Solved

What type of AD account do I need to bind to AD root directory using C#?

Posted on 2014-12-16
12
148 Views
Last Modified: 2014-12-17
Hi,
System people gave me an AD admin account.  I used that in my code to bind serverlessly to rootDSE but I'm getting a logon error saying my user id and password are unknown.  Is there a special AD account I would need to bind to the rootDSE?
DirectoryEntry deRoot = new DirectoryEntry("LDAP://rootDSE", "admin_id", "somePassword!");

Also for serverless binding, can I specify a domain to bind to?

Thank you.
Question by:lapucca
12 Comments
 
LVL 3

Expert Comment

by:Guillermin-go
ID: 40503998
Hi:

Well, if you are getting an unknown user message, try to put the admin_id this way (the full path to the user object in the directory):

"cn=admin_id,o=mycompany"
0
 

Author Comment

by:lapucca
ID: 40505038
Well, that looks odd.    cn is the user id name, but just the o attribute may qualify the full path and I'm not sure if that would work, but I'm working on finding the full path and will give it a try.  So just the user id, and O is organization, right?  Where do I see that in the AD Users and Computers snap-in?

What about if I bind to a specific user group / security group instead?  So what would the code look like?  Something like
DirectoryEntry deRoot = new DirectoryEntry("LDAP://full path syntax like cn=xxx cn=xxx.....", "admin_id", "somePassword!");

Would that work for serverless binding?
Thank you.
0
 

Author Comment

by:lapucca
ID: 40505127
If I'm binding to AD using a user id and password, do I still need to use impersonation C# code before binding?
0
 
LVL 3

Expert Comment

by:Guillermin-go
ID: 40505166
Hi:

To get the full path to the user object, the easiest way is to use adsiedit (from my point of view).

Locate where the user object is in the Users and Computers snap-in (right-click the domain name and click Find), double-click the user object and then look at the "Object" tab; there you can see where the object is stored in AD (if you don't see the "Object" tab, then go to the Users and Computers snap-in, on the top click View, then click Advanced Features and find the user again; now you should see the "Object" tab).

Now that you know where the user object is stored, go to Start, Run, and run adsiedit.msc, navigate to the container or OU where the user object is stored, right-click the user object, then click Properties, and double-click the distinguishedName attribute, then copy the string value. This is the full path to the user object in AD and I think this is what you should type in the admin_id field. I suggest you use this way to get any path you want to use (users, groups and organizational units or containers).

Yes, I think that should work.
0
 

Author Comment

by:lapucca
ID: 40505294
G, thank you for such detailed, precise steps to get to the Object tab, and that does work.

I ran adsiedit.msc, clicked the "Connect to" menu item, then there was a pop-up; I entered the user id and the password I used to bind in my code and got an error.  Please see the attached screen shot.  Does that mean that user id and password need additional permission to bind?

I then just double-clicked on the root node that has the label "ADSIEdit", then the tree expands and I see the objects.  It's using my Windows login id, I think.

I was able to get the full path of the admin account per your instruction.  I put that in my code and now that logon error or unknown user id or password goes away.  I now get System.DirectoryServices.DirectoryServicesCOMException.  In the Locals window at the bottom of VS, in the base attribute of my deRoot object, it shows an error message of "A local error has occurred.\r\n" and an extended error of -2146893052.  Any advice on what could cause this?  Have I gotten over the login issue?
ADSIEDIT-ERRO.jpg
0
 

Author Comment

by:lapucca
ID: 40505299
Attached is a screen shot of error in VS.  Thank you.
ADSIEDIT-ERRO2.jpg
0
 
LVL 3

Expert Comment

by:Guillermin-go
ID: 40505482
Hi lapucca

Change the "admin_id" when binding. Instead of the "Distinguished name", try "YourDomain\YourAdminAccountName" or "YourAdminAccountName@yourdomain", please.
0
 

Author Comment

by:lapucca
ID: 40505491
So you don't think I got past the logon error yet?  The error message seemed to have changed to "A local error..".

Okay, I will try both of your suggestions now.  Thank you.
0
 

Author Comment

by:lapucca
ID: 40505494
"YourDomain\YourAdminAccountName" or "YourAdminAccountName@yourdomain": the "YourAdminAccountName" part is just the account name and not the path, but does it need CN=YourAdminAccountName, the "CN=" part?
0
 
LVL 3

Accepted Solution

by:Guillermin-go (earned 500 total points)
ID: 40505542
Hi

You are using secure authentication, so I'm asking you to try "domain\admin_n....s" or "admin_n....s@domain" because "CN=domain_n....s + full path" is not supported for secure authentication in the "admin_id" field. That's my fault, I'm sorry, I realized after my previous post. The error you get can be due to this.
0
 

Author Comment

by:lapucca
ID: 40505569
Using "YourDomain\YourAdminAccountName" gives the same previous error of
-            base      {"Logon failure: unknown user name or bad password.\r\n"}      System.Runtime.InteropServices.ExternalException {System.Runtime.InteropServices.COMException}

Reverting order to "YourAdminAccountName@yourdomain" gets me the same logon failure "YourAdminAccountName@yourdomain" as listed above.

How can I test if this service account has permission to bind to AD?  Since I can see the AD snap-in and am able to use ADSIEdit, maybe I will try my credentials next?
0
 

Author Comment

by:lapucca
ID: 40505580
"YourAdminAccountName@yourdomain" works! The problem is with the service account's permission level, I think.  Once I use my Windows credentials, it allowed me to bind to the root.    Thank you so much for your patience in helping me.  I actually need help binding to a security group.  The code I have is not working.  I'm creating a new question for it, hoping you can help again.
0
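The following is an added example, not code from the question or from any of the answers above. It puts the accepted answer's point into practice (with AuthenticationTypes.Secure the user field takes "DOMAIN\name" or "name@domain", not a distinguishedName) and answers the later question of how to test whether an account can bind at all: it forces the bind immediately and prints the same ExtendedError value that Visual Studio showed in the Locals window. It also shows the domain-qualified form of the serverless path ("LDAP://corp.example/rootDSE") that the original question asked about. Assumptions: the process runs on a domain-joined machine, the project references System.DirectoryServices, the credentials come from the environment variables AD_BIND_USER and AD_BIND_PASSWORD (names chosen for this example), and "corp.example" is a placeholder for the target DNS domain.

```csharp
// Added example; not code from the original question or answers.
// Assumes a domain-joined machine and a reference to System.DirectoryServices.
// AD_BIND_USER / AD_BIND_PASSWORD and "corp.example" are this example's own placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class RootDseBindCheck
{
    // Attempts the bind right away and reports why it failed. Returns true on success;
    // on failure the entry is disposed and set to null.
    static bool TryBind(string path, string user, string password, out DirectoryEntry entry)
    {
        // Secure (SSPI) authentication accepts "DOMAIN\name" or "name@domain" in the
        // user field; a distinguishedName there is not accepted in this mode.
        entry = new DirectoryEntry(path, user, password, AuthenticationTypes.Secure);
        try
        {
            entry.RefreshCache();   // forces the LDAP bind now, not on the first property read
            return true;
        }
        catch (COMException ex)
        {
            // DirectoryServicesCOMException carries the ExtendedError value seen in the
            // VS Locals window; plain COMException (e.g. logon failure) has only ErrorCode.
            var dsEx = ex as DirectoryServicesCOMException;
            string extended = dsEx == null
                ? ""
                : string.Format(" (ExtendedError {0}: {1})", dsEx.ExtendedError, dsEx.ExtendedErrorMessage);
            Console.Error.WriteLine("Bind to {0} failed: 0x{1:X8} {2}{3}",
                path, ex.ErrorCode, ex.Message.Trim(), extended);
            entry.Dispose();
            entry = null;
            return false;
        }
    }

    static int Main()
    {
        string user = Environment.GetEnvironmentVariable("AD_BIND_USER");         // e.g. svc_ldap@corp.example
        string password = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
        {
            Console.Error.WriteLine("Set AD_BIND_USER and AD_BIND_PASSWORD first.");
            return 2;
        }

        // 1. Serverless bind: ADSI locates a domain controller for the machine's own domain.
        DirectoryEntry root;
        if (!TryBind("LDAP://rootDSE", user, password, out root))
            return 1;

        using (root)
        {
            string domainDn = (string)root.Properties["defaultNamingContext"].Value;
            Console.WriteLine("rootDSE bind OK; defaultNamingContext = " + domainDn);
            Console.WriteLine("Answered by DC: " + root.Properties["dnsHostName"].Value);

            // 2. Same credentials against the domain head; reading a property back
            //    shows the account has at least read access to that object.
            DirectoryEntry domain;
            if (TryBind("LDAP://" + domainDn, user, password, out domain))
            {
                using (domain)
                {
                    Console.WriteLine("Domain object: " + domain.Properties["distinguishedName"].Value);
                }
            }
        }

        // 3. Serverless bind to a specific domain: prefix the DNS domain name and ADSI
        //    still chooses a DC for that domain instead of a fixed server name.
        DirectoryEntry other;
        if (TryBind("LDAP://corp.example/rootDSE", user, password, out other))
        {
            using (other)
            {
                Console.WriteLine("corp.example DC: " + other.Properties["dnsHostName"].Value);
            }
        }

        return 0;
    }
}
```

Reading the credentials from the environment instead of string literals keeps the real account name and password out of the source the thread was pasting around. Once the rootDSE bind succeeds, the defaultNamingContext it returns is the reliable starting point for later binds: a group or OU path can then be read from the directory (the distinguishedName attribute, as the earlier adsiedit steps describe) rather than typed by hand, which avoids the "full path syntax like cn=xxx" guesswork in the question.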
