Hi,
I have developed a simple VB.net application to allow a single field to be retrieved and changed for any user within Active Directory. The intention is that using delegated permissions, the application will allow this field to be controlled by basic admin staff, and avoid us having to give those admin staff the whole "Active Directory Users and Computers" application.

When you run the application, it asks you to enter a domain username and password, which it then uses to connect to Active Directory, using the following call:

de = New DirectoryServices.DirectoryEntry("LDAP://DC=testdomain,DC=local", username, Password)

This works perfectly when the username and password supplied are for a domain admin account, but if not, it generates a DirectoryServicesCOMException error, as follows:

"8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1"

I've tried setting permissions and delegated rights onto Active Directory, but nothing seems to make any difference. Can somebody please give me some advice to overcome this issue?

Thanks

Hi There,

Have you tried encapsulating your query in a Try... Catch... to capture the error?

VB
Try
    de = New DirectoryServices.DirectoryEntry("LDAP://DC=testdomain,DC=local", username, Password)
Catch Ex As Exception
    MsgBox("Login Credentials Invalid, Please try again.")
End Try   ' VB.NET closes the block with End Try, not End Catch


From what I can see from your question, this is what you are asking?

Regards
Dave
   
Yes, the code already has a Try, Catch, End block as follows:

Try
    de = New DirectoryEntry("LDAP://DC=dryland,DC=local", txtLogon.Text, txtPassword.Text, DirectoryServices.AuthenticationTypes.Secure)
    ds = New DirectorySearcher(de)
    ' The constructor does not connect; the first property read forces the bind,
    ' and this is the line on which the exception is raised.
    Dim tmpName As String = de.Name
Catch dscomex As DirectoryServices.DirectoryServicesCOMException
    MsgBox(dscomex.Message + vbCrLf + dscomex.ExtendedErrorMessage)
Catch ex As Exception
    MsgBox("Error Occurred - " + ex.Message)
End Try

The problem is that whenever I use a username/password that is NOT a Domain Admin account, the error occurs. The error is thrown when the code executes the line "Dim tmpName As String = de.Name". Within the Try, Catch, End block the DirectoryServicesCOMException error is thrown, and the dscomex.ExtendedErrorMessage is "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1". However, for Domain Admin accounts, everything works fine.

It's really strange because I believe I've ensured the non Domain Admin account I'm using has the right level of permissions to read the Active Directory, but I keep getting this error, and it's not even a simple "permission denied" error, it's a more cryptic LDAP error!

Thanks for your help
   
OK, even more strange. As part of my testing, I added Domain Admin to another account, but it still gives exactly the same error. So, the situation is actually like this:

1. If I log on to the PC as DomainA\UserA, and within the application I log on as DomainB\UserA, the application works
2. If I log on to the PC as DomainA\UserB, and within the application I log on as DomainB\UserB, the application fails
3. If I log on to the PC as DomainA\UserB, and within the application I log on as DomainA\UserA, the application works
4. If I log on to the PC as DomainA\UserA, and within the application I log on as DomainB\UserB, the application fails

So, it doesn't seem to matter which user has logged on to the PC (which makes sense, because I'm specifying the Domain B username when I log into the second domain from within the application). However, the application only works with one logon. I'm sure the issue is related to security permissions, but as DomainB\UserA and DomainB\UserB are both Domain Admins, I can't see any reason for security issues. Help!!

Thanks
   
I've just found something that might help explain this.

The working user, UserA, has an account on DomainA and an account on DomainB, and the passwords on both accounts are the same.

The non-working users either have an account on DomainB but not on DomainA, or they have accounts on both domains but with different passwords on each domain.

Therefore, I think the application only works when the username and password are identical on both domains, although I don't understand why that is necessary. Can anyone explain this?

Thanks
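Added example, not code from the question or any of the replies: a VB.NET helper that pins the bind to a named domain controller of the target domain with a domain-qualified account (so the credentials are checked by that domain rather than by whichever DC the locator resolves for a serverless LDAP://DC=... path, which is one way the "same password on both domains" behaviour above can arise), and decodes the "data" sub-code of an AcceptSecurityContext error for the admin log while the user only sees a generic message. The sub-codes are the documented Win32 logon errors in hex (52e = ERROR_LOGON_FAILURE); the host dc01.domainb.local, the DC=domainb,DC=local path and the DOMAINB\UserB credentials are placeholders.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text.RegularExpressions

Module LdapBindCheck
    ' "data NNN" sub-codes of an AcceptSecurityContext error are Win32 logon errors in hex.
    Private ReadOnly SubCodeMeaning As New Dictionary(Of String, String) From {
        {"525", "user not found"}, {"52e", "invalid credentials (bad user name or password)"},
        {"530", "logon not permitted at this time"}, {"531", "logon not permitted from this workstation"},
        {"532", "password expired"}, {"533", "account disabled"}, {"701", "account expired"},
        {"773", "user must reset password"}, {"775", "account locked out"}}
    ' Pulls the sub-code out of ExtendedErrorMessage and decodes it for the admin log.
    Public Function DecodeLdapError(extendedMessage As String) As String
        Dim m As Match = Regex.Match(extendedMessage, "AcceptSecurityContext error, data ([0-9a-fA-F]+)")
        If Not m.Success Then Return "unknown: " & extendedMessage
        Dim code As String = m.Groups(1).Value.ToLowerInvariant()
        Dim meaning As String = Nothing
        If SubCodeMeaning.TryGetValue(code, meaning) Then Return "data " & code & ": " & meaning
        Return "data " & code & ": unrecognised sub-code"
    End Function
    ' Binds to a named DC of the target domain with a domain-qualified user, so the credentials
    ' are checked there and not by whichever DC the locator picks for a serverless LDAP://DC=... path.
    Public Function TryBind(dcHost As String, domainDn As String, domainUser As String,
                            password As String, ByRef detail As String) As Boolean
        Try
            Using de As New DirectoryEntry("LDAP://" & dcHost & "/" & domainDn,
                                           domainUser, password, AuthenticationTypes.Secure)
                de.RefreshCache()  ' forces the bind; the constructor alone does not connect
                detail = "bound as " & domainUser
                Return True
            End Using
        Catch ex As DirectoryServicesCOMException
            detail = DecodeLdapError(ex.ExtendedErrorMessage)  ' for admin logging only
            Return False
        End Try
    End Function
    Sub Main()
        ' Constructed sample: the message quoted in the question, decoded offline.
        Console.WriteLine(DecodeLdapError(
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1"))
        ' Live check against a placeholder DC; the user only ever sees a generic message.
        Dim why As String = Nothing
        If Not TryBind("dc01.domainb.local", "DC=domainb,DC=local", "DOMAINB\UserB", "P@ssw0rd", why) Then
            Console.Error.WriteLine("bind failed: " & why)        ' admin log
            Console.WriteLine("Login failed. Please try again.")  ' shown to the user
        End If
    End Sub
End Module
```

Keeping the decoded reason out of the message shown to the user avoids telling an unauthenticated caller whether an account exists, is disabled or is locked out.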
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)