
I've been searching for an answer and can't seem to find one, but maybe I missed it. I have a WPF application and I use PrincipalContext to connect to MS AD. My development machine is not domain joined and I can connect no problem. However, on our terminal server, my application can only connect if the currently logged in user is in the Domain Admins group, even though I am passing valid credentials to the PrincipalContext constructor. I have tried using my account, a 'service' account, and even the Administrator account.

I have this working on my development machine but not on our terminal server:

using System.DirectoryServices.AccountManagement;

// Explicit credentials, simple bind straight against the named DC (no domain membership required)
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "DC.mydomain.com", null, ContextOptions.SimpleBind | ContextOptions.ServerBind, Username, Password);

On the terminal server, it throws an exception. The message is "The connection cannot be established". Upon further investigation I found that LDAP is returning an error code of 91, which I have looked up as well, but I still cannot seem to get it to connect. I must have tried passing every combination of parameters to PrincipalContext.

Edit:

I've been playing with it some more. I can't get PrincipalContext or LdapConnection to connect on the terminal server, but they both work on my development machine. The only thing that will connect is DirectoryEntry. Maybe that will provide more clues?

Any suggestions?

  • Have you tried ContextOptions.Signing ?? – Azhar Khorasany Aug 06 '13 at 22:33
  • Is your development machine trying to talk to the same domain? My guess would be that the production DC doesn't allow Basic Authentication. – Sean Hall Aug 07 '13 at 12:55
  • Signing doesn't work either. I'm connecting to the same domain...I'm pointing to the exact same server. I'm on the production network, just not joined to the domain. – James Wakelim Aug 07 '13 at 15:15
  • If you're running this as a domain user, you can just not supply the username and password and take out the SimpleBind flag. By the way, in order for me to see your comment, I had to come back to this question. If you put @Hall72215 at the beginning, it would show up in my notifications. – Sean Hall Aug 12 '13 at 15:18
  • @Hall72215 Thanks for the tip. :) I tried using the PrincipalContext constructor with just the Domain ContextType and I got the same error. I've also done network captures on the active directory server and when I get the error, there is no LDAP traffic going to the AD server at all. – James Wakelim Aug 12 '13 at 20:31
  • Sounds like DNS issues or you can't reach that DC from the terminal server. – Sean Hall Aug 12 '13 at 20:40
  • @Hall72215 DNS is ruled out (tried the IP). As for not being able to reach the DC, I can ping the DC from the terminal server and it'll work if the account I'm logged into the terminal server with is in the Domain Admins group. If I remove myself from the group it stops working again. But of course, we can't just make everyone a member of the Domain Admins group to get it to work. – James Wakelim Aug 12 '13 at 22:05
  • I'm out of ideas. I don't see how everyone could use a DirectoryEntry but PrincipalContext only works for Domain Admins. Have you tried it on another computer that's joined to the domain? – Sean Hall Aug 13 '13 at 01:36
  • @Hall72215 all 7 terminal servers in our farm and another 2 domain joined PCs. Makes no sense. – James Wakelim Aug 13 '13 at 06:08
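The question compares three client APIs (PrincipalContext, LdapConnection, DirectoryEntry) against the same DC. The following console program is an added example, not code from the question or its comments; it binds with each API in turn using the same credentials and reports the underlying error code instead of a bare "connection cannot be established", so a failing terminal server can be compared line for line with a working development machine. The DC name is the one from the question; the account name and password are placeholders. It deliberately uses Negotiate with signing and sealing rather than the question's SimpleBind, because a simple bind without ContextOptions.SecureSocketLayer sends the password to the DC in cleartext.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;

// Added example (not from the question). DC name comes from the question; the
// account and password below are placeholders to be replaced before running.
static class AdBindDiagnostics
{
    // Same API the question uses, but with the LDAP result code surfaced.
    // PrincipalServerDownException.ErrorCode carries the LDAP code (91 = cannot connect).
    public static bool TryPrincipalContextBind(string dc, string user, string password, out string detail)
    {
        try
        {
            using (var pc = new PrincipalContext(ContextType.Domain, dc, null,
                ContextOptions.Negotiate | ContextOptions.ServerBind |
                ContextOptions.Signing | ContextOptions.Sealing,
                user, password))
            {
                // Touching ConnectedServer forces the bind; ValidateCredentials exercises the account.
                detail = "connected to " + pc.ConnectedServer;
                return pc.ValidateCredentials(user, password);
            }
        }
        catch (PrincipalServerDownException ex)
        {
            detail = string.Format("PrincipalContext failed: LDAP {0} ({1})", ex.ErrorCode, ex.Message);
            return false;
        }
    }

    // System.DirectoryServices.Protocols bind with the same account; LdapException
    // exposes both the LDAP result code and any diagnostic string the DC returned.
    public static bool TryLdapConnectionBind(string dc, string user, string password, out string detail)
    {
        try
        {
            using (var conn = new LdapConnection(new LdapDirectoryIdentifier(dc, 389)))
            {
                conn.AuthType = AuthType.Negotiate;
                conn.SessionOptions.Signing = true;   // integrity protection on the session
                conn.SessionOptions.Sealing = true;   // encryption on the session
                conn.Credential = new NetworkCredential(user, password);
                conn.Bind();
                detail = "LdapConnection bound";
                return true;
            }
        }
        catch (LdapException ex)
        {
            detail = string.Format("LdapConnection failed: LDAP {0} ({1})", ex.ErrorCode, ex.ServerErrorMessage);
            return false;
        }
    }

    // The question reports DirectoryEntry working where the other two fail; reading
    // RootDSE with the same credentials isolates whether LDAP is reachable at all.
    public static bool TryDirectoryEntryBind(string dc, string user, string password, out string detail)
    {
        try
        {
            using (var root = new DirectoryEntry("LDAP://" + dc + "/RootDSE", user, password,
                AuthenticationTypes.Secure | AuthenticationTypes.ServerBind))
            {
                detail = "defaultNamingContext=" + root.Properties["defaultNamingContext"].Value;
                return true;
            }
        }
        catch (COMException ex)
        {
            detail = string.Format("DirectoryEntry failed: 0x{0:X8} ({1})", ex.ErrorCode, ex.Message);
            return false;
        }
    }

    static void Main()
    {
        const string dc = "DC.mydomain.com";          // from the question
        const string user = "MYDOMAIN\\svc_ldap";     // placeholder account
        const string password = "<password>";         // placeholder secret
        string detail;

        Console.WriteLine("PrincipalContext : {0} - {1}", TryPrincipalContextBind(dc, user, password, out detail), detail);
        Console.WriteLine("LdapConnection   : {0} - {1}", TryLdapConnectionBind(dc, user, password, out detail), detail);
        Console.WriteLine("DirectoryEntry   : {0} - {1}", TryDirectoryEntryBind(dc, user, password, out detail), detail);
    }
}
```

Run it from the same folder, under the same interactive account, on both the terminal server and the development machine while capturing traffic to the DC. If the first two calls fail with LDAP 91 and the capture shows no packets to the DC, as the question's captures did, the failure happens inside the client process before a socket is ever opened, which points at the local environment (file or folder permissions on the application directory, as the accepted resolution found) rather than at the DC or the account's group membership.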

1 Answer


I managed to figure it out. It was some sort of permissions issue on the folder I was running the application from. Hope this can help someone in the future.