
A local error has occurred while connecting to AD in Windows 2008 server

Developer https://www.devze.com 2022-12-08 05:32 Source: web

There's Active Directory on a Windows 2000 Advanced Server; I have a web server on Windows 2008 Server Enterprise Edition. The following code works fine on Windows 2003 Server, but when I installed Windows 2008 Server it gives me the following error. The web server is not a subdomain of the AD server, but they are in the same IP address range.

A local error has occurred.

System.DirectoryServices.DirectoryServicesCOMException

I want to authenticate via AD from my web server. I even tested port 389 and it was open (by telnet); I even added port 389 UDP and TCP to the firewall of the web server to be sure it is open, and even turned the firewall off, but nothing changed. I don't know what's wrong with Windows 2008 Server that it cannot run my code; I searched the Internet but found nothing. Any solution would be helpful. Thank you.

using System;
using System.DirectoryServices;

public bool IsAuthenticated(string username, string  pwd,string group)
{
  // LDAP path to the domain, with the default naming context as the base DN
  string domainAndUsername = "LDAP://192.xx.xx.xx:389/DC=test,DC=oc,DC=com" ;
  // Name passed as the bind user; built from the username and the group name
  string usr="CN=" + username + ",CN=" + group;
  DirectoryEntry entry = new DirectoryEntry(domainAndUsername, usr, pwd,
                                            AuthenticationTypes.Secure );

  try
  {
    // The bind itself only happens when the searcher first talks to the directory
    DirectorySearcher search = new DirectorySearcher(entry);

    search.Filter = "(SAMAccountName=" + username + ")";

    SearchResult result = search.FindOne();

    if (result == null)
    {
        return false;
    }
  }
  catch (Exception)
  {
      // Any bind or search failure (bad credentials, unreachable server) counts as not authenticated
      return false;
  }
  return true;
}


Ok, let's try a different approach... You indicated that you're on Windows 2008, which means that you should be able to use the new System.DirectoryServices.AccountManagement namespace introduced in .NET 3.5.

I've written a quick function that you can try out which should work better than the code you're currently using:

using System.DirectoryServices.AccountManagement;

//...

private Boolean IsAuthenticated(String username, String password, String group)
{
  PrincipalContext domain;
  try
  {
    // Connect to the domain:
    domain = new PrincipalContext(ContextType.Domain, "192.xx.xx.xx", username, password);
  }
  catch
  {
    // Unable to connect to the domain (connection error or bad username/password):
    return false;
  }

  PrincipalSearcher searcher = new PrincipalSearcher();

  // Search for the user in the domain:
  UserPrincipal findUser = new UserPrincipal(domain);
  findUser.SamAccountName = username;
  searcher.QueryFilter = findUser;
  UserPrincipal foundUser = (UserPrincipal)searcher.FindOne();

  if (foundUser == null)
  {
    // User was not found (FindOne returns null, so guard before calling IsMemberOf):
    return false;
  }

  // Search for the group in the domain:
  GroupPrincipal findGroup = new GroupPrincipal(domain);
  findGroup.SamAccountName = group;
  searcher.QueryFilter = findGroup;
  GroupPrincipal foundGroup = (GroupPrincipal)searcher.FindOne();

  if (foundGroup != null)
  {
    // Return true if group exists and the user is a member:
    return foundUser.IsMemberOf(foundGroup);
  }
  else
  {
    // Group was not found:
    return false;
  }
}

However, I would recommend that you set up a service account in your domain and use that account (with a password that you know) in your application instead of connecting to the directory with the username/password of the user that you're authenticating.


The DirectorySearcher class is most likely the culprit.

Per MSDN on DirectorySearcher:

"Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role not supported), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements."


The error you're getting indicates that you're able to access Active Directory (not a firewall issue) but AD is unable to process the request.

I'm not sure why the code worked on Server 2003 because these two lines...

string usr="CN=" + username + ",CN=" + group;
DirectoryEntry entry = new DirectoryEntry(domainAndUsername, usr, pwd, AuthenticationTypes.Secure );

...should never work because you're not supplying the username in the correct way (you can't simply add the username to a group name, it's not a valid DN). If you change it to...

DirectoryEntry entry = new DirectoryEntry(domainAndUsername, username, pwd, AuthenticationTypes.Secure );

...you should be able to make a successful connection to AD. There won't be any check if the user belongs to the supplied group however.

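Putting the two answers together, this is an added example (not code from the question or from either answer): the directory is queried with a service account as the first answer recommends, the group check that the last answer notes is missing is done against the user's memberOf attribute, and the password is then proved by binding with the plain username as the last answer suggests. The LDAP path is the one from the question; the service account name and password placeholder, the group DN parameter, and the EscapeFilterValue helper (which escapes RFC 4515 special characters so the username in the question's concatenated filter can only ever be matched as a value) are assumptions.

```csharp
using System;
using System.DirectoryServices;

public static class AdAuth
{
    // Path from the question; the service account and its password are placeholders to fill in.
    private const string LdapPath = "LDAP://192.xx.xx.xx:389/DC=test,DC=oc,DC=com";
    private const string ServiceUser = "svc_webauth";                 // assumed service account
    private const string ServicePassword = "<service-account-password>"; // placeholder

    // Escape the characters that are special in an LDAP search filter (RFC 4515).
    // Backslash is replaced first so the escapes it produces are not re-escaped.
    public static string EscapeFilterValue(string value) =>
        value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");

    // True only if the account exists, is a direct member of groupDn, and the password binds.
    public static bool IsAuthenticated(string username, string password, string groupDn)
    {
        // An empty password must never reach the bind: LDAP treats it as an unauthenticated bind.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;

        // 1. Look the user up with the service account, not with the credentials being tested.
        using (var root = new DirectoryEntry(LdapPath, ServiceUser, ServicePassword, AuthenticationTypes.Secure))
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(username) + "))";
            search.PropertiesToLoad.Add("memberOf");
            SearchResult result = search.FindOne();
            if (result == null) return false;

            // 2. Group check by comparing group DNs; nested group membership is not expanded here.
            bool inGroup = false;
            foreach (object dn in result.Properties["memberOf"])
                inGroup |= string.Equals((string)dn, groupDn, StringComparison.OrdinalIgnoreCase);
            if (!inGroup) return false;
        }

        // 3. Prove the password by binding as the user; reading NativeObject forces the bind to happen.
        try
        {
            using (var asUser = new DirectoryEntry(LdapPath, username, password, AuthenticationTypes.Secure))
                return asUser.NativeObject != null;
        }
        catch (DirectoryServicesCOMException) { return false; } // bad password or bind rejected
    }
}
```

The group is identified by its full distinguished name (for example CN=WebUsers,OU=Groups,DC=test,DC=oc,DC=com) rather than by the bare name the question concatenated into the bind string.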
