
DirectoryServices error: Authentication mechanism is unknown: Solution

Hello

I posted a thread about this a while back, but I can't actually find it
again so I can reply to it with the solution I found, so I'm making a new
thread and hoping it goes to the top of the Google search results for the
error like the previous thread.

This is actually a solution to a problem, not a call for help, so you can
stop reading now unless you're actually interested in the solution :)

Problem:

When connecting to Active Directory using a DirectoryEntry object and
passing username and password credentials, an error is returned when binding.
(Binding occurs once you try to execute something, such as a search, or
access connection properties.) The error message is "The authentication
mechanism is unknown".

Example code:

using System;
using System.DirectoryServices;

// Bind to Active Directory using LDAP protocol (the bind itself happens lazily,
// on the first access to entry.Properties below)
DirectoryEntry entry = new DirectoryEntry("LDAP://DOMAIN", "myusername",
"mypassword", AuthenticationTypes.Secure);
System.DirectoryServices.PropertyCollection props = entry.Properties;
foreach (string propName in props.PropertyNames)
{
Console.WriteLine("{0} = {1}", propName, props[propName]);
}

Diagnosis:

In general, this code will work and you'll get a list of the AD LDAP
properties. However, you might get the "The authentication mechanism is
unknown" error. When I searched for help on this error everywhere I could
find, nobody could supply a solution, or even an explanation of what was
happening.

What I have found is that it is almost certainly a problem with security
permissions. More specifically, if you are running under a system account
rather than an account that belongs to the domain you're connecting to. And
mostly, you will probably only get this problem when you're running ASP.NET.
To help you test what account may be causing problems for you, add this line
of code before you do any DirectoryEntry operations:

using System.Security.Principal;

// The identity the current thread is running as (impersonated identity if impersonation is on)
WindowsIdentity identity = WindowsIdentity.GetCurrent();
Console.WriteLine("Current Identity = {0}, IsSystem={1}, IsAuthenticated={2}, AuthenticationType={3}, Token={4}",
identity.Name, identity.IsSystem, identity.IsAuthenticated, identity.AuthenticationType,
identity.Token.ToString());

When the problem occurred for me, I got this output:

Current Identity = NT AUTHORITY\SYSTEM, IsSystem=True, IsAuthenticated=True,
AuthenticationType=NTLM, Token=10228

If you're getting this, check your machine.config located in
%SYSTEMROOT%\Microsoft.NET\Framework\vx.x.xxxx\CONFIG e.g.
c:\windows\Microsoft.NET\Framework\v1.0.3705\CONFIG for 1.0 Framework on
Windows XP. Search for the <processModel> section. Have a look at the userName
attribute; it will be set to "system" most probably. This runs ASP.NET under
a privileged local system account and is actually a big security hole; this
was the default setting in Beta 2 but was changed to "machine" later on.
When set to machine, ASP.NET will then run under the MACHINENAME\ASPNET
account which should actually make your code work!

In theory, the code should work anyway, because you're specifying the
credentials you are binding to the directory with. I suspect it will be
something to do with initial tokens passed when binding, from some of the
packet sniffing I was doing trying to find what happens when you bind.

Solutions:

The solution is to run your ASP.NET application under an account that can
access AD. There are a couple of ways to do this:

1) You can actually do all your work WITHOUT sending a username and password
to the DirectoryEntry bind if you're running under the system account. This
isn't an anonymous bind, it's a privileged one, because you can actually
search the whole AD tree (an anonymous bind to AD gives you almost nothing
to look at)

e.g. DirectoryEntry entry = new DirectoryEntry("LDAP://DOMAIN");

This isn't an option for me, as I need to bind with the username and
password as a form of authentication.

2) Ensure ASP.NET runs under the MACHINENAME\ASPNET account by setting the
userName attribute in the processModel section of machine.config to
"machine" (make sure the password attribute is set to "AutoGenerate"). This
will enforce the change on all ASP.NET apps. This is recommended as using
"system" is insecure and essentially "deprecated".

3) Run your specific web application under a specified username and
password, such as a domain login. Do this by adding the following line to
web.config:

<configuration>
<system.web>
<identity impersonate="true" userName="DOMAIN\myusername"
password="mypassword"/>
</system.web>
</configuration>

Troubleshooting:

1) First you should test that you can actually get to the Active Directory
using the LDAP method by using a standard LDAP client such as LDAPBrowser
2) You should make sure the username / password you're using can actually
bind to the AD using the LDAP Browser
3) Use the line of code a bit further up to troubleshoot what account your
app is running under (i.e. to see whether your impersonation or
machine.config changes have taken effect)

I hope this helps you! Was a frustrating error that had no documentation or
solutions I could find.

Cheers

David Moore <davidATrealdevelopments.com>
Jul 21 '05 #1
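The three checks the post describes (which account the code runs under, whether machine.config's processModel still says "system", and forcing the LDAP bind at a known point so the error surfaces there) can be packaged as one console diagnostic. This is an added example, not code from David Moore's post; it assumes .NET Framework with System.DirectoryServices referenced, and the LDAP path, username and machine.config location are command-line arguments I chose for illustration. The password is read from stdin rather than the command line so it does not show up in process listings.

```csharp
// Added example (not from the original post): diagnostic for the
// "authentication mechanism is unknown" bind error described above.
// Assumes: .NET Framework, reference to System.DirectoryServices.
// Usage: AdBindDiagnostic <LDAP://DOMAIN> <DOMAIN\user> [path\to\machine.config]
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Xml;

static class AdBindDiagnostic
{
    // Step 1: report the account the current thread runs as (the impersonated
    // identity when <identity impersonate="true"> is in effect). The post's
    // failing case is NT AUTHORITY\SYSTEM with IsSystem=True.
    static bool ReportIdentity()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        Console.WriteLine("Current Identity = {0}, IsSystem={1}, IsAuthenticated={2}, AuthenticationType={3}",
            identity.Name, identity.IsSystem, identity.IsAuthenticated, identity.AuthenticationType);
        return identity.IsSystem;
    }

    // Step 2: read <processModel userName="..."> from machine.config.
    // Returns null when the element or attribute is absent.
    static string ReadProcessModelUser(string machineConfigPath)
    {
        XmlDocument doc = new XmlDocument();
        doc.Load(machineConfigPath);
        XmlNode node = doc.SelectSingleNode("//processModel");
        if (node == null || node.Attributes["userName"] == null) return null;
        return node.Attributes["userName"].Value;
    }

    // Step 3: bind explicitly. DirectoryEntry binds lazily, so RefreshCache()
    // is called to trigger the bind here instead of on the first property read.
    // Returns true on success; the COMException HRESULT and text are printed on failure.
    static bool TryBind(string ldapPath, string user, string password)
    {
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath, user, password, AuthenticationTypes.Secure))
        {
            try
            {
                entry.RefreshCache();
                Console.WriteLine("Bind OK as {0}; root entry name = {1}", user, entry.Name);
                return true;
            }
            catch (COMException ex)
            {
                // ErrorCode carries the HRESULT; Message carries the text quoted in the post.
                Console.WriteLine("Bind failed: HRESULT 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
                return false;
            }
        }
    }

    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: AdBindDiagnostic <LDAP://DOMAIN> <DOMAIN\\user> [machine.config path]");
            return 2;
        }

        bool runningAsSystem = ReportIdentity();

        if (args.Length > 2)
        {
            string userName = ReadProcessModelUser(args[2]);
            Console.WriteLine("processModel userName = {0}", userName ?? "(not set)");
            if (string.Equals(userName, "system", StringComparison.OrdinalIgnoreCase))
                Console.WriteLine("WARNING: worker process configured as local system; set userName=\"machine\" with password=\"AutoGenerate\".");
        }

        if (runningAsSystem)
            Console.WriteLine("NOTE: running as local system; a bind with explicit credentials may fail with 'authentication mechanism is unknown'.");

        Console.Write("Password for {0}: ", args[1]);
        string password = Console.ReadLine();

        return TryBind(args[0], args[1], password) ? 0 : 1;
    }
}
```

Run it once from a plain interactive session (where it should succeed) and once under the same account and configuration as the web application; a bind that works in the first run and fails in the second with IsSystem=True points at the processModel or impersonation settings rather than at the credentials.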