0
votes

I'm trying to diagnose a problem with a server application running on a Client site. Said application authenticates user credentials against a Domain Controller in an AD environment. The behavior we're seeing is periodically no users can authenticate through the server.

We've essentially traced the failure to the "bind" failing. To further diagnose the issue, I built a super simple tool that does two types of binds: one using an LDAP server bind, and one use WinNT bind. Our server application only does LDAP bind, but to add a control, I threw in the WinNT bind.

        public static void DoWinNTBind(string domain, string login, string password)
        {
            Logger.Log("Starting WinNT Bind to {0}",domain);
            try
            {
                var serverPath = String.Format("WinNT://{0}",domain);

                Logger.Log("Creating DirectoryEntry object for {0} on domain {1}", login, serverPath);
                using (DirectoryEntry de = new DirectoryEntry(serverPath, login, password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
                {

                    if (!de.NativeObject.Equals(null))
                    {
                        Logger.Log("WinNT Bind Success");
                    }
                    else
                    {
                        Logger.Log("WinNT Bind Failed");
                    }
                }
            }
            catch(Exception ex)
            {
                Logger.Log("{0} occured during WinNT Bind: {1}",ex.GetType().Name,ex.Message);
                Logger.Log("Stack: {0}",ex.StackTrace);
            }
        }

        public static void DoLDAPBind(string domain,string login, string password) 
        {
            Logger.Log("Starting LDAP Bind to {0}",domain);
            try
            {
                var serverPath = String.Format("LDAP://{0}",domain);

                Logger.Log("Creating DirectoryEntry object for {0} on domain {1}", login, serverPath);
                using (DirectoryEntry de = new DirectoryEntry(serverPath, login, password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
                {

                    if (!de.NativeObject.Equals(null))
                    {
                        Logger.Log("LDAP Bind Success");
                    }
                    else
                    {
                        Logger.Log("LDAP Bind Failed");
                    }
                }
            }
            catch(Exception ex)
            {
                Logger.Log("{0} occured during LDAP Bind: {1}",ex.GetType().Name,ex.Message);
                Logger.Log("Stack: {0}",ex.StackTrace);
            }
        }

As you can see, there is not much code other than using System.DirectoryServices.DirectoryEntry to connect to a DC.

The resulting logfile is (name and domain masked).

6/29/2010 2:52:17 PM: Performing AD binds for user1 6/29/2010 2:52:17 PM: Starting LDAP Bind to xxx.xxx 6/29/2010 2:52:17 PM: Creating DirectoryEntry object for on domain LDAP://xxx.xxx 6/29/2010 2:52:17 PM: DirectoryServicesCOMException occured during LDAP Bind: Logon failure: unknown user name or bad password.

6/29/2010 2:52:17 PM: Stack: at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_NativeObject() at AdmitOne.Superglue.ActiveDirectoryHelper.DoLDAPBind(String domain, String login, String password) in C:\Projects\Galapagos\branches\Contract\2.0_SN_Peer\Src\Tools\Superglue\ActiveDirectoryHelper.cs:line 47 6/29/2010 2:52:17 PM: Starting WinNT Bind to xxx.xxx 6/29/2010 2:52:17 PM: Creating DirectoryEntry object for user1 on domain WinNT://xxx.xxx 6/29/2010 2:52:18 PM: WinNT Bind Success

So the same user name fails to bind using LDAP, but succeeds using WinNT!

Locally in our test environment, we don't see this behavior, both LDAP and WinNT succeed with no issues.

So I'm stuck. I'd like to say it's a problem with their AD environment, but without a smoking gun, I can't.

I'm first asking on Stack, to ensure that my bind code is correct. Afterwhich, I'll probably need to reask on Serverfault, which is the more appropriate place to ask for AD specific issues.

1

1 Answers

0
votes

It turns out this is not a code issue, but instead the customer's AD environment is having issues with Kerberos.

Specifically the Secure/Sealing flags instruct the LDAP provider to use only Kerberos to securely negotiate auth.

Since Kerberos is not supported by the WinNT provider, there is no issue binding with the WinNT provider.