DirectorySearcher returns 0 results - on hosted IIS.

  • Question

  • User1015551006 posted

    I have a question about using System.DirectoryServices in ASP.NET.

    I currently have a website that completely works, until I publish the site to the host IIS server.

    I do not get any errors on the Server but whenever I perform a DirectorySearcher it is not returning any results.

    The code is within its own project and referenced by the website, DLLs are present, etc.  Again it works locally but not on the Server.

    However, as a test: I copied and pasted the code from the project to the code-behind on the main page and that worked.  It just did not work when it was encapsulated in its own project.

    I tried signing the DLLs and that did not help.  Has anyone come across this or know of a solution?

    Friday, October 18, 2013 1:46 PM

Answers

  • User1015551006 posted

    Okay, finally back to work and been checking the issues out with this and the issue had to deal with permissions on the account because the website was on a different domain than the active directory.  So, the account wasn't trusted across the domain.  Elevated the permissions and allowed the app pool to run with the elevated permissions and now it is working fine.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 28, 2013 1:43 PM

All replies

  • User1508394307 posted

    If you set authentication in the web.config and do not change it in the code you should get the same result. If you have access to the DLL source then maybe you can try to output the current identity to see if it differs.

    Friday, October 18, 2013 3:37 PM
  • User1015551006 posted

    It is set to use Windows authentication for access to Active Directory.

    I have put trace statements in the code and there is no difference (other than being called from a DLL doesn't work).

    Friday, October 18, 2013 3:53 PM
  • User1508394307 posted

    The only idea I have is to check if anonymous authentication was switched off in IIS. 

    Friday, October 18, 2013 4:07 PM
  • User753101303 posted

    Hi,

    Could it be that you are really not supposed to find what you searched for?

    My first move would be to have a page that either does a broader search or that enumerates all the item classes you are searching for. The basic idea is to make sure that in both cases you do search through the same collection (for example something like your code doing the search on another domain or whatever could lead to not finding what you think you should find).

    Also, just in case, make sure your code doesn't hide any exception (never use an empty catch clause).

    Friday, October 18, 2013 4:51 PM
  • User1015551006 posted

    Anonymous authentication is off and must be off for security purposes.

    It is using the credentials of the person logged into the application to query active directory.

    Again, this works locally and it works on the server IF it is not in its own DLL (which would be ideal for reuse).

    Sunday, October 20, 2013 10:49 AM
  • User1015551006 posted

    I hope I can find what I am searching for.  In this case I am looking for the permissions of my own account. 

    I am not changing the query that I use, nor the Active Directory that I am searching against.

    It works locally and on the server if it is in code on the site.  It only fails when it is in its own DLL (ideal for reuse) on the server (its own DLL locally works).

    It's why I think I am missing something with IIS or with the trust of the DLL itself.

    Sunday, October 20, 2013 10:52 AM
  • User753101303 posted

    So for now it doesn't fail?

    You said you are looking for the "permissions" of your own account but at this step your best bet is likely to show how you are actually doing that. For example a difference between your dev box and a "true" server is that the account under which the page runs is not the same, so if you actually use the "current account" rather than your "own account", it could explain why you don't see the same thing.

    How do you get your "own account"? Have you checked this is really the same account? Please show the code you are using to search.

    Sunday, October 20, 2013 11:36 AM
  • User1015551006 posted

    Unfortunately the code is on a closed network, I'll have to retype it out and post it to show you.

    We use Integrated Windows Authentication.  It doesn't matter what website I log onto it sees my network login and the Active Directory code looks to see what groups I am a member of and those groups determine what permissions/access I have within the website. 

    The code is used in multiple sites and so far it is just copied and pasted into the other sites where needed.  I was just hoping to make it work in a dll for easier reuse.  However, in a dll the same code fails to return results.  The dll works on a local box, but not on the IIS server.  The same code works if I don't put it in a dll on the server.  It only fails in a dll on the server.  There are no errors it just returns 0 results. 

    Sunday, October 20, 2013 4:14 PM
  • User753101303 posted

    If this is what I think, it depends on the web site settings so it may work or not depending on which settings you used...

    Let's see how this is done...

    Sunday, October 20, 2013 4:32 PM
  • User1015551006 posted

    I'll be a bit delayed in getting back to you.  I hurt my back over the weekend and am laid up for the week (it's tearing my mind up leaving an unsolved problem like that).

    Monday, October 21, 2013 12:21 PM
  • User-918306365 posted

    Could you try using Basic Authentication rather than the Windows Authentication and test the results? I would also like to understand the version of IIS being used here.

    Monday, October 21, 2013 12:43 PM
  • User1015551006 posted

    We are using IIS 7 and no, Windows Authentication is required.  I have no choice over that.

    Monday, October 21, 2013 1:08 PM
  • User-918306365 posted

    Yes, Windows Authentication would be required. However, Basic is just for testing purposes. I would want to identify if the behavior changes with Basic.

    Monday, October 21, 2013 1:25 PM
  • User1508394307 posted

    "It is using the credentials of the person logged into the application to query active directory."

    If it means you set impersonation=true, then the identity in the referenced DLL might be different from the one you traced in your own code. I know you said you checked it already, but maybe you can test it one more time and output System.Security.Principal.WindowsIdentity.GetCurrent().Name from the DLL.

    Also, in case impersonation is set to true, do you really need it? If you use the Network Service identity on the IIS AppPool, the application pool will use the machine account of the IIS server when accessing network resources. Usually it is enough to query AD.

    Monday, October 21, 2013 3:29 PM
  • User1015551006 posted

    We cannot change it to Basic authentication, not even for a test. 

    What I did to try and test it (and simplify the whole thing) was put a label on a page to output the display name for the account logged into the website.

    I hard coded the active-directory credentials with my account id/pw and I hardcoded the query to look my account up in the active directory for my display name.

    This works.  No problem.  I create a new windows-library project in the solution and create a static class with a static method that returns a string.  I copy the code from the code-behind into the static method and return the display name. Then I modify the code-behind to call the static method and display the returned string.

    The search method in this new class library does not return any results.  I even tried making it a non static method/class to force it to be instantiated.  It also failed.

    Monday, October 21, 2013 3:52 PM
  • User1508394307 posted

    See, it's difficult to answer without seeing the code... Are you sure that the DLL code works as expected? For instance, if impersonation has failed in the DLL, will you get an exception back or will it be caught by try..catch and you will get a null in this case? Also an output of System.Security.Principal.WindowsIdentity.GetCurrent().Name might really clarify if impersonation was successful and under which account it really goes.

    Monday, October 21, 2013 4:17 PM
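
The check suggested in the replies above (output the identity from inside the DLL, and never hide a search exception), as an added example that is not part of any post in this thread. The class name, method name and the caller-supplied ldapPath and filter are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Hypothetical class-library helper; call it from the page and from the DLL
// and compare the two reports.
public static class AdSearchDiagnostics
{
    // ldapPath and filter come from the caller, for example the constructed
    // values "LDAP://DC=example,DC=test" and "(sAMAccountName=jdoe)".
    public static string Run(string ldapPath, string filter)
    {
        var report = new StringBuilder();

        // Identity this assembly is actually executing as right now.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Effective identity: " + current.Name);
            report.AppendLine("Impersonation level: " + current.ImpersonationLevel);
            report.AppendLine("Authentication type: " + current.AuthenticationType);
        }

        // GetCurrent(true) returns null when the thread is not impersonating,
        // i.e. the search would run as the application pool account.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            report.AppendLine("Thread is impersonating: " + (threadToken != null));
        }

        try
        {
            using (var root = new DirectoryEntry(ldapPath))
            using (var searcher = new DirectorySearcher(root, filter))
            {
                searcher.PropertiesToLoad.Add("displayName");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    report.AppendLine("Search root: " + root.Path);
                    report.AppendLine("Result count: " + results.Count);
                }
            }
        }
        catch (Exception ex)
        {
            // Surface the bind or search failure together with the identity report.
            throw new InvalidOperationException(report.ToString(), ex);
        }
        return report.ToString();
    }
}
```

Write the report to a server-side trace or log rather than to the page, since it names the account the application runs as.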
  • User1015551006 posted

    I understand not seeing the code is difficult.  Unfortunately this past weekend has seen me in the hospital.  When I get out and back to work, I will include code.

    Monday, October 21, 2013 4:19 PM
  • User1015551006 posted

    Okay, finally back to work and been checking the issues out with this and the issue had to deal with permissions on the account because the website was on a different domain than the active directory.  So, the account wasn't trusted across the domain.  Elevated the permissions and allowed the app pool to run with the elevated permissions and now it is working fine.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 28, 2013 1:43 PM