Re: The server is not operational
From: CalSun (calsun_at_gmail.com)
Date: 07/24/05
- Previous message: M Gallagher: "Forms Authentication: <location> authorization not bypasssing login page."
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: The server is not operational"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: The server is not operational"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 23 Jul 2005 17:27:17 -0700
Hi Joe,
thanks again for your frequent help. I meant DirectoryEntry instead of DirectorySearcher.
I haven't solved the prob yet. I double-checked the configuration and everything. It came to my attention that I have impersonate set to true in the config file, Anonymous Access checked, and the userid (webTest) is local to the webserver. webTest is not a domain user and I think it couldn't communicate with the Active Directory. I tried to browse to an AD user, but I couldn't see the domain user list from this webserver. Is there a way to archive this?
thanks
--CalSun
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:OuMXmQvjFHA.3336@tk2msftngp13.phx.gbl...
The error you get comes from the DirectoryEntry that the DirectorySearcher uses as the search root, not from the DirectorySearcher itself.
The DirectoryEntry determines what server you connect to (the problem here), the security context used to do the search and the root of the search.
Typically, this error comes from having something invalid in your path parameter or sometimes from specifying an authentication type that is not supported (such as asking for SSL on a DC that doesn't support it or not asking for SSL in a situation where the firewall only allows SSL/LDAP access to the DC).
Joe K.
"CalSun" <calsun@gmail.com> wrote in message news:O33klBvjFHA.3436@tk2msftngp13.phx.gbl...
Thanks Joe,
Here is what I got.
I pulled my laptop out of the domain and modified the code a bit. I use one directorysearcher with 2 properties loaded: one is cn and other is "memberOf". With this code, I got myself (valid user) authenticated from my laptop (not inside domain but in workgroup). However, this code won't do it when I hosted it at the webserver box (in dmz zone). Very strange!
That's all i got 4 now Joe. Please drop me anything popped of your mind. thanks
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%23ckhF4tjFHA.3336@tk2msftngp13.phx.gbl...
When you are pulling out the group information, are you using the same server info in your path and the same credentials that you used in your initial search? Sometimes you will have some inconsistency in how you are building your directoryentry objects that causes these problems.
Joe K.
"CalSun" <calsun@gmail.com> wrote in message news:%23YUJiWtjFHA.3164@TK2MSFTNGP15.phx.gbl...
Thanks again for the advice.
I didn't solve the problem yet, but I think I make some progress on it.
I removed my laptop from the domain and ran myweb application on my laptop. I could such the AD box for a valid user, however, it failed as I try to query the groups that user belongs to. The error message is "The specified domain either does not exist of could not be contacted".
While I'm googling for the ans, I appreciate your input and help.
thanks
--CalSun
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:uLhTbpajFHA.1948@TK2MSFTNGP12.phx.gbl...
If you can, you might try putting MS's ldp.exe tool on the web server to try various connect, bind and search operations with it as well to verify the connectivity and such. Remember also that DNS needs to be able to resolve whatever DNS names you are using in your path, in case DNS might be configured totally different in the DMZ or something.
Best of luck,
Joe K.
"CalSun" <calsun@gmail.com> wrote in message news:%23NWK10YjFHA.3656@TK2MSFTNGP09.phx.gbl...
Joe and Paul thanks for helping and the links.
I've double-checked the path and the configuration. They're all in tack. I tried again and it got thru from my laptop but the webserver.
I discovered that the web svr doesn't belong to the domain (included in the _path). And I talked to the admin people and had them enable the LDAP from the firewall. The reason I do that 'cause the web srv is in the dmz zone.
I'll come back to test it out tomorrow and hope it will work.
I am sure whether the webserver could contact the AD box if it's not in the same domain.
I will keep y'all updated.
thanks again for the help.
--CalSun
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%236joTUXjFHA.2444@tk2msftngp13.phx.gbl...
The problem is likely in your _path variable (which you do not show). If you don't specify a domain or domain controller name in the path, the ADSI/S.DS tries to determine a DC via the current security context. However, if the current security context can't do that, you'll often get this error.
Try a path like:
LDAP://yourdomain.com/DC=yourdomain,DC=com
instead of one like:
LDAP://DC=yourdomain,DC=com
If that doesn't fix it, you might have firewall issues preventing LDAP access or something.
Additionally, remember that when you specify credentials in a DirectoryEntry bind, they will be sent on the network in cleartext (in 1.1. anyway) unless you specify authenticationtype.Secure or AuthenticationTypes.SecureSocketsLayer (which requires SSL/LDAP support in AD).
HTH,
Joe K.
"CalSun" <calsun@gmail.com> wrote in message news:us3Q$dVjFHA.3568@tk2msftngp13.phx.gbl...
Hi all,
I really need your help on this problem. (no help for 1 day goolging).
I use form authentication on my 2 simple aspx pages.
User is redirected to login.aspx, then see the main content page.
I use LDAP to verify the user from a domain named Dserver where the AD users locate.
Everything works just fine on my laptop (localhost). I could verify the user from the Active Directory. I am also able to verify whether the user belongs to a group named AllowDogs and redirect accordingly (main content page or fail-message).
Problem: As I move this application to an existing IIS win2k3 std box, I failed to verify user from the Dserver. I got the error message "The server is not operational"
Here is my IsAuthenticated code:
Public Function IsAuthenticated(ByVal domain As String, ByVal act As String, ByVal ps As String) As Boolean
Dim domainAndAct As String = domain & "\" & act
Dim entry As DirectoryEntry = New DirectoryEntry(_path, domainAndAct, ps)
Try
Dim obj As Object = entry.NativeObject
Dim search As DirectorySearcher = New DirectorySearcher(entry)
search.Filter = "(SAMAccountName=" & act & ")"
search.PropertiesToLoad.Add("cn")
Dim result As SearchResult = search.FindOne()
If (result Is Nothing) Then
Return False
End If
'update the path to the user in the directory
_path = result.Path
_filterAttribute = result.Properties("cn").Item(0)
Catch ex As Exception
'Throw New Exception("Error authenticating user: " & ex.Message)
Return False
End Try
Return True
End Function
Thank you all for help/reading
--CalSun
- Previous message: M Gallagher: "Forms Authentication: <location> authorization not bypasssing login page."
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: The server is not operational"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: The server is not operational"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
