs:78
Inmagic.Mercury.Components.Authentication.AuthenticationPluginManager.GetGroups() in C:\Mercury\Components\Authentication\AuthenticationPluginManager.cs:183
Marc Scheuner [MVP ADSI]
2005-12-31 10:34:52 UTC
Post by s***@gmail.com
I am accessing the Active Directory from a ASPX page to display the
Active Directory Groups.
DirectoryEntry ent = new DirectoryEntry(_activeDirectoryParams.ServerPath);
What does your ServerPath look like? In ASP.NET, you often have to
specify both a server (DC) that you wish to use (as opposed to
serverless binding, which is the best option for winforms apps), and
secondly, you often have to specify an account with sufficient
privileges to do the bind (including specifying the
"AuthenticationType" to be .Secure).

Marc
s***@gmail.com
2006-01-03 20:11:54 UTC
Thanks for your reply Marc!

I have figured out the reason why it was giving an error on one server.
IIS 6.0 was configured to use IIS 5.0 isolation mode, so the ASPNET user
was used as the identity. Now I have configured it not to use IIS 5.0
isolation mode, and it runs under the Network Service identity. Now
everything works fine on both machines.

Does it mean that Network Service has enough permission to access the
Active Directory, or is it passing the logged-on domain credential from
the client to access the AD?

Because I have another web server which is not part of the Active
Directory domain but is in the same network where the Active Directory
server is located. So the web server can access the Active Directory
even though it is not part of the AD domain. IIS 6.0 is running under
Network Service and the same application gives me the same "Operations
error occurred." Obviously it is not passing the domain credential to
access the AD as it is not even part of the AD domain. I wonder why it
did not work when Network Service has permission to access the AD.

Please, someone help me figure this out!

Thanks
Joe Kaplan (MVP - ADSI)
2006-01-04 03:21:24 UTC
Network Service uses the computer account's credentials when operating on
the network, so if the computer is a domain member, AD will trust the
account and LDAP operations will be performed with its permissions. If the
computer is not a domain member, AD will not trust the account and AD
operations will be performed as the anonymous (null token) user which
generally won't let you do anything.

If the machine is not a domain member, you will typically need to supply
credentials to the DirectoryEntry object directly. Serverless binding also
will not work, so you should specify a DNS domain name in your binding
string as well.

Joe K.
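An added C# example (not the Mercury plugin's code and not from any poster) showing the two binding situations Joe describes: a domain member running as Network Service binds serverless, so the computer account is what AD sees, while a server outside the domain must name the domain in the path and pass its own account with a secure bind. The domain name "domain.com", the service account and the group filter are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Hypothetical helper written for this thread; names and values are assumed.
public sealed class GroupLister
{
    // HRESULT behind "An operations error occurred" (ERROR_DS_OPERATIONS_ERROR, Win32 8224)
    private const int ErrorDsOperationsError = unchecked((int)0x80072020);

    // "domain.com" -> "DC=domain,DC=com"
    public static string DnsNameToDn(string dnsDomain)
    {
        return "DC=" + string.Join(",DC=", dnsDomain.Split('.'));
    }

    // Domain member, Network Service: serverless bind. AD authenticates the computer
    // account, so no user name or password goes into the constructor.
    public static DirectoryEntry BindAsComputerAccount(string dnsDomain)
    {
        return new DirectoryEntry("LDAP://" + DnsNameToDn(dnsDomain),
                                  null, null, AuthenticationTypes.Secure);
    }

    // Not a domain member: AD would treat the computer account as anonymous (null token).
    // Name the domain in the path (no serverless binding) and supply an account the
    // domain trusts, as "domain\user" or a UPN. Secure keeps the password out of the
    // wire; Sealing additionally encrypts the LDAP traffic.
    public static DirectoryEntry BindWithServiceAccount(string dnsDomain,
                                                        string userName, string password)
    {
        string path = "LDAP://" + dnsDomain + "/" + DnsNameToDn(dnsDomain);
        return new DirectoryEntry(path, userName, password,
                                  AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
    }

    // The search from the original post, with the searcher disposed as well and the
    // bind failure turned into a message that says what to fix.
    public static StringCollection ListGroups(DirectoryEntry root, string ldapFilter)
    {
        StringCollection groups = new StringCollection();
        using (root)
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = ldapFilter;
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("cn");
            try
            {
                // The bind is deferred until here, which is why FindAll() throws
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        foreach (object cn in result.Properties["cn"])
                        {
                            if (cn != null) groups.Add(cn.ToString());
                        }
                    }
                }
            }
            catch (COMException ex)
            {
                if (ex.ErrorCode == ErrorDsOperationsError)
                {
                    throw new InvalidOperationException(
                        "LDAP bind to " + root.Path + " ran as an identity the directory does " +
                        "not trust (anonymous/null token). Run on a domain member, or pass " +
                        "explicit credentials with AuthenticationTypes.Secure and a domain " +
                        "name in the path.", ex);
                }
                throw;
            }
        }
        return groups;
    }

    public static void Main(string[] args)
    {
        const string domain = "domain.com";   // assumed; a deployment reads this from config
        DirectoryEntry root;
        if (args.Length == 1)
        {
            // Web server outside the domain: explicit service account, password from stdin
            Console.Write("Password for " + args[0] + ": ");
            root = BindWithServiceAccount(domain, args[0], Console.ReadLine());
        }
        else
        {
            // Domain member under Network Service: computer account does the bind
            root = BindAsComputerAccount(domain);
        }
        foreach (string group in ListGroups(root, "(objectCategory=group)"))
        {
            Console.WriteLine(group);
        }
    }
}
```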
s***@gmail.com
2006-01-05 20:51:13 UTC
Thanks for the explanation! It really helped me to understand.

I have another question. When passing the credentials to the
DirectoryEntry constructor, the syntax of the username should include
the domain name according to the documents. But if I specify the wrong
domain name it still authenticates. I do not understand why. Doesn't it
care about the domain name, or does it automatically find it?
Joe Kaplan (MVP - ADSI)
2006-01-05 21:49:22 UTC
The syntax of the user name actually depends on the type of authentication
being used. In general, AD can accept the NT style name (domain\user) and
the UPN (***@domain.com) for any type of authentication, but will only
accept the distinguished name (CN=user,CN=users,DC=domain,DC=com) for a
simple bind and will only accept the plain user name for a secure bind.

I have no idea why it would accept an invalid domain name though. I've
never tested that.

Joe K.
d***@sterling-consulting.com
2006-01-06 10:59:18 UTC
Hey Joe,

I'm having a similar problem, albeit with SharePoint; I have an AD
Lookup part that has worked great in multiple instances, however, in
one install, the part works great on the system itself, but not when I
connect from the "outside" but within the domain. I consistently get
the "Referrer" message or the Operation Failed.

The path is simple: LDAP://DC=HMSMain, DC=com

Any ideas?
Joe Kaplan (MVP - ADSI)
2006-01-06 16:12:27 UTC
SharePoint impersonates the logged in user, so LDAP will use that security
context for determining a domain controller when a serverless binding string
is used and will also try to use that user's security context if no
credentials are supplied.

Assuming that you aren't supplying credentials, you probably need to have
Kerberos delegation enabled and working in order to make your scenario work.
If things work correctly from within the firewall but not outside, it may be
the case that you are failing over to NTLM from the outside world and are
not getting Kerberos authentication on the web server. This would most
likely prevent delegation from working.

Can you provide more details about your environment to make sure that I'm
barking up the right tree?

Thanks!

Joe K.
An
2006-01-24 01:06:02 UTC
Hi Joe,
I encountered a similar problem, can you please help?

I have a domain domain.com and a child domain child1.domain.com.
I use the ADsOpenObject() function to authenticate users using the DN as the
username instead of another form. Authenticating a user works on domain.com but
fails on child1.domain.com with 0x80072020.

My application is on domain.com.

I supplied the correct user DN and password. I'm wondering why it returned an
error in the child domain.

here is the sample code that I used:

#include <activeds.h>   // ADsOpenObject, IADs, IID_IADs (link with activeds.lib)

// Assumes COM has already been initialized on this thread (CoInitialize)
HRESULT hr = 0;
IADs *pADs = NULL;      // interface pointer, not a value

// Flag 0 = simple bind, the only bind type that takes a DN as the user name
hr = ADsOpenObject(
    L"LDAP://cn=test1,cn=users,dc=child1,dc=domain,dc=com",
    L"cn=test1,cn=users,dc=child1,dc=domain,dc=com",
    L"password",
    0,
    IID_IADs,
    (void**)&pADs);

if (SUCCEEDED(hr) && pADs != NULL)
    pADs->Release();    // the bind succeeded; release the object when done

Do you see anything wrong with this? Any suggestion is greatly appreciated.
Thanks,
An
Joe Kaplan (MVP - ADSI)
2006-01-24 04:04:48 UTC
Ah, the dreaded operations error. I'm not sure on this. By specifying 0, I
assume you are trying to get a simple bind instead of secure bind. The DN
syntax works for simple bind, so that should be fine.

I think that the problem is that you can't use simple bind to authenticate
with other domains in the forest. I believe you need secure bind for this.

Just out of curiosity, why not use secure bind? It is secure (which is all
around better for security :)) and has more options. If you only have the
DN as input, you can use IADsNameTranslate or DsCrackNames to convert it to
UPN or NT Logon Name.

Joe K.
An
2006-01-24 17:38:55 UTC
Hi Joe,
Thank you for replying so quickly.

I used 0 because it was what was suggested on the Microsoft site
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/adsopenobject.asp
that if the DN is used then the flag must be 0.

I would like the secure bind just like you said as well, but I don't know if
using it would cause any problem at all, seeing as the MS website specifically says
that 0 must be used.

I did further investigation last night after I sent you the email. I just
tried ADS_SECURE_AUTHENTICATION for the flag and found that it works for both
domains. So do you think I should use this option instead of the suggested
"0"?

One thing that bothers me is that on Windows 2000, if I provide an
invalid password then a very misleading error is returned: 0x8007203B.
For Windows 2003 in the same case I would get error 0x8007052e, which would
make sense.
I depend on the returned error to send back a proper message for my customer;
in the case of Windows 2000 it is really unexpected. Do you know why there are
different returned errors for different OSes?
thanks -
Joe Kaplan (MVP - ADSI)
2006-01-24 18:15:08 UTC
It says that you must use 0 IF you use the DN as the username syntax. If
you use a different user name syntax, you can use secure binding.

Definitely use secure binding if you don't have a hard requirement to use
the DN username syntax. I also suggested a way to translate it to a
different syntax if you need to, so in my opinion there is no reason to need
to use simple bind here at all.

I'm not sure why you get a different error message with 2K3. Typically you
get that if there was a problem in the underlying Kerberos authentication to
the KDC when the secure bind was performed, but I would have expected to get
a normal credentials failure.

BTW, if you really just need to authenticate a user and don't need to do some
LDAP operations, you would probably be happier just using SSPI
(InitializeSecurityContext/AcceptSecurityContext) to authenticate. That's
what LDAP is doing under the hood when you use secure authentication.

Joe K.
An
2006-01-24 20:10:10 UTC
I know I can use the DN to find the UPN of the user to do authentication, but
that will slow down the authentication process because of the search. I want
to authenticate users as fast as possible. Since I already have the DN at hand I
can use it for authentication, as suggested, as one of the formats.
But I guess I can't use the DN with the ADS_SECURE_AUTHENTICATION flag?

What is SSPI? Would I still be able to use it if my application uses AD?
Thank you for your help so far - An
Joe Kaplan (MVP - ADSI)
2006-01-25 16:24:24 UTC
I think you are better off doing a quick name translation than worrying
about the perf cost.

SSPI is the authentication protocol for Windows. It is a provider model that has
providers for things like NTLM, Negotiate, Digest and SChannel. It works
fine with AD. Check out the SDK samples for more info. It is the preferred
method for authenticating credentials in Windows.

Joe K.
An
2006-01-31 03:35:27 UTC
I finally talked to the MS support team and it turns out that if you use the DN
then you can't do serverless binding when authenticating users in another
domain.
The document on the Microsoft website is written with the assumption that the
authentication is in that same domain.
Thank you for your help. An
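An added C# example, not An's application code, for the DN-based credential check discussed in this sub-thread and its conclusion: the simple-bind case puts the DN's own domain in the path instead of binding serverless, and the alternative Joe recommended translates the DN to a UPN once with IADsNameTranslate and then does a secure bind. It assumes a COM reference to the Active DS Type Library (the ActiveDs interop) and treats the user DN and password as constructed inputs.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Hypothetical helper written for this thread; not from the poster or from Microsoft.
public static class DnCredentialCheck
{
    private const int ErrorLogonFailure      = unchecked((int)0x8007052E); // wrong user/password
    private const int ErrorDsOperationsError = unchecked((int)0x80072020); // "operations error"

    // IADsNameTranslate constants (values from the ADSI headers)
    private const int ADS_NAME_INITTYPE_GC              = 3; // resolve via a global catalog
    private const int ADS_NAME_TYPE_1779                = 1; // RFC 1779 distinguished name
    private const int ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9; // user@domain.com

    public enum Outcome { Ok, BadCredentials, BindError }

    // "cn=test1,cn=users,dc=child1,dc=domain,dc=com" -> "child1.domain.com":
    // the domain the account lives in, which the path must name for a DN bind
    // to a user in another domain of the forest (the MS support answer above).
    public static string DomainFromDn(string dn)
    {
        string dns = "";
        foreach (string part in dn.Split(','))
        {
            string rdn = part.Trim();
            if (rdn.StartsWith("dc=", StringComparison.OrdinalIgnoreCase))
                dns += (dns.Length == 0 ? "" : ".") + rdn.Substring(3);
        }
        return dns;
    }

    // Simple bind with the DN (the ADsOpenObject flag 0 case). A simple bind sends
    // the password in clear unless the session is on SSL, hence SecureSocketsLayer.
    public static Outcome CheckWithDnSimpleBind(string userDn, string password)
    {
        string path = "LDAP://" + DomainFromDn(userDn) + "/" + userDn;
        return TryBind(path, userDn, password,
                       AuthenticationTypes.None | AuthenticationTypes.SecureSocketsLayer);
    }

    // Secure bind (Kerberos/NTLM through SSPI), which works across the forest.
    // The DN is not a valid secure-bind user name, so translate it to a UPN first;
    // the translation itself runs under the process identity, not the user's.
    public static Outcome CheckWithSecureBind(string userDn, string password)
    {
        ActiveDs.NameTranslate translator = new ActiveDs.NameTranslate();
        translator.Init(ADS_NAME_INITTYPE_GC, null);
        translator.Set(ADS_NAME_TYPE_1779, userDn);
        string upn = translator.Get(ADS_NAME_TYPE_USER_PRINCIPAL_NAME);

        string path = "LDAP://" + DomainFromDn(userDn) + "/" + userDn;
        return TryBind(path, upn, password, AuthenticationTypes.Secure);
    }

    private static Outcome TryBind(string path, string user, string password,
                                   AuthenticationTypes auth)
    {
        using (DirectoryEntry entry = new DirectoryEntry(path, user, password, auth))
        {
            try
            {
                // DirectoryEntry binds lazily; touching NativeObject forces the bind
                object bound = entry.NativeObject;
                return bound != null ? Outcome.Ok : Outcome.BindError;
            }
            catch (COMException ex)
            {
                if (ex.ErrorCode == ErrorLogonFailure) return Outcome.BadCredentials;
                if (ex.ErrorCode == ErrorDsOperationsError) return Outcome.BindError;
                throw;   // anything else (server down, referral, ...) is not a credential verdict
            }
        }
    }

    public static void Main()
    {
        // Constructed inputs; a real caller gets these from its logon form
        string userDn = "cn=test1,cn=users,dc=child1,dc=domain,dc=com";
        Console.Write("Password for " + userDn + ": ");
        string password = Console.ReadLine();

        Console.WriteLine("domain from DN: " + DomainFromDn(userDn));
        Console.WriteLine("secure bind:    " + CheckWithSecureBind(userDn, password));
    }
}
```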
Joe Kaplan (MVP - ADSI)
2006-01-31 05:08:30 UTC
Thanks for the follow up.

Joe K.
s***@gmail.com
2006-01-06 15:29:47 UTC
I am using the Secure bind. Both plain username and valid or Invalid
domain name\username works.