DirectorySearcher works locally in VS2005 but not on webserver


Jason Wilson

I have written a web app in ASP.NET that works fine in VS2005, but
DirectorySearcher fails when I copy it to the web server.

Here's some code:

Dim sUser As String = Environment.UserName
Dim adEntry As New DirectoryEntry("LDAP://DC=radnet,DC=ausrad,DC=com")
Dim adSearcher As New DirectorySearcher(adEntry)
adSearcher.SearchScope = SearchScope.Subtree
adSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & sUser & "))"
adSearcher.PropertiesToLoad.Add("mail")
adSearcher.PropertiesToLoad.Add("extensionAttribute1") 'This contains employee SSN
Dim adResult As SearchResult = adSearcher.FindOne
***hfUserEmail.Value = adResult.GetDirectoryEntry().Properties("mail").Value
***hfUserSSN.Value = adResult.GetDirectoryEntry().Properties("extensionAttribute1").Value

*** These 2 lines give me: Object reference not set to an instance of
an object. (nullreference exception)

I've tried adding credentials to the DirectoryEntry with the same
results.

Thanks in advance,

Jason Wilson
 
Hi,

My guess is that the webserver is not a member of the domain that it is
querying. This will cause the query to fail.

Regards,
Kueh.
 
It's an intranet server and is a member of the domain. Also if it was
a security issue I think that I would get an access denied exception.
 
Just a thought, but I am expecting the webserver to do the query
under the context of the user of the web page. Do I need to do
something to make this happen? I mean do I need to somehow turn
impersonation on?

Jason
 
That was it. I added:

<identity impersonate="true" userName="domain\user" password="*****"/>

And now it works. It was running under the local system account
before which didn't have necessary rights (you'd think you'd get an
exception, but no).

I tried just turning on impersonation without providing credentials
and it failed because Kerberos doesn't like the 2 hop token. I think
you can get around that with enabling the webserver for delegation in
AD, but that gets kind of messy. This will work for now.
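
An added example, not code from the thread: the same search with an explicit check for FindOne returning Nothing, which it does instead of throwing when the search yields no entry, so the failure names the account the code actually ran as. It goes slightly beyond the thread by also escaping the account name before it is placed in the filter. The names AdLookup, EscapeLdapFilterValue, FirstValue and FindMail are hypothetical; the LDAP path and filter are the ones from the original post.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Text

Public Module AdLookup
    ' Escape the RFC 4515 special characters so the account name is
    ' treated as a literal value inside the LDAP filter.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' First value of an attribute, or Nothing when the attribute was not
    ' returned (absent on the entry, or not readable by the caller).
    Private Function FirstValue(ByVal result As SearchResult, ByVal name As String) As String
        If Not result.Properties.Contains(name) Then Return Nothing
        If result.Properties(name).Count = 0 Then Return Nothing
        Return result.Properties(name)(0).ToString()
    End Function

    ' Looks up the mail attribute for accountName (hypothetical helper).
    Public Function FindMail(ByVal accountName As String) As String
        Using adEntry As New DirectoryEntry("LDAP://DC=radnet,DC=ausrad,DC=com")
            Using adSearcher As New DirectorySearcher(adEntry)
                adSearcher.SearchScope = SearchScope.Subtree
                adSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilterValue(accountName) & "))"
                adSearcher.PropertiesToLoad.Add("mail")
                Dim adResult As SearchResult = adSearcher.FindOne()
                ' FindOne returns Nothing when no entry comes back; fail here
                ' with the effective identity instead of a NullReferenceException.
                If adResult Is Nothing Then
                    Throw New InvalidOperationException("No directory entry for '" & accountName & "' (searched as " & Environment.UserName & ")")
                End If
                Return FirstValue(adResult, "mail")
            End Using
        End Using
    End Function
End Module
```

Reading the value from adResult.Properties uses the attributes already loaded by the search, so it avoids the extra bind that GetDirectoryEntry() performs.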
 