Active Directory: Get RootDSE in domain residing in Forest with multiple roots?

1
votes

I have a client that's utilizing a windows service I wrote that polls a specified active directory LDAP server for users in specified groups within that LDAP server.

Once it finds a user, it fills out the user information (i.e. username, email, etc.) and attempts to retrieve the user's domain within that LDAP server.

When I attempt to retrieve the user's domain for this specific client, I'm hitting a DirectoryServicesCOMException: Logon failure: unkonwn user name or bad password. This exception is being thrown when I attempt to reference a property on the RootDSE DirectoryEntry object I instantiate.

This client has a Forest with two roots, setup as follows.

Active Directory Domains and Trusts

  • ktregression.com

  • ktregression.root

I assume this is the issue. Is there any way around this? Any way to still retrieve the netbiosname of a specific domain object without running into this exception?

Here is some sample code pointing to a test AD server setup as previously documented:

        string domainNameLdap = "dc=tempe,dc=ktregression,dc=com";

        DirectoryEntry RootDSE = new DirectoryEntry (@"LDAP://10.32.16.6/RootDSE");
        DirectoryEntry servers2 = new DirectoryEntry (@"LDAP://cn=Partitions," + RootDSE.Properties["configurationNamingContext"].Value ); //*****THIS IS WHERE THE EXCEPTION IS THROWN********

        //Iterate through the cross references collection in the Partitions container
        DirectorySearcher clsDS = new DirectorySearcher(servers2);
        clsDS.Filter = "(&(objectCategory=crossRef)(ncName=" + domainNameLdap + "))";
        clsDS.SearchScope = SearchScope.Subtree;
        clsDS.PropertiesToLoad.Add("nETBIOSName");

        List<string> bnames = new List<string>();

        foreach (SearchResult result in clsDS.FindAll() )
            bnames.Add(result.Properties["nETBIOSName"][0].ToString());
2
c#active-directory
Have you made sure that either RootDSE.Properties["configurationNamingContext"].Value returns a value which is actually not null, or respects the LDAP nomenclature of LDAP://CN=Partitions,DC=ktregression,DC=com or the like?Will Marcouiller
Have you taken an eye out the code sample I provided you for your other similar question of yesterday?Will Marcouiller
@Will, yeah I took a look at it and gave it a go. I actually responded to that with another question. I think I'm actually having two separate issues though, which is why I started this one as well. The issue where I have an instance of two roots in a single forest.ghost_mv
As far as making sure RootDSE.Properties["configurationNamingContext"].Value returns a value and is not null, I can't make that check because the second I attempt to retrieve whether it has a value, the exception is thrown.ghost_mv
@Micheal: I get your point. Please, might you explain limpidly what is your objective, forgetting about the code and everything else, just tell what you need to be accomplished so that I might make up my mind up to something. I have worked a lot and still do with the Active Directory for the last few weeks. I hope I can help you further. As a second thought, given that you have two different roots, why not simply create two independant instance of the DirectoryEntry class which would represent each of your roots, and work with them?Will Marcouiller

2 Answers

2
votes

It seems that the user account with which the Active Directory tries to authenticate "you" does not exist as your DirectoryServicesCOMException reports it.

DirectoryServicesCOMException: Logon failure: unkonwn user name or bad password.

Look at your code sample, it seems you're not using impersonation, hence the security protocol of the Active Directory take into account the currently authenticated user. Make this user yourself, then if you happen not to be defined on both of your domain roots, one of them doesn't know you, which throws this kind of exception.

On the other hand, using impersonation might solve the problem here, since you're saying that your Windows Service account has the rights to query both your roots under the same forest, then you have to make sure the authenticated user is your Windows Service.

In clear, this means that without impersonation, you cannot guarantee that the authenticated user IS your Windows Service. To make sure about it, impersonation is a must-use.

Now, regarding the two roots

  1. ktregression.com;
  2. ktregression.root.

These are two different and independant roots. Because of this, I guess you should go with two instances of the DirectoryEntry class fitting one for each root.

After having instantiated the roots, you need to search for the user you want to find, which shall be another different userName than the one that is impersonated.

We now have to state whether a user can be defined on both roots. If it is so, you will need to know when it is better to choose one over the other. And that is of another concern.

Note
For the sake of simplicity, I will take it that both roots' name are complete/full as you mentioned them.

private string _dotComRootPath = "LDAP://ktregression.com";
private string _dotRootRootPath = "LDAP://ktregression.root";
private string _serviceAccountLogin = "MyWindowsServiceAccountLogin";
private string _serviceAccountPwd = "MyWindowsServiceAccountPassword";

public string GetUserDomain(string rootPath, string login) {
    string userDomain = null;

    using (DirectoryEntry root = new DirectoryEntry(rootPath, _serviceAccountLogin, _serviceAccountPwd)) 
        using (DirectorySearcher searcher = new DirectorySearcher()) {
            searcher.SearchRoot = root;
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("nETBIOSName");
            searcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", login);

            SearchResult result = null;

            try {
                result = searcher.FindOne();

                if (result != null) 
                    userDomain = (string)result.GetDirectoryEntry()
                                    .Properties("nETBIOSName").Value;                                     
            } finally {
                dotComRoot.Dispose();
                dotRootRoot.Dispose();
                if (result != null) result.Dispose();
            }
        }            

    return userDomain;
}

And using it:

string userDomain = (GetUserDomain(_dotComRoot, "searchedLogin") 
                        ?? GetUserDomain(_dotRootRoot, "searchedLogin")) 
                    ?? "Unknown user";

Your exception is thrown only on the second DirectoryEntry initilization which suggests that your default current user doesn't have an account defined on this root.

EDIT #1

Please see my answer to your other NetBIOS Name related question below:
C# Active Directory: Get domain name of user?
where I provide a new and probably easier solution to your concern.

Let me know if you have any further question. =)

0
votes

I believe that the DirectoryEntry has properties to specify for an AD account that can perform LDAP queries or updates, you can also delegate that control down from your parent domain.