Brendan Tompkins [MVP]

Darrell, I know, but this server was behind our firewall. I'm not sure what else could have fixed it.

Darrell, I know, but this server was behind our firewall. I'm not sure what else could have fixed it.

I'm not saying you did anything wrong. The permission is there for a reason, but there are security implications to using it. Just an cautionary FYI.

Brendan, Darrell, I tried this code and get some error, is there anyone who can solve my problem?

The error details:

1. If I tried this on WinXp wich is my developer serever I got the following error at the "de.SchemaEntry.RefreshCache(new string [] {PropertyName});" line:

Not implemented

2. I tried this on a Win2003 server too. In this case I got another error in the same line wich is "better" then the first one:

Unknown error (0x80005000)
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: Unknown error (0x80005000)

Please anybody help me.

Thanks

Zoli...

If you have trusted for delegation on the Server 2003 machine for current impersonated user, then you are over the first hump.

Second, make sure that your AD contains the property that you are trying to refresh. If you mistype the property, or it's not there, you'll error.

Here are some properties that should be there for AD..

GetProperty(dirEntry, "sAMAccountName");
GetProperty(dirEntry, "givenName");
GetProperty(dirEntry, "sn");
GetProperty(dirEntry, "mail");
GetProperty(dirEntry, "description");
GetProperty(dirEntry, "displayName");
GetProperty(dirEntry, "facsimileTelephoneNumber");
GetProperty(dirEntry, "telephoneNumber");
GetProperty(dirEntry, "title");
GetProperty(dirEntry, "company");
GetProperty(dirEntry, "l");
GetProperty(dirEntry, "department");

Brendan...

1. I checked the chekbox Trusted for delegation in the AD and I use Windows authentication and impersonate true. I tried my own account and domain admin too.

2. I wrote a small control, which lists all the properties name for the searched user. I can choose which poperty value will be shown by the number of the property in the list. I use foreach (foreach(string sPropName in osRes.GetDirectoryEntry().Properties.PropertyNames)) to walk through the properties. If the number is equal the selected property number I call the GetProperty whith the sPropName. I think it must be good.

Any new idea?

Thanks

Well, I'm not sure. I can tell you that your syntax has to be perfect for this to all work. Are you loading the properies when you first get the DirectoryEntery?

One thing that may help you is TokenMon you can get this for free at http://www.sysinternals.com/

Running this on the server will give you an idea if there are permissions problems..

Brendan

If You think oADSearchResult.PropertiesToLoad.Add(sPropName);
It is in the code.

I install the TokenMon but I can't see how it can help me. Here is the part of the program, which is working with the AD. Can You check it, please if You see any error.

string NameFilter = tbAdSearchfilter.Text;
string DepartmentFilter="";
string PhoneFilter="";
string sFilterText = "";

DirectoryEntry oADMainEntry = new DirectoryEntry(ConfigurationSettings.AppSettings["ADConnectionString"].ToString());
DirectorySearcher oADSearchResult = new DirectorySearcher(oADMainEntry);oADSearchResult.PropertyNamesOnly = true;
oADSearchResult.Sort = new SortOption("name", SortDirection.Ascending);
sFilterText = "(&(objectCategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))";
sFilterText = sFilterText + "(name=" + NameFilter + "*)";
sFilterText = sFilterText + "(department=" + DepartmentFilter + "*)";
sFilterText = sFilterText + "(|(telephoneNumber=" + PhoneFilter + "*)(mobile=" + PhoneFilter + "*))";
sFilterText = sFilterText + ")";
oADSearchResult.Filter = sFilterText;
foreach(SearchResult osRes in oADSearchResult.FindAll())
{
if (cbOnlyUserpCount.Checked)
{
this.Page.Response.Write(osRes.GetDirectoryEntry().Properties["name"].Value + " - " + osRes.GetDirectoryEntry().Properties.Count + "<br>");
}
else
{
int iProp = 0;
foreach(string sPropName in osRes.GetDirectoryEntry().Properties.PropertyNames)
{ this.Page.Response.Write(sPropName); if (cbPropValue.Checked) {
if(tbPropNum.Text.Trim() == "" || int.Parse(tbPropNum.Text) == iProp) {
oADSearchResult.PropertiesToLoad.Add(sPropName);
this.Page.Response.Write(" - " + GetProperty(osRes.GetDirectoryEntry(),sPropName));
}
} this.Page.Response.Write("<br>");
iProp++;
}
}
}


Tanks Zoli

Zoli,

When you do your foreach, are you failing the first time? If not, there may be a problem with a particluar property.

Also, I'd remove the line PropertyNamesOnly = true; while testing. But, I'm not sure if these could be causing your error.

And, I'd do my GetDirectoryEntry() call once, setting an obj reference, then using that reference.

-B

Brendan,

The program always fails at the line
de.SchemaEntry.RefreshCache(new string [] {PropertyName});
This line is called once in the foreach, on that property which I choosed.
If I don't use this line it works fine for exmaple the cn property but fails for the department property. At this time the error occured in the line: de.Properties[PropertyName][0].ToString(), and the error is:
The directory datatype cannot be converted to/from a native DS datatype.
I tried to use the RefreshCache(); without any parameters, but it doesn't help too. Although it not fails in the RefreshCache line, but the error is come in the same line as there wasn't any RefreshCache call.


Changing the PropertyNameOnly is no effect.

Setting up the DirectoryEntry once and using this refence also doesn't indicate any chages.

Zoli...

Try calling this method within your foreach and run DebugView from http://www.sysinternals.com/ to see what all your properties are.

/// <summary>
/// Write out all of the properties of a given directory entry
/// </summary>
/// <param name="dirEntry" type="System.DirectoryServices.DirectoryEntry">
/// <para>
/// Directory Entry
/// </para>
/// </param>
/// <returns>
/// A void value...
/// </returns>
public static void WriteProperties(DirectoryEntry dirEntry)
{
string[] propNames = new string[dirEntry.Properties.Count];
dirEntry.Properties.PropertyNames.CopyTo(propNames,0);

for (int propertyIndex = 0; propertyIndex < dirEntry.Properties.Count; propertyIndex++)
{
System.Diagnostics.Trace.WriteLine("Name: {0}", propNames[propertyIndex]);
int valueCount = dirEntry.Properties[propNames[propertyIndex]].Count;
for (int valueIndex = 0; valueIndex < valueCount; valueIndex++)
System.Diagnostics.Trace.WriteLine(String.Format(" Value {0}: {1}", valueIndex, dirEntry.Properties[propNames[propertyIndex]][valueIndex]));
}
}

Brendan,

At first I would like to very thanks to your help. I don't know what's happened but when I call this method, the progam not fails and starts to work. After that I commented the method call and it is still working. Another sites is start to work after that, althought I didn't modified that code. So if You can expalin me why will it be good, I will be very very happy and probably cleverer too. If You can't expalain the reason, I just congartulate to You because You solved an almost 1 year old problem. Thank You again to your help!

Zoli

Error Type: (0x80072020),
I am not able to acces samaccount name from a windows server2003 active directory from an asp page ( windows script), where i was able to access all the attributes from from windows 2000 server. what would be the proble.

KerbTray, part of the Windows Resource Kit, is another useful program for debugging Kerberos/delegation issues. Also, check the security event logs on the AD server to see whether the conenctions are coming in authenticated.

Also, if you are using custom properties / directory entry types, you need to check that the SCHEMA is permissioned appropriately as well or you will see this same "directory datatype could not be..." error.