23
using System;
using System.DirectoryServices;

DirectoryEntry oDE = new DirectoryEntry("LDAP://DC=Test1,DC=Test2,DC=gov,DC=lk");

using (DirectorySearcher ds = new DirectorySearcher(oDE))
{
    ds.PropertiesToLoad.Add("name");
    ds.PropertiesToLoad.Add("userPrincipalName");

    ds.Filter = "(&(objectClass=user))";

    SearchResultCollection results = ds.FindAll();

    foreach (SearchResult result in results)
    {
        Console.WriteLine("{0} - {1}",
            result.Properties["name"][0].ToString(),
            result.Properties["userPrincipalName"][0].ToString());
    }
}

On the SearchResultCollection results = ds.FindAll(); line I get an exception:

A referral was returned from the server

Why do I get that exception and what does it mean?

cuongle
vml19

9 Answers

21

Probably the path you supplied was not correct. Check that.

I would recommend the article Howto: (Almost) Everything In Active Directory via C#, which really helped me in the past in dealing with AD.

Community
Fred
12

A referral is sent by an AD server when it doesn't have the requested information itself, but knows that another server has it. It usually appears in a trust environment where a DC can refer to a DC in a trusted domain.

In your case you are only specifying a domain, relying on automatic lookup of what domain controller to use. I think that you should try to find out what domain controller is used for the query and look if that one really holds the requested information.

If you provide more information on your AD setup, including any trusts/subdomains, global catalogues and the DNS resource records for the domain controllers it will be easier to help you.

Anders Abel
  • Do you mean that I need to use an account credential which has access to the AD when creating the DirectoryEntry? Someone suggested that I need to use an account which is authorized to access AD. Is that so? – vml19 Aug 08 '11 at 02:21
  • I am trying to access an external party's AD and I do not know their server configuration in detail. If you suggest which particular details are needed, then I can request them, saying that I need these details to access your AD and query for a particular user's existence. We have been given full rights to access their AD; I couldn't, just because of my lack of technical knowledge of AD. – vml19 Aug 08 '11 at 02:40
6

This is the answer to the question. The reason for the problem was that my LDAP string was wrong.

    // Usings and the method signature were not in the original snippet; "username"
    // is the account being looked up, and ExLog/EscapeFilterValue are defined below.
    using System;
    using System.Configuration;
    using System.DirectoryServices;
    using System.Text;

    static bool UserExists(string username)
    {
        try
        {
            string adServer = ConfigurationManager.AppSettings["Server"];
            string adDomain = ConfigurationManager.AppSettings["Domain"];
            string adUsername = ConfigurationManager.AppSettings["AdiminUsername"];
            string password = ConfigurationManager.AppSettings["Password"];

            // "corp.example.com" -> "DC=corp,DC=example,DC=com"
            // (the original loop compared each label to the last one, which breaks
            // when a label is repeated, e.g. "corp.example.corp")
            string dcAdDomain = "DC=" + string.Join(",DC=", adDomain.Split('.'));

            // Name the server explicitly and bind with credentials instead of relying on the locator
            DirectoryEntry de = new DirectoryEntry("LDAP://" + adServer + "/CN=Users," + dcAdDomain, adUsername, password);

            DirectorySearcher ds = new DirectorySearcher(de);
            ds.SearchScope = SearchScope.Subtree;

            // Escape the looked-up name so it cannot change the meaning of the filter (RFC 4515)
            ds.Filter = "(&(objectClass=User)(sAMAccountName=" + EscapeFilterValue(username) + "))";

            if (ds.FindOne() != null)
                return true;
        }
        catch (Exception ex)
        {
            ExLog(ex);
        }
        return false;
    }

    static void ExLog(Exception ex)
    {
        Console.Error.WriteLine(ex);
    }

    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
vml19
  • -1 because there is no indication as to what solved the problem. – Rossini May 21 '12 at 14:19
  • LDAP strings can be less than intuitive. In our case, we had one like LDAP://DC=primary,DC=secondary,DC=com which worked in most cases. But when trying to connect to its sub-domain with full trust, the string had to change to: LDAP://MyDomainController1.primary.secondary.com – Lizz Oct 17 '12 at 18:57
  • is "username" on the ds.Filter line actually "adUsername"? – Joe Johnston Sep 10 '13 at 17:39
  • DirectorySearcher ds = new DirectorySearcher("DOMAIN_NAME") - In some cases this is enough. For ex: ds.FindOne(); – hB0 Aug 12 '14 at 08:05
  • -1 for setting a super bad example for secure coding; 1) using string instead of SecureString to hold the password, and 2) for using the Configuration Manager for storing a password. – Phil Nicholas Jun 28 '21 at 19:03
3

You may also need to enable ReferralChasing on the DirectorySearcher - http://msdn.microsoft.com/en-us/library/ms180884(VS.80).aspx.

Brian Desmond
  • Do you have any idea on *why* a referral is returned? I thought that when not specifying a DC, it would automatically bind to one that has the information. – Anders Abel Aug 07 '11 at 16:56
  • @Brian - I'm still getting the same exception even if I use your suggestion. – vml19 Aug 08 '11 at 02:17
  • I do not know why a referral was returned. – vml19 Aug 08 '11 at 02:33
  • Current link: https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directorysearcher.referralchasing?view=netframework-4.7.2#System_DirectoryServices_DirectorySearcher_ReferralChasing – Raidri Apr 04 '19 at 13:36
  • Referrals split the query into separate smaller parts by returning each child OU separately and can share the load between servers. Not all clients or intervening load balancers etc. can cope. LDAP requests can disable referrals so the whole query result returns in one transaction. A client app would need some way of specifying this. – jim birch Aug 03 '20 at 03:43
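As an added example, not code from the answer above or from Microsoft's documentation: a searcher that turns on referral chasing and, if the server still answers with a referral it cannot follow, logs the LDAP extended error text, which normally names the naming context or server the referral points at. The server name, search base and credentials are placeholders.

```csharp
using System;
using System.DirectoryServices;

static class ReferralDemo
{
    // Counts user objects under baseDn on the named server, following referrals.
    public static int CountUsers(string server, string baseDn, string user, string password)
    {
        // Bind to a named server rather than "LDAP://DC=..." so the locator cannot
        // pick a DC that does not hold this naming context.
        using (DirectoryEntry root = new DirectoryEntry(
                   "LDAP://" + server + "/" + baseDn, user, password, AuthenticationTypes.Secure))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=person)(objectClass=user))";
            ds.SearchScope = SearchScope.Subtree;
            ds.PropertiesToLoad.Add("sAMAccountName");

            // Default is ReferralChasingOption.External; All also follows referrals
            // to subordinate naming contexts inside the same forest.
            ds.ReferralChasing = ReferralChasingOption.All;

            try
            {
                // SearchResultCollection wraps an unmanaged handle and must be disposed.
                using (SearchResultCollection results = ds.FindAll())
                {
                    return results.Count;
                }
            }
            catch (DirectoryServicesCOMException ex)
            {
                // ExtendedErrorMessage is the server's diagnostic string; for a referral
                // it tells you which context the server thinks lives elsewhere.
                Console.Error.WriteLine("LDAP error 0x{0:X8}: {1}", ex.ErrorCode, ex.ExtendedErrorMessage);
                throw;
            }
        }
    }

    static void Main()
    {
        // Placeholder values; replace with a real DC, base DN and service account.
        int n = CountUsers("dc01.corp.example.com", "DC=corp,DC=example,DC=com",
                           "svc-ldap@corp.example.com", "<password from a secret store>");
        Console.WriteLine("{0} user objects", n);
    }
}
```

If the exception persists with chasing enabled, the extended message is the quickest way to tell whether the bind target simply does not host the naming context in the path (the situation several answers on this page describe) rather than a chasing problem.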
2

Had the same issue and managed to resolve it.

In my case, I had an AD group in the current logon domain with members (users) from a sub domain. The server that I was running the code on could not access the domain controller of the sub domain (the server had never needed to access the sub domain before).

I struggled for a while as my desktop PC could access the domain so everything looked OK in the MMC plugin (Active Directory Users & Computers).

Hope that helps someone else.

Will
2

I know this might sound silly, but I recently came across this myself: make sure the domain controller is not read-only.

Rhodesie
1

In my case I was seeing referrals when I was accessing AD via SSO with an account in a trusted domain. The problem went away when I connected with explicit credentials in the local domain.

i.e. I replaced

DirectoryEntry de = new DirectoryEntry("blah.com");

with

DirectoryEntry de = new DirectoryEntry("blah.com", "someguy@blah.com", "supersecret");

and the problem went away.

Mike Smith
0

The "A referral was returned from the server" error usually means that the IP address is not hosted by the domain that is provided in the connection string. For more detail, see this link:

Referral was returned AD Provider

To illustrate the problem, we define two IP addresses hosted on different domains:

IP Address     DC Name         Notes
172.1.1.10     ozkary.com      Production domain
172.1.30.50    ozkaryDev.com   Development domain

If we defined a LDAP connection string with this format:

LDAP://172.1.1.10:389/OU=USERS,DC=OZKARYDEV,DC=COM

This will generate the error because the IP is actually on the OZKARY DC, not the OZKARYDEV DC. To correct the problem, we would need to use the IP address that is associated with the domain.

ozkary
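An added example (not code from ozkary's answer, Anders Abel's answer, or any library) that covers two checks those answers call for: which domain controller the locator would pick for a plain "LDAP://DC=..." path, and whether the server you are about to bind to actually hosts the naming context named in the path, read from its RootDSE. The domain and server values are placeholders; the RootDSE bind uses the caller's default credentials.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

static class BindCheck
{
    // "corp.example.com" -> "DC=corp,DC=example,DC=com"
    public static string DnFromDns(string dnsName)
    {
        return "DC=" + string.Join(",DC=", dnsName.Split('.'));
    }

    // The DC the locator selects for this domain; this is what a path without a
    // server name silently relies on.
    public static string LocateDomainController(string dnsName)
    {
        DirectoryContext ctx = new DirectoryContext(DirectoryContextType.Domain, dnsName);
        using (Domain domain = Domain.GetDomain(ctx))
        using (DomainController dc = domain.FindDomainController())
        {
            return dc.Name;
        }
    }

    // True when the server's RootDSE lists expectedDn as its default naming context
    // or among the naming contexts it holds. If false, a search there is answered
    // with a referral instead of data.
    public static bool ServerHostsDomain(string server, string expectedDn)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://" + server + "/RootDSE"))
        {
            string defaultNc = (string)rootDse.Properties["defaultNamingContext"].Value;
            if (string.Equals(defaultNc, expectedDn, StringComparison.OrdinalIgnoreCase))
                return true;

            foreach (object nc in rootDse.Properties["namingContexts"])
            {
                if (string.Equals((string)nc, expectedDn, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
    }

    static void Main()
    {
        string dns = "ozkarydev.com";   // placeholder domain from the answer above
        string server = "172.1.30.50";  // placeholder address from the answer above
        string dn = DnFromDns(dns);

        Console.WriteLine("Locator would choose: " + LocateDomainController(dns));

        if (!ServerHostsDomain(server, dn))
        {
            Console.WriteLine(server + " does not host " + dn + "; searching there returns a referral.");
            return;
        }

        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + server + "/" + dn))
        using (DirectorySearcher ds = new DirectorySearcher(root, "(objectClass=user)", new[] { "sAMAccountName" }))
        using (SearchResultCollection results = ds.FindAll())
        {
            Console.WriteLine(results.Count + " user objects under " + dn);
        }
    }
}
```

Running ServerHostsDomain against the first address in the table with the OZKARYDEV DN reproduces the mismatch described above before any search is issued, which is cheaper to diagnose than catching the referral exception afterwards.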
0

I had the same problem and it was a silly mistake of misspelling one of the DC strings.