开发者

Active Directory: Get RootDSE in domain residing in Forest with multiple roots?

I have a client that's utilizing a windows service I wrote that polls a specified active directory LDAP server for users in specified groups within that LDAP server.

Once it finds a user, it fills out the user information (i.e. username, email, etc.) and attempts to retrieve the user's domain within that LDAP server.

When I attempt to retrieve the user's domain for this specific client, I'm hitting a DirectoryServicesCOMException: Logon failure: unkonwn user name or bad password. This exception is being thrown when I attempt to reference a property on the RootDSE DirectoryEntry object I instantiate.

This client has a Forest with two roots, setup as follows.

Active Directory Domains and Trusts

  • ktregression.com

  • ktregression.root

I assume this is the issue. Is there any way around this? Any way to still retrieve the netb开发者_运维技巧iosname of a specific domain object without running into this exception?

Here is some sample code pointing to a test AD server setup as previously documented:

        string domainNameLdap = "dc=tempe,dc=ktregression,dc=com";

        DirectoryEntry RootDSE = new DirectoryEntry (@"LDAP://10.32.16.6/RootDSE");
        DirectoryEntry servers2 = new DirectoryEntry (@"LDAP://cn=Partitions," + RootDSE.Properties["configurationNamingContext"].Value ); //*****THIS IS WHERE THE EXCEPTION IS THROWN********

        //Iterate through the cross references collection in the Partitions container
        DirectorySearcher clsDS = new DirectorySearcher(servers2);
        clsDS.Filter = "(&(objectCategory=crossRef)(ncName=" + domainNameLdap + "))";
        clsDS.SearchScope = SearchScope.Subtree;
        clsDS.PropertiesToLoad.Add("nETBIOSName");

        List<string> bnames = new List<string>();

        foreach (SearchResult result in clsDS.FindAll() )
            bnames.Add(result.Properties["nETBIOSName"][0].ToString());


It seems that the user account with which the Active Directory tries to authenticate "you" does not exist as your DirectoryServicesCOMException reports it.

DirectoryServicesCOMException: Logon failure: unkonwn user name or bad password.

Look at your code sample, it seems you're not using impersonation, hence the security protocol of the Active Directory take into account the currently authenticated user. Make this user yourself, then if you happen not to be defined on both of your domain roots, one of them doesn't know you, which throws this kind of exception.

On the other hand, using impersonation might solve the problem here, since you're saying that your Windows Service account has the rights to query both your roots under the same forest, then you have to make sure the authenticated user is your Windows Service.

In clear, this means that without impersonation, you cannot guarantee that the authenticated user IS your Windows Service. To make sure about it, impersonation is a must-use.

Now, regarding the two roots

  1. ktregression.com;
  2. ktregression.root.

These are two different and independant roots. Because of this, I guess you should go with two instances of the DirectoryEntry class fitting one for each root.

After having instantiated the roots, you need to search for the user you want to find, which shall be another different userName than the one that is impersonated.

We now have to state whether a user can be defined on both roots. If it is so, you will need to know when it is better to choose one over the other. And that is of another concern.

Note
For the sake of simplicity, I will take it that both roots' name are complete/full as you mentioned them.

private string _dotComRootPath = "LDAP://ktregression.com";
private string _dotRootRootPath = "LDAP://ktregression.root";
private string _serviceAccountLogin = "MyWindowsServiceAccountLogin";
private string _serviceAccountPwd = "MyWindowsServiceAccountPassword";

public string GetUserDomain(string rootPath, string login) {
    string userDomain = null;

    using (DirectoryEntry root = new DirectoryEntry(rootPath, _serviceAccountLogin, _serviceAccountPwd)) 
        using (DirectorySearcher searcher = new DirectorySearcher()) {
            searcher.SearchRoot = root;
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("nETBIOSName");
            searcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", login);

            SearchResult result = null;

            try {
                result = searcher.FindOne();

                if (result != null) 
                    userDomain = (string)result.GetDirectoryEntry()
                                    .Properties("nETBIOSName").Value;                                     
            } finally {
                dotComRoot.Dispose();
                dotRootRoot.Dispose();
                if (result != null) result.Dispose();
            }
        }            

    return userDomain;
}

And using it:

string userDomain = (GetUserDomain(_dotComRoot, "searchedLogin") 
                        ?? GetUserDomain(_dotRootRoot, "searchedLogin")) 
                    ?? "Unknown user";

Your exception is thrown only on the second DirectoryEntry initilization which suggests that your default current user doesn't have an account defined on this root.

EDIT #1

Please see my answer to your other NetBIOS Name related question below:
C# Active Directory: Get domain name of user?
where I provide a new and probably easier solution to your concern.

Let me know if you have any further question. =)


I believe that the DirectoryEntry has properties to specify for an AD account that can perform LDAP queries or updates, you can also delegate that control down from your parent domain.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜