
I'm writing an API to check if an OU exists in Active Directory or not. To perform this check, in C#, I run:

string ouName = "MyOrg";
bool ouExists = DirectoryEntry.Exists ($"LDAP://OU={ouName},DC=test,DC=local");

When I create a new CLI project and run these lines, they work fine (the app is running on the DC itself). But when called by a Controller in a WebAPI project, they throw a runtime COMException (80004005), with the details being "Unspecified error".

I figure this has to do with how Kestrel runs the code. It should authenticate automatically as the current logged-on user (i.e. I can't use the optional username and password parameters).

How do I do that? And is this the right way to go about it?

Exception details:

System.Runtime.InteropServices.COMException (0x80004005): Unspecified error
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Exists(String path)
   at OUCheck.Helpers.ActiveDirectoryHelper.OUExists(String ouDN) in /Projects/OUCheck/Helpers/ActiveDirectoryHelper.cs:line 14
Vedaant Arya
  • Is dotnet.exe running under domain credentials? – Gabriel Luci Jun 29 '22 at 15:23
  • I'm not sure. How do I verify if it is? Also, running the CLI with dotnet works but the WebAPI doesn't, if that's relevant; the WebAPI only crashes on requesting the endpoint that calls Exists() – Vedaant Arya Jun 29 '22 at 15:27
  • How do you start/stop the WebAPI? – Gabriel Luci Jun 29 '22 at 16:02
  • I run `dotnet run`, same for the CLI. I also tried publishing with `-r win10-x64` and as a DLL and running with `dotnet OUCheck.dll`, same problem – Vedaant Arya Jun 29 '22 at 16:35
  • @GabrielLuci Thanks, you've pointed me in the right direction. I added the same line to Program.cs in fresh WebAPI and CLI projects, and the WebAPI project crashes on running but the CLI doesn't – Vedaant Arya Jun 29 '22 at 17:17

1 Answer

The format of the paths for the DirectoryEntry is wrong. I can't find a supporting document, but the following is the difference:

I was making the queries like this: LDAP://{DN}

LDAP://OU=MyOrg,DC=test,DC=local

While it seems the correct way to do it is: LDAP://{domain}/{DN}

LDAP://test.local/OU=MyOrg,DC=test,DC=local

CLI apps work even with the former, perhaps assuming things about the domain.

The following transcript helped me realize, also thanks to Gabriel for some direction! https://chat.stackoverflow.com/transcript/12432/2012/6/12

Also might be useful: Get all users from Active Directory?

Vedaant Arya
  • The format `LDAP://{DN}` is correct, but it works only if the computer you're running from knows how to access the domain. In your case, I guess it doesn't for some reason (probably something to do with the credentials it's running under). So in those cases, providing the server to connect to in the LDAP string gives it the information it needs. – Gabriel Luci Jun 30 '22 at 15:28
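Putting the answer and Gabriel Luci's comment together, here is an added example (not code from the question or the answer) of a helper that builds the server-qualified `LDAP://{server}/{DN}` path, escapes the OU name before interpolating it into the DN so an API caller cannot alter the DN being queried, and turns the 0x80004005 bind failure into a distinct error instead of a false "OU does not exist". The server `test.local` and base DN `DC=test,DC=local` come from the thread; `EscapeDnValue`, `OuPath` and `OuExists` are names chosen for this example.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class ActiveDirectoryHelper
{
    // Escape the characters RFC 4514 treats specially inside a DN attribute value
    // (and a leading '#'/space or trailing space), so a name such as
    // "MyOrg,DC=other" stays a single OU name rather than rewriting the DN.
    public static string EscapeDnValue(string value)
    {
        if (value is null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length + 8);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool leading = i == 0 && (c == ' ' || c == '#');
            bool trailing = i == value.Length - 1 && c == ' ';
            if (leading || trailing || ",+\"\\<>;=".IndexOf(c) >= 0)
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // The server-qualified form from the answer: LDAP://{server}/{DN}.
    // OuPath("test.local", "MyOrg", "DC=test,DC=local")
    //   -> "LDAP://test.local/OU=MyOrg,DC=test,DC=local"
    public static string OuPath(string server, string ouName, string baseDn) =>
        $"LDAP://{server}/OU={EscapeDnValue(ouName)},{baseDn}";

    // DirectoryEntry.Exists returns false for a missing object but throws when the
    // bind itself fails (the stack trace in the question shows Exists -> Bind).
    // Surface that case separately so "no OU" and "could not bind" are not confused.
    public static bool OuExists(string server, string ouName, string baseDn)
    {
        string path = OuPath(server, ouName, baseDn);
        try
        {
            return DirectoryEntry.Exists(path);
        }
        catch (COMException ex) when (ex.ErrorCode == unchecked((int)0x80004005))
        {
            throw new InvalidOperationException(
                $"Bind to '{path}' failed (0x80004005); check the account the web host runs under.", ex);
        }
    }
}
```

`OuExists("test.local", "MyOrg", "DC=test,DC=local")` performs the check with the path shown in the answer; on Windows .NET Core/.NET 5+ this needs the System.DirectoryServices package.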