The server is not operational

 
 
CalSun
 
      07-20-2005
Hi all,

I really need your help on this problem (no help after 1 day of googling).

I use form authentication on my 2 simple aspx pages.
The user is redirected to login.aspx, then sees the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users are located.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: When I moved this application to an existing IIS win2k3 std box, I failed to verify the user from the Dserver. I got the error message "The server is not operational".

Here is my IsAuthenticated code:

Imports System.DirectoryServices

' _path and _filterAttribute are class-level String fields that are not shown in this post.
Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
    Dim domainAndAct As String = domain & "\" & act
    ' Bind as the supplied user; no AuthenticationTypes value is passed to the constructor.
    Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)
    Try
        ' Reading NativeObject forces the bind to the directory.
        Dim obj As Object = entry.NativeObject
        Dim search As DirectorySearcher = New DirectorySearcher(entry)
        search.Filter = "(SAMAccountName=" & act & ")"
        search.PropertiesToLoad.Add("cn")
        Dim result As SearchResult = search.FindOne()
        If (result Is Nothing) Then
            Return False
        End If
        'update the path to the user in the directory
        _path = result.Path
        _filterAttribute = CStr(result.Properties("cn").Item(0))
    Catch ex As Exception
        'Throw New Exception("Error authenticating user: " & ex.Message)
        Return False
    End Try
    Return True
End Function



Thank you all for help/reading
--CalSun
 
 
 
 
 
Paul Clement
 
      07-20-2005
On Wed, 20 Jul 2005 11:22:20 -0700, "CalSun" <(E-Mail Removed)> wrote:

> Hi all,
>
> I really need your help on this problem (no help after 1 day of googling).
>
> I use form authentication on my 2 simple aspx pages.
> The user is redirected to login.aspx, then sees the main content page.
> I use LDAP to verify the user from a domain named Dserver where the AD users are located.
>
> Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).
>
> Problem: When I moved this application to an existing IIS win2k3 std box, I failed to verify the user from the Dserver. I got the error message "The server is not operational".


Any chance it's a configuration problem?

You Cannot Start the Active Directory Users and Computers Tool Because the Server Is Not Operational
http://support.microsoft.com/default...b;en-us;323542

"The Server Is Not Operational" Error Message in Active Directory Tools
http://support.microsoft.com/default...b;en-us;223321


Paul
~~~~
Microsoft MVP (Visual Basic)
 
 
 
 
 
Joe Kaplan (MVP - ADSI)
 
      07-20-2005
The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1 anyway) unless you specify AuthenticationTypes.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.
 
CalSun
 
      07-21-2005
Joe and Paul, thanks for helping and for the links.

I've double-checked the path and the configuration. They're all intact. I tried again and it got through from my laptop but not from the webserver.

I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable LDAP through the firewall. The reason I did that is 'cause the web srv is in the DMZ zone.

I'll come back to test it out tomorrow and hope it will work.

I am not sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun
 
Joe Kaplan (MVP - ADSI)
 
      07-21-2005
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally differently in the DMZ or something.

Best of luck,

Joe K.
 
CalSun
 
      07-22-2005
Thanks again for the advice.

I didn't solve the problem yet, but I think I made some progress on it.

I removed my laptop from the domain and ran my web application on my laptop. I could search the AD box for a valid user; however, it failed when I tried to query the groups that user belongs to. The error message is "The specified domain either does not exist or could not be contacted".

While I'm googling for the answer, I appreciate your input and help.

thanks
--CalSun
 
Joe Kaplan (MVP - ADSI)
 
      07-22-2005
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your DirectoryEntry objects that causes these problems.

Joe K.
 
CalSun
 
      07-22-2005
Thanks Joe,

Here is what I got.

I pulled my laptop out of the domain and modified the code a bit. I use one DirectorySearcher with 2 properties loaded: one is cn and the other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside the domain but in a workgroup). However, this code won't do it when I host it on the webserver box (in the DMZ zone). Very strange!

That's all I've got for now, Joe. Please drop me anything that pops into your mind. Thanks.
 
Joe Kaplan (MVP - ADSI)
 
      07-22-2005
The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

Joe K.
 
CalSun
Guest
Posts: n/a
 
      07-24-2005
Hi Joe,
Thanks again for your frequent help. I meant DirectoryEntry instead of DirectorySearcher.

I haven't solved the problem yet. I double-checked the configuration and everything. It came to my attention that I have impersonate set to true in the config file, Anonymous Access checked, and the userid (webTest) is local to the webserver. webTest is not a domain user and I think it couldn't communicate with the Active Directory. I tried to browse to an AD user, but I couldn't see the domain user list from this webserver. Is there a way to achieve this?

Thanks
--CalSun

"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.

The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.

Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).

Joe K.

"CalSun" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
Thanks Joe,

Here is what I got.

I pulled my laptop out of the domain and modified the code a bit. I use one DirectorySearcher with 2 properties loaded: one is cn and the other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!

That's all I got for now, Joe. Please drop me anything that pops into your mind. Thanks

"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.

Joe K.

"CalSun" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
Thanks again for the advice.

I didn't solve the problem yet, but I think I made some progress on it.

I removed my laptop from the domain and ran my web application on my laptop. I could search the AD box for a valid user, however, it failed as I tried to query the groups that user belongs to. The error message is "The specified domain either does not exist or could not be contacted".

While I'm googling for the answer, I appreciate your input and help.

Thanks
--CalSun

"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.

Best of luck,

Joe K.

"CalSun" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
Joe and Paul, thanks for helping and the links.

I've double-checked the path and the configuration. They're all intact. I tried again and it got through from my laptop but not from the webserver.

I discovered that the web server doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable LDAP at the firewall. The reason I did that is because the web server is in the DMZ.

I'll come back to test it out tomorrow and hope it will work.

I am sure whether the webserver could contact the AD box if it's not in the same domain.

I will keep y'all updated.

thanks again for the help.

--CalSun


"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote in message news:%(E-Mail Removed)...
The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.

Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com

instead of one like:
LDAP://DC=yourdomain,DC=com

If that doesn't fix it, you might have firewall issues preventing LDAP access or something.

Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1 anyway) unless you specify AuthenticationTypes.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).

HTH,

Joe K.

"CalSun" <(E-Mail Removed)> wrote in message news:us3Q$(E-Mail Removed)...
Hi all,

I really need your help on this problem. (no help for 1 day googling).

I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then sees the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users are located.

Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).

Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify the user from the Dserver. I got the error message "The server is not operational"

Here is my IsAuthenticated code:

Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
    Dim domainAndAct As String = domain & "\" & act
    Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)
    Try
        Dim obj As Object = entry.NativeObject
        Dim search As DirectorySearcher = New DirectorySearcher(entry)
        search.Filter = "(SAMAccountName=" & act & ")"
        search.PropertiesToLoad.Add("cn")
        Dim result As SearchResult = search.FindOne()
        If (result Is Nothing) Then
            Return False
        End If
        'update the path to the user in the directory
        _path = result.Path
        _filterAttribute = result.Properties("cn").Item(0)
    Catch ex As Exception
        'Throw New Exception("Error authenticating user: " & ex.Message)
        Return False
    End Try
    Return True
End Function



Thank you all for help/reading
--CalSun
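
The two points from Joe's reply quoted in this thread (a server-bound path and an explicit AuthenticationTypes value), applied to the IsAuthenticated function, as an added example that is not code from the thread. The class name, the placeholder host and DN, the RFC 4515 filter escaping, and the choice to rethrow on the "server is not operational" HRESULT instead of returning False are assumptions of this example.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

' Added example, not the poster's code. Host name and DN are placeholders.
Public Class LdapAuthSketch
    ' Server-bound path: names the domain/DC explicitly, so ADSI does not have to
    ' locate a DC from the (local, non-domain) account the web application runs as.
    Private Const RootPath As String = "LDAP://yourdomain.com/DC=yourdomain,DC=com"
    ' HRESULTs surfaced by ADSI through COMException.ErrorCode.
    Private Const ServerDown As Integer = &H8007203A   ' "The server is not operational"
    Private Const LogonFailure As Integer = &H8007052E ' unknown user name or bad password

    ' RFC 4515 escaping so the account name cannot change the shape of the filter.
    Public Shared Function EscapeFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    Public Shared Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
        ' AuthenticationTypes.Secure negotiates Kerberos/NTLM instead of a cleartext simple bind.
        Dim entry As New DirectoryEntry(RootPath, domain & "\" & act, ps, AuthenticationTypes.Secure)
        Try
            Dim bound As Object = entry.NativeObject   ' forces the bind
            Dim search As New DirectorySearcher(entry)
            search.Filter = "(sAMAccountName=" & EscapeFilterValue(act) & ")"
            search.PropertiesToLoad.Add("cn")
            Return Not (search.FindOne() Is Nothing)
        Catch ex As COMException When ex.ErrorCode = LogonFailure
            Return False   ' the DC was reached and rejected the credentials
        Catch ex As COMException When ex.ErrorCode = ServerDown
            ' Path, DNS or firewall problem: surface it rather than a silent "login failed".
            Throw New ApplicationException("Cannot reach a domain controller via " & RootPath, ex)
        Finally
            entry.Dispose()
        End Try
    End Function
End Class
```

Separating the two HRESULTs keeps a connectivity fault from being logged as a failed login, which is what the original catch-all `Return False` does.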
 