
I am using DirectorySearcher to look up user accounts based on email addresses:

using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

// Serverless path: there is no host between "LDAP://" and the base DN,
// so the domain controller is picked from the calling thread's security context.
public static List<string> FindAccountsByEmail(string companyOfficeLocation, string companyDomain, string email)
{
    using (var searcher = new DirectorySearcher
    {
        SearchRoot = new DirectoryEntry($"LDAP://DC={companyOfficeLocation},DC={companyDomain},DC=com"),
        SearchScope = SearchScope.Subtree,
        Filter = $"(mail={email})",   // note: email is interpolated into the filter unescaped
        PropertiesToLoad = { "sAMAccountName" },
        ReferralChasing = ReferralChasingOption.All,
    })
    {
        return searcher.FindAll().Cast<SearchResult>()
            .Select(r => (string)r.Properties["sAMAccountName"][0])
            .ToList();
    }
}

This code intermittently fails with System.DirectoryServices.DirectoryServicesCOMException with the error message "A referral was returned from the server."

These errors are not consistent across machines (e.g. on different web servers the same query might fail or succeed in the same timeframe). There is some indication that Active Directory server reboots or web server reboots may trigger the errors.

I'm wondering: what are the possible causes of referral errors? Why am I seeing referral errors despite setting the ReferralChasing property to All?

EDIT:

A bit more information captured from the ExtendedErrorMessage property of the DirectoryServicesCOMException:

0000202B: RefErr: DSID-031007F3, data 0, 1 access points ref 1: 'arlington.predictivetechnologies.com'

ChaseMedallion
  • Please specify the exact LDAP path you pass in DirectoryEntry constructor – oldovets Apr 19 '17 at 10:11
  • @oldovets I've put in a more complete LDAP path showing the full structure. I've omitted the actual domain part values for the specific organization. – ChaseMedallion Apr 19 '17 at 12:36
  • Take a look at http://stackoverflow.com/questions/6954170/a-referral-was-returned-from-the-server-exception-when-accessing-ad-from-c-sha – oldovets Apr 19 '17 at 20:04
  • @oldovets thanks for pointing out that post. After reading, it seems like there are many things which could cause this; was there one answer in particular that stood out to you as being relevant to my instance? – ChaseMedallion Apr 24 '17 at 20:46
  • I would recommend to replace your LDAP query with LDAP://{domainordomaincontrollerfqdn}/DC={company},DC={domain} and remove referral chasing option as suggested in the accepted answer – oldovets Apr 25 '17 at 03:05
  • @oldovets can you explain what difference adding the FQDN path segment makes? – ChaseMedallion Apr 25 '17 at 15:41
  • In case of serverless binding "a default domain controller from the domain that the security context of the calling thread is in will be used". I.e. it depends on the user that runs the process/thread. I faced issues with serverless binding while using thread impersonation, when my program was trying to connect not to the domain that was specified in the LDAP string (using serverless binding). It's better to specify the domain or even the domain controller and not to rely on the user that runs the current process. – oldovets Apr 25 '17 at 20:27

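The comment thread's advice, put into code as an added example (this is not code from the question or from oldovets): the LDAP path names a domain controller or domain explicitly instead of relying on serverless binding, ReferralChasing is dropped, the email is escaped before it is interpolated into the filter, and the referral error is caught by its HRESULT so the referred server reported in ExtendedErrorMessage is surfaced rather than lost. The server name, base DN and email used in the usage comment are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Text;

// Added example, not from the original question.
public static class AccountLookup
{
    // HRESULT_FROM_WIN32(8235): ERROR_DS_REFERRAL, the code behind
    // "A referral was returned from the server." (0x202B also appears
    // at the start of the ExtendedErrorMessage quoted in the question).
    private const int ErrorDsReferral = unchecked((int)0x8007202B);

    // Escape a value before placing it in an LDAP filter (RFC 4515), so a
    // crafted address such as "*)(objectClass=*" cannot widen the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // server: a DC or domain FQDN, e.g. "dc01.corp.example.com" (assumed name).
    // searchBase: the base DN, e.g. "DC=corp,DC=example,DC=com" (assumed name).
    public static IList<string> FindAccountsByEmail(string server, string searchBase, string email)
    {
        // Explicit binding: LDAP://<server>/<base DN>. A serverless path
        // (LDAP://<base DN>) lets ADSI pick a DC from the calling thread's
        // security context, which is why results differ per machine and
        // per impersonated user.
        string path = $"LDAP://{server}/{searchBase}";

        try
        {
            using (var root = new DirectoryEntry(path))
            using (var searcher = new DirectorySearcher(root)
            {
                SearchScope = SearchScope.Subtree,
                Filter = $"(mail={EscapeFilterValue(email)})",
                PropertiesToLoad = { "sAMAccountName" },
                // No ReferralChasing: when the bound DC serves the domain
                // that owns the base DN, the objects are local and the
                // server has no reason to hand back a referral.
            })
            using (SearchResultCollection results = searcher.FindAll())
            {
                // The search executes during enumeration, so the exception
                // handling below must wrap this loop, not just FindAll().
                return results.Cast<SearchResult>()
                    .Where(r => r.Properties["sAMAccountName"].Count > 0)
                    .Select(r => (string)r.Properties["sAMAccountName"][0])
                    .ToList();
            }
        }
        catch (DirectoryServicesCOMException ex) when (ex.ErrorCode == ErrorDsReferral)
        {
            // ExtendedErrorMessage names the server that actually owns the
            // object ("... ref 1: '<fqdn>'"). Fail loudly with it so the
            // operator can fix the bind target instead of getting an
            // empty result that looks like "no such user".
            throw new InvalidOperationException(
                $"Referral returned while searching {path}; bind to the referred server instead. {ex.ExtendedErrorMessage}",
                ex);
        }
    }

    // Usage (assumed names):
    // var accounts = AccountLookup.FindAccountsByEmail(
    //     "dc01.corp.example.com", "DC=corp,DC=example,DC=com", "someone@example.com");
}
```

Two checks worth running before trusting the fix: call the method once under the web server's application pool identity and once under an impersonated user, and confirm both hit the DC you named rather than one chosen for them; and pass an email containing `*` or `)` to confirm the escaped filter returns nothing rather than every user with a mail attribute.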
0 Answers