Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

LDAP server is unavailable error

Last post 5 hours, 39 minutes ago by erascon. 27 replies.
Page 1 of 2 (28 items)   1 2 Next >
  •  06-25-2008, 2:21 PM 4032

    LDAP server is unavailable error

    Please help, we are getting an intermittent LDAP error: LDAP server is unavailable. I am using the following code:

        private static PrincipalContext domainCtx = new PrincipalContext(ContextType.Domain, ad_DomainName);

        private bool validateUser(string userName, string pwd)
        {
            try
            {
                // check if the user name has the ad_DomainName
                userName = AppendDomain(userName);
                return domainCtx.ValidateCredentials(userName, pwd, ContextOptions.SimpleBind);
            }
            catch (LdapException ex)
            {
                // doing it again because of the service not available error -- this is a temp fix....
                return domainCtx.ValidateCredentials(userName, pwd);
            }
        }

    The error occurs in the ValidateCredentials function. Any help is appreciated.

  •  06-25-2008, 2:41 PM 4034 in reply to 4032

    Re: LDAP server is unavailable error

    That error is pretty accurate.  What is the name format you are using for the domain?  Can you reach the domain using ldp.exe (File > Connect)?  If you can't get it through ldp.exe, you can't get it in code either.

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-25-2008, 2:46 PM 4036 in reply to 4034

    Re: LDAP server is unavailable error

    I can connect with the code in the post and ldp.exe with the given domain name.  This error does not occur all the time.

     

     

     

  •  06-25-2008, 2:49 PM 4038 in reply to 4036

    Re: LDAP server is unavailable error

    Domain format is : devtest.net
  •  06-25-2008, 2:50 PM 4039 in reply to 4036

    Re: LDAP server is unavailable error

    Is this a single domain, or do you have trusts involved?  For instance, is it failing when the user is from another domain?

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-25-2008, 3:02 PM 4040 in reply to 4039

    Re: LDAP server is unavailable error

    For dev it is a single domain and for production it is multi-domain. No trust issues since it is configured to run in the same domain as the web.

     

    Thank you for your help.

  •  06-25-2008, 3:24 PM 4043 in reply to 4040

    Re: LDAP server is unavailable error

    Try to get the stack trace for it.  There are alternate authentication paths depending on environment, I believe.  Maybe we can narrow it down to what it is trying for you.

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-25-2008, 5:18 PM 4044 in reply to 4043

    Re: LDAP server is unavailable error

    I was able to set my WCF service to trace, and here it is:

    Stack trace:

    System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
    System.DirectoryServices.Protocols.LdapConnection.Bind(NetworkCredential newCredential)
    System.DirectoryServices.AccountManagement.CredentialValidator.lockedLdapBind(LdapConnection current, NetworkCredential creds, ContextOptions contextOptions)
    System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
    System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password, ContextOptions connectionMethod)
    System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password, ContextOptions options)
    CenturaServices.AdAccountMgrServiceImplementation.validateUser(String userName, String pwd) in C:\Projects\PasswordResetTool\WCFServices\WCFADService\CenturaServices\CenturaServices\AdAccountMgrServiceImplementation.cs:line 1163
    CenturaServices.AdAccountMgrServiceImplementation.GetUser(String userName, String pwd) in C:\Projects\PasswordResetTool\WCFServices\WCFADService\CenturaServices\CenturaServices\AdAccountMgrServiceImplementation.cs:line 552
    SyncInvokeGetUser(Object , Object[] , Object[] )
    System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
    System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc& rpc)
    System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

    Exception type:

    System.DirectoryServices.Protocols.DirectoryOperationException, System.DirectoryServices.Protocols, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

     

    Message:

    The server is unavailable.

     

    Thank you for your help.

  •  06-25-2008, 8:21 PM 4047 in reply to 4044

    Re: LDAP server is unavailable error

    I don't see it right away, but I am tracing the code paths with my eyes.  What are you doing in the AppendDomain method?  How is the username being formatted?

    The only thing I can see is that SDS.AM is using a connection cache in the BindLdap method where it attempts to set up a fast bind or locks and does a bind without it.  You say you are hosting this in WCF and I am wondering if the connection is somehow getting disposed in the cache and you are hitting a stale connection.

    Is this fast, or does it hang for a bit before returning?

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-27-2008, 10:03 AM 4061 in reply to 4047

    Re: LDAP server is unavailable error

     

        private string AppendDomain(string userName)
        {
            if (userName.IndexOf("\\") < 0)
                userName = domainName + @"\" + userName;
            return userName;
        }

    And I just noticed something. Currently I am testing

        domainCtx.ValidateCredentials(userName, pwd, ContextOptions.SimpleBind);

        domainCtx.ValidateCredentials(userName, pwd, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);

    The PrincipalContext is instantiated like this:

        private static PrincipalContext domainCtx = new PrincipalContext(ContextType.Domain, ad_DomainName);

    Thank you.

    Note: I had a login issue and had to create a new account.

  •  06-27-2008, 7:50 PM 4062 in reply to 4061

    Re: LDAP server is unavailable error

    I don't see the problem honestly.  It looks to me like it works when using the default context options and fails when using the simple bind option.  The simple bind option is nice when you have support for fast concurrent binding, but otherwise I would just use the default Negotiate bind.

    You might need to open a PSS case and send in a network trace to see the problem.

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  07-10-2008, 1:17 PM 4135 in reply to 4062

    Re: LDAP server is unavailable error

    I am opening a ticket with Microsoft today. While waiting for this issue to be resolved, do you recommend using the following method to authenticate users using a WCF service that will be called from a web application:

        public bool AuthenticateDE(string userName, string pwd)
        {
            bool ret = false;
            try
            {
                userName = AppendDomain(userName);
                LdapConnection ldpConnection = new LdapConnection(domainName);
                System.Net.NetworkCredential nc = new System.Net.NetworkCredential(userName, pwd);
                ldpConnection.AuthType = AuthType.Basic;
                ldpConnection.Bind(nc);
                ldpConnection.Dispose();
                ret = true;
                return ret;
            }
            catch (LdapException ex)
            {
                // this is the ldap server not available try again ??
                //return false;
                throw ex;
            }
            catch (Exception e)
            {
                string error = e.Message;
                throw e;
            }
            finally
            {
            }
        }
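
A hardened variant of the AuthenticateDE method above, as an added example that is not part of the original thread or any poster's code. It opens a fresh connection per attempt, binds with Negotiate plus signing and sealing (a Basic bind sends the password in clear text unless the channel is TLS-protected), and retries only when the directory could not be reached, never after the server rejects the credentials. The class name, the retry count, the timeout and the assumption that `userName` is the bare account name are illustrative.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Threading;

public static class LdapCredentialCheck
{
    private const int LdapInvalidCredentials = 49; // LDAP result code for a bad user name or password
    private const int MaxAttempts = 3;             // assumption: small, bounded retry budget

    // Returns true or false when the directory gave a definite answer;
    // throws when it could not be reached after MaxAttempts tries.
    public static bool Validate(string domainName, string userName, string password)
    {
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                // New connection per attempt: no static state shared between WCF calls
                // that can go stale, and disposal is guaranteed even when Bind throws.
                using (var conn = new LdapConnection(new LdapDirectoryIdentifier(domainName)))
                {
                    conn.AuthType = AuthType.Negotiate;       // Kerberos/NTLM instead of a simple bind
                    conn.SessionOptions.Signing = true;       // integrity-protect the session
                    conn.SessionOptions.Sealing = true;       // encrypt the session
                    conn.Timeout = TimeSpan.FromSeconds(10);  // assumption: fail fast instead of hanging
                    conn.Bind(new NetworkCredential(userName, password, domainName));
                    return true;
                }
            }
            catch (LdapException ex) when (ex.ErrorCode == LdapInvalidCredentials)
            {
                // The server answered and rejected the credentials. Retrying here would
                // only add failed logons against the account, so report the result.
                return false;
            }
            catch (Exception ex) when ((ex is LdapException || ex is DirectoryOperationException)
                                       && attempt < MaxAttempts)
            {
                // Directory-side failure such as "The server is unavailable": back off, retry.
                Thread.Sleep(200 * attempt);
            }
            // On the last attempt the filter above is false, so the exception propagates with
            // its original stack trace and the caller can tell an outage from a bad password.
        }
    }
}
```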

     

  •  07-10-2008, 1:25 PM 4136 in reply to 4135

    Re: LDAP server is unavailable error

    What happens when you use the authentication code I have in Chapter 12 here using SDS.P?

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  07-10-2008, 2:43 PM 4137 in reply to 4136

    Re: LDAP server is unavailable error

    Can you please email me the link for chapter 12? I have used similar code in a previous project, but for this project I wanted to improve performance and try to use one LDAP connection for all users to do the authentication. (Static principal context object)

        private static PrincipalContext domainCtx = new PrincipalContext(ContextType.Domain, ad_DomainName);

  •  07-10-2008, 2:48 PM 4138 in reply to 4137

    Re: LDAP server is unavailable error

    Note: I used SDS and not SDS.P in the previous project.
