
I'm experiencing a very weird issue using the DirectorySearcher class when trying to query groups over LDAP.

using System.DirectoryServices;

using (var directoryEntry = new DirectoryEntry(thePath, theUserName, thePassword))
{
    var ONLY_GROUPS = "(objectClass=group)";
    // Filter: group objects whose Name contains the search term
    var filter = string.Format("(&{0}({1}=*{2}*))", ONLY_GROUPS, "Name", "theGroupName");
    using (var searcher = new DirectorySearcher(directoryEntry, filter))
    {
        // ...
        searcher.FindAll();
        // ...
    }
}

In some cases in our production code, when calling the FindAll function, some customers are getting a COMException "server is not operational", which means that the machine trying to connect to the LDAP server has no connection to it.

But as part of our code flow we call a different query on the same LDAP server for retrieving domain controllers, which always works. When calling the LDAP query for retrieving groups we get the COMException.

Other notes:

We have C++ code that runs the groups query over the same LDAP server, which works.

In addition I've created an executable that runs the same production code and it works for the failing customers (so I guess we've excluded the option that this is a connectivity issue).

I am running out of ideas as to what can cause this issue.

Amit Barkai
  • You can use [Process Explorer](https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer) to see the network request that your program is trying to make (IP and port). That might tell you more about what it's trying to do and why it's failing. – Gabriel Luci May 26 '20 at 16:21
  • Is `thePath` pointing to LDAPS (port 636)? – Gabriel Luci May 26 '20 at 16:55
  • Another piece of progress that we have, not sure if it is related: the response getting the groups from a problematic customer returns 2.5 MB (doesn't seem like much), and the issue happens on LDAPS. Still, as I said, the get groups works in an external code – Amit Barkai May 27 '20 at 14:02
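As an added example (not code from the question or the comments), here is the same group search with the group-name fragment escaped per RFC 4515 before it is placed into the filter, so a value containing `(`, `)`, `*` or `\` cannot change the query's structure. `path`, `user`, `password` and the fragment are placeholders for the caller's values; the paging and PropertiesToLoad settings are additions the question does not use.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original question.
static class GroupFilter
{
    // Escapes the characters RFC 4515 reserves inside an assertion value.
    // The backslash is handled in the same pass, so escaped output is never re-escaped.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Same shape as the question's filter: groups whose name contains the fragment.
    // Only the wildcards added here are interpreted; wildcards in the fragment are literal.
    public static string BuildGroupFilter(string groupNameFragment)
    {
        const string OnlyGroups = "(objectClass=group)";
        return string.Format("(&{0}(name=*{1}*))", OnlyGroups, EscapeFilterValue(groupNameFragment));
    }

    // Runs the search; path, user and password are placeholders for the caller's values.
    public static int CountMatchingGroups(string path, string user, string password, string fragment)
    {
        using (var entry = new DirectoryEntry(path, user, password))
        using (var searcher = new DirectorySearcher(entry, BuildGroupFilter(fragment)))
        {
            searcher.PropertiesToLoad.Add("name"); // return only what is needed, keeps the response small
            searcher.PageSize = 500;               // paged results stay under the server's page-size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                return results.Count;
            }
        }
    }
}
```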

4 Answers


Since you're using LDAPS, it's likely a problem with the SSL certificate. If the cert is not trusted on the computer that is initiating the connection, the exception you get is exactly the same as if the server could not be contacted at all.

On a problem computer, download the certificate from the server using this PowerShell script:

# Force a TLS handshake against the LDAPS port; the response itself is irrelevant
$webRequest = [Net.WebRequest]::Create("https://example.com:636")
try { $webRequest.GetResponse() } catch {}
# The certificate presented by the server is kept on the ServicePoint
$cert = $webRequest.ServicePoint.Certificate
# Export the leaf certificate in DER form and write it to disk
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
Set-Content -Value $bytes -Encoding Byte -Path "certificate.cer"

Replace example.com in the first line with your domain name. Leave the https:// and the :636 (unless you're running LDAPS from a non-standard port).

After running that script, there will be a certificate.cer file in the current directory. Open it to view it. You will see a warning if the certificate is not trusted. If it's not, then the root certificate needs to be added to the Trusted Root Certificates on the current computer.

Gabriel Luci
  • Although it might seem it is related to the LDAP certificate, it is not, as I said: there is a console application that runs the same code which works. In addition we could see with Wireshark that the data is returned to the server but it is blocked later on, which raises another possible issue: can IIS block responses of a defined size? Can it be related in some way to a Web API? – Amit Barkai May 31 '20 at 05:51
  • Have you checked the certificate anyway? The cert needs to be trusted, and you have to be accessing the domain with the same domain name used in the cert (if the cert has the name of a domain controller, you have to use the full name of the domain controller in the LDAP path). – Gabriel Luci May 31 '20 at 12:05
  • Other code could possibly be ignoring cert issues in different ways. Can you show some of the code that works? – Gabriel Luci May 31 '20 at 12:09
  • The same code as mentioned in my post. I don't believe this is a certificate issue, since, as I've mentioned, there is another LDAP query that works, for getting the domain controllers. – Amit Barkai May 31 '20 at 14:44
  • Is `thePath` exactly the same in the one that works and the one that doesn't? Also, what is the code you're using to find domain controllers? – Gabriel Luci May 31 '20 at 18:03
  • First I would like to thank you for the help. There is nothing special when getting the domain controllers, same code; the filter is different. – Amit Barkai Jun 01 '20 at 14:39
  • Can you add that code to your question, including the values you are using for `thePath`? (You can replace your domain name with "example.com".) There must be something different. – Gabriel Luci Jun 01 '20 at 14:50
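An added diagnostic, not part of the answer above, that separates a certificate-trust failure from a genuine connectivity failure (ADSI reports both as "server is not operational"): it opens an LDAPS session with System.DirectoryServices.Protocols, builds the server certificate's chain inside the VerifyServerCertificate callback, prints the chain status, and still rejects an untrusted chain. The host name, port and bind credential are placeholders to be replaced with the caller's values.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not from the original answer. Host, port and credential are placeholders.
static class LdapsProbe
{
    // Returns true only if the TLS handshake completed and this machine trusts the chain.
    public static bool CheckServerCertificate(string host, int port, NetworkCredential cred)
    {
        bool trusted = false;
        // fullyQualifiedDnsHostName = true, connectionless = false
        var id = new LdapDirectoryIdentifier(host, port, true, false);
        using (var conn = new LdapConnection(id, cred, AuthType.Basic)) // Basic bind is protected by TLS here
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.VerifyServerCertificate = (connection, cert) =>
            {
                using (var chain = new X509Chain())
                {
                    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                    var x509 = new X509Certificate2(cert);
                    trusted = chain.Build(x509);
                    Console.WriteLine($"Subject: {x509.Subject}");
                    Console.WriteLine($"Issuer:  {x509.Issuer}");
                    Console.WriteLine($"Expires: {x509.NotAfter:u}");
                    foreach (X509ChainStatus s in chain.ChainStatus)
                        Console.WriteLine($"  chain status: {s.Status} - {s.StatusInformation.Trim()}");
                    // Do not accept an untrusted certificate; the point is to see why it fails.
                    return trusted;
                }
            };
            try
            {
                conn.Bind();
                Console.WriteLine("Bind succeeded over LDAPS.");
            }
            catch (LdapException ex)
            {
                // With an untrusted chain this is typically "The LDAP server is unavailable".
                Console.WriteLine($"LdapException {ex.ErrorCode}: {ex.Message}");
            }
        }
        return trusted;
    }
}
```

Run it once from the console and once from inside the web application: the ASP.NET worker process runs under a different account and may see a different trust store, which matches the symptom that only the IIS-hosted code fails.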

Here is the code for getting LDAP groups:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://thedomain.com:636/dc=thedomain,dc=com", directory.LdapBindUser, directory.LdapBindPassword))
{
    // All group objects in the domain
    string filter = "(&(objectClass=group))";
    using (DirectorySearcher searcher = new DirectorySearcher(entry, filter))
    {
        searcher.FindAll();
    }
}

Here is the code for getting LDAP domain controllers:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://thedomain.com:636/dc=thedomain,dc=com", directory.LdapBindUser, directory.LdapBindPassword))
{
    // Computers whose primary group is Domain Controllers (516) or Read-only Domain Controllers (521)
    string filter = "(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))";
    using (DirectorySearcher searcher = new DirectorySearcher(entry, filter))
    {
        searcher.FindAll();
    }
}

Amit Barkai
  • A clarification: the code for getting groups throws COMException "server is not operational" via the web application, and the same code works in a console application. – Amit Barkai Jun 02 '20 at 07:12
  • Another important point: the COMException is not "Server is not operational" but a timeout, which raises the question: what could be done on the IIS level or in the web.config that might cause timeout issues? – Amit Barkai Jun 02 '20 at 12:03

I would like to add another important update about this issue. It seems that the first attempt to run the LDAP query works!

Meaning: after iisreset, the LDAP group query works, but if I then wait for 120 seconds things stop working and the LDAP query is stuck/hangs on the Bind stage. After another iisreset the LDAP group query is working again; wait for 120 seconds, same result.

Amit Barkai

I now have another step in understanding my issue.

After calling the code mentioned above, I could see after running netstat on the LDAP machine

netstat -nat | findstr my_ip_address | findstr :389

that the connection stays ESTABLISHED even when the using section is done:

TCP ldap_ip_address:389 my_ip_address:24730 ESTABLISHED InHost

I could see there is another parameter, the authentication type, which is Secure by default. When using my code this way the connection is disposed after the using section:


using (var directoryEntry = new DirectoryEntry(
    directoryPath,
    ConfigurationManager.AppSettings["ldapUsername"],
    ConfigurationManager.AppSettings["ldapPassword"],
    AuthenticationTypes.Anonymous))
{

}
Amit Barkai