What type of AD account do I need to bind to AD root directory using C#?

Hi,
System people gave me an AD admin account.  I used that in my code to bind serverlessly to rootDSE, but I'm getting a logon error saying my user ID and password are unknown.  Is there a special AD account I would need to bind to the rootDSE?
DirectoryEntry deRoot = new DirectoryEntry("LDAP://rootDSE", "admin_id", "somePassword!");

Also for serverless binding, can I specify a domain to bind to?

Thank you.
Guillermo Feijóo (Systems administrator) commented:
Hi:

Well, if you are getting an unknown user message, try to put the admin_id this way (the full path to the user object in the directory):

"cn=admin_id,o=mycompany"
lapucca (Author) commented:
Well, that looks odd.  cn is the user ID name, but I'm not sure whether just the o attribute qualifies the full path or whether that would work; I'm working on finding the full path and will give it a try.  So it's just the user ID, and O is organization, right?  Where do I see that in the AD Users and Computers snap-in?

What about if I bind to a specific user group / security group instead?  So what would the code look like?  Something like
DirectoryEntry deRoot = new DirectoryEntry("LDAP://full path syntax like cn=xxx cn=xxx.....", "admin_id", "somePassword!");

Would that work for serverless binding?
Thank you.
lapucca (Author) commented:
If I'm binding to AD using a user ID and password, do I still need to use impersonation C# code before binding?
Guillermo Feijóo (Systems administrator) commented:
Hi:

To get the full path to the user object, the easiest way is to use adsiedit (from my point of view).

Locate where the user object is in the Users and Computers snap-in (right-click the domain name and click Find), double-click the user object and then look at the "Object" tab; there you can see where the object is stored in AD. (If you don't see the "Object" tab, go to the Users and Computers snap-in, click View at the top, then click Advanced Features and find the user again; now you should see the "Object" tab.)

Now that you know where the user object is stored, click Start, Run, and run adsiedit.msc; navigate to the container or OU where the user object is stored, right-click the user object, click Properties, double-click the distinguishedName attribute, then copy the string value. This is the full path to the user object in AD, and I think this is what you should type in the admin_id field. I suggest you use this method to get any path you want to use (users, groups, and organizational units or containers).

Yes, I think that should work.
lapucca (Author) commented:
G, thank you for such detailed, precise steps to get to the Object tab; that does work.

I ran adsiedit.msc and clicked the "Connect to" menu item; then there was a pop-up, I entered the user ID and the password I used to bind in my code, and got an error.  Please see the attached screenshot.  Does that mean that user ID and password need additional permission to bind?

I then just double-clicked on the root node that has the label "ADSIEdit"; then the tree expands and I see the objects.  It's using my Windows login ID, I think.

I was able to get the full path of the admin account per your instructions.  I put that in my code and now that logon error of unknown user ID or password goes away.  I now get System.DirectoryServices.DirectoryServicesCOMException.  In the Locals window at the bottom of VS, in the base attribute of my deRoot object, it shows an error message of "A local error has occurred.\r\n" and an extended error of -2146893052.  Any advice on what could cause this?  Have I gotten over the login issue?
ADSIEDIT-ERRO.jpg
lapucca (Author) commented:
Attached is a screenshot of the error in VS.  Thank you.
ADSIEDIT-ERRO2.jpg
Guillermo Feijóo (Systems administrator) commented:
Hi lapucca

Change the "admin_id" when binding. Instead of the "Distinguished name", try "YourDomain\YouAdminAccountName" or "YouAdminAccountName@yourdomain", please.
lapucca (Author) commented:
So you don't think I got past the logon error yet?  The error message seemed to have changed to "A local error..."

Okay, will try both your suggestions now.  Thank you.
lapucca (Author) commented:
For "YourDomain\YouAdminAccountName" or "YouAdminAccountName@yourdomain", the "YouAdminAccountNam" part is just the account name and not the path, but does it need CN=YouAdminAccountNam, i.e. the "CN=" part?
Guillermo Feijóo (Systems administrator) commented:
Hi

You are using secure authentication, so I'm asking you to try "domain\admin_n....s" or "admin_n....s@domain", because "CN=domain_n....s + full path" is not supported for secure authentication in the "admin_id" field. That's my fault, I'm sorry; I realised it after my previous post. The error you get can be due to this.
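The point made in the comment above (secure binding takes "domain\user" or "user@domain", not a distinguished name) and the earlier question about naming a domain in a serverless bind, put into a complete program. This is an added example, not code from the thread; it assumes .NET Framework with System.DirectoryServices referenced, credentials supplied through the hypothetical LDAP_USER and LDAP_PASSWORD environment variables, and the placeholder domain corp.example.

```csharp
// Added example (not from the thread): bind to rootDSE with explicit
// credentials and AuthenticationTypes.Secure, read defaultNamingContext,
// then bind to the domain root. corp.example, LDAP_USER and LDAP_PASSWORD
// are placeholders/assumptions.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

class RootDseBind
{
    // Returns the defaultNamingContext (e.g. "DC=corp,DC=example") or throws.
    static string ReadDefaultNamingContext(string ldapPath, string userName, string password)
    {
        // Secure = Negotiate (Kerberos/NTLM). For this bind type the user name
        // must be "DOMAIN\user" or "user@domain"; a distinguished name is only
        // meaningful for a simple bind, which the thread was not using.
        using (var root = new DirectoryEntry(ldapPath, userName, password,
                                             AuthenticationTypes.Secure))
        {
            // DirectoryEntry binds lazily: touching a property forces the bind,
            // so credential errors surface here rather than at construction.
            root.RefreshCache(new[] { "defaultNamingContext" });
            return root.Properties["defaultNamingContext"].Value.ToString();
        }
    }

    static void Main()
    {
        // Credentials come from configuration or a prompt, never from source.
        string user = Environment.GetEnvironmentVariable("LDAP_USER");      // e.g. svc-ldap@corp.example
        string pass = Environment.GetEnvironmentVariable("LDAP_PASSWORD");

        // Serverless: the DC locator picks a DC for the machine's own domain.
        // To target a specific domain, put its DNS name in front of rootDSE.
        string[] paths = { "LDAP://rootDSE", "LDAP://corp.example/rootDSE" };

        foreach (string path in paths)
        {
            try
            {
                string nc = ReadDefaultNamingContext(path, user, pass);
                Console.WriteLine("{0} -> defaultNamingContext = {1}", path, nc);

                // With the naming context known, bind to the domain root object.
                using (var domain = new DirectoryEntry("LDAP://" + nc, user, pass,
                                                       AuthenticationTypes.Secure))
                {
                    domain.RefreshCache(new[] { "distinguishedName" });
                    Console.WriteLine("Bound to {0}", domain.Properties["distinguishedName"].Value);
                }
            }
            catch (DirectoryServicesCOMException ex)
            {
                // ErrorCode 0x8007052E is ERROR_LOGON_FAILURE (unknown user name or
                // bad password); ExtendedError carries the LDAP-side detail, which
                // is the value the poster saw in the VS Locals window.
                Console.WriteLine("{0}: {1} (0x{2:X8}, extended {3})",
                                  path, ex.Message, ex.ErrorCode, ex.ExtendedError);
            }
            catch (COMException ex)
            {
                Console.WriteLine("{0}: {1} (0x{2:X8})", path, ex.Message, ex.ErrorCode);
            }
        }
    }
}
```

Keeping AuthenticationTypes.Secure (the default for DirectoryEntry) is the right choice even though it rules out DN-style user names: a simple bind with AuthenticationTypes.None sends the password in clear text unless the connection is also wrapped with SecureSocketsLayer. The explicit RefreshCache call is there because a DirectoryEntry that is never touched never binds, so a bad password would otherwise go unnoticed until much later in the code.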
lapucca (Author) commented:
Using "YourDomain\YouAdminAccountName" gives the same previous error of
-            base      {"Logon failure: unknown user name or bad password.\r\n"}      System.Runtime.InteropServices.ExternalException {System.Runtime.InteropServices.COMException}

Reversing the order to "YouAdminAccountName@yourdomain" gets me the same logon failure for "YouAdminAccountName@yourdomain" as listed above.

How can I test if this service account has permission to bind to AD?  Since I can see the AD snap-in and am able to use ADSIEdit, maybe I will try my credentials next?
lapucca (Author) commented:
"YouAdminAccountName@yourdomain" works! The problem is with the service account's permission level, I think.  Once I used my Windows credentials, it allowed me to bind to the root.  Thank you so much for your patience in helping me.  I actually need help binding to a Security Group.  The code I have is not working.  I'm creating a new question for it, hoping you can help again.