9/11/2009 3:28:09 PM
 MED1 Posts: 15
Hello,
The feature that automatically populates new users' e-mail addresses is not working. (I am using the Windows authentication mode in WEB.config, and that feature IS working.)
I see a corresponding error in the Windows event log. I get the same information if I configure HELPDESK to deliver system errors by e-mail. The error is posted below. Are there any user-configurable settings related to the LDAP communication? I couldn't find anything in the site's config files. Any help is appreciated!
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at HelpDesk.BusinessLayer.ADUtils.FindPhoneByUserName(String userAccount)
9/11/2009 3:32:35 PM
 MED1 Posts: 15
I should also mention that it logs 3 or 4 of these each time with the last line being different: one says "FindEmailByUserName", another says "FindFirstNameByUserName", etc., so it does not seem to be tripping up on just one piece of information...
9/11/2009 4:00:54 PM
 MED1 Posts: 15
I also tried switching to an application pool that was configured to run the worker process using a domain account, but this killed all authentication to the site....
9/13/2009 5:50:10 AM
 jitbit Administrator Posts: 1306
Have you enabled impersonation in the web.config?
9/14/2009 2:54:27 AM
 wit01 Posts: 69
I get exactly the same problem as MED1, each time with a different user info (first name, last name, email, phone etc).
I have impersonation on in web.config, and I have also run LDAP tests (Microsoft PortQueryUI) from the server to our Domain Controller (Server 2003) and everything is fine.
For some reason it is just the helpdesk app that can't seem to make any LDAP queries, and it causes some delay on the application opening (it'll time out after a while, then connect).
9/14/2009 7:14:04 AM
 MED1 Posts: 15
Yeah, I double checked and the '<identity impersonate="true"/>' line is not remarked out...
9/14/2009 7:21:32 AM
 MED1 Posts: 15
I think I might have fixed it, but I still need to test to be sure. I found a reference to the 0x80072020 error in another forum. Apparently this error can occur on a member server when its machine account is not trusted for delegation. I made this change and so far I have not seen any more errors logged. I'll let you know if the e-mail address populates on a new account....
9/14/2009 7:56:28 AM
 MED1 Posts: 15
Confirmed - Enabling delegation corrected the problem.... You gotta love search engines!
9/15/2009 9:55:07 AM
 wit01 Posts: 69
Good man.
Thanks for that, fixed my problem too!
9/16/2009 3:30:10 AM
 dazlin Posts: 5
I've just been given a link to this post - I've got exactly the same problem. I've enabled 'Trust this computer for delegation' on my domain controller for the server in question and rebooted the webserver, but am still seeing this issue. Is there anything else I need to do, either on the webserver or on my domain controller? BTW, my webserver is running Windows 2003 R2 SP2 and I'm running a Windows 2000 Native domain. Thanks in advance.
9/16/2009 7:11:13 AM
 MED1 Posts: 15
Did you try an IISRESET after making the changes?
9/16/2009 7:15:45 AM
 MED1 Posts: 15
Never mind, if you already rebooted then that would not apply....
9/16/2009 7:30:38 AM
 MED1 Posts: 15
The only advice I would have left would be to run NETDIAG on your web server, and look for any Kerberos-related issues..
9/22/2009 4:10:34 AM
 dazlin Posts: 5
MED1 wrote:
Only advice I would have left would be to run NETDIAG on your web server, and look for any kerberos related issues..
I have run the netdiag command from the web server and have pasted the results below. Does anyone have any other ideas, as I've exhausted all of mine?
Thanks Dazlin
.......................................
Computer Name: KPWEB02
DNS Host Name: KPWEB02.domain
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 6 Model 15 Stepping 6, GenuineIntel
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection 2
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : KPWEB02
IP Address . . . . . . . . : 192.168.0.17
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.1
Primary WINS Server. . . . : 192.168.0.8
Secondary WINS Server. . . : 192.168.0.59
Dns Servers. . . . . . . . : 192.168.0.8 192.168.0.59
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{9543CA67-D94F-4F06-8A7E-05DE3E0A89BF}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{9543CA67-D94F-4F06-8A7E-05DE3E0A89BF}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{9543CA67-D94F-4F06-8A7E-05DE3E0A89BF}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'KUDOS' is to '\\KPADMIN03.kudospharma.co.uk'.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
The command completed successfully
9/25/2009 4:52:06 AM
 wit01 Posts: 69
I think the one to note is: LDAP test. . . . . . . . . . . . . : Passed
As long as that passed it should connect into your AD.
I thought that our problems were fixed, but not. Every now and then it takes up to 3 minutes to open the application, but when I look at the event viewer I can see it's where it's trying to connect into the AD.
I've considered promoting our app server to a DC, as theoretically that should solve the problem. Not sure why member servers are having issues with LDAP queries to DCs, but all the Microsoft tests show no problems?
9/25/2009 5:11:28 AM
 dazlin Posts: 5
wit01 wrote:
I think the one to note is: LDAP test. . . . . . . . . . . . . : Passed
As long as that passed it should connect into your AD.
I think that LDAP is working - when I start the helpdesk (v3.6.1), it does recognise who I am, the only error I get in the event log relates to updating properties from AD.
Error in Jitbit HelpDesk: Error updating properties from AD
System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at HelpDesk.BusinessLayer.ADUtils.FindEmailByUserName(String userAccount)
at HelpDesk.BusinessLayer.User.get_CurrentUserID()
Before the upgrade (I was running v3.5.9) I was receiving an event log error relating to updating email from AD.
Error in Jitbit HelpDesk: Error updating email from AD
System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at HelpDesk.BusinessLayer.ADUtils.FindEmailByUserName(String userAccount)
Does this sound familiar to anyone?
Cheers.
Dazlin
9/25/2009 7:23:34 AM
 MED1 Posts: 15
While the event in your log looks similar, it is actually a different error you are getting: 0x8007203A : The server is not operational
Do you have a CA installed into your directory? I ran a couple of searches on your error, and saw a few people who were querying a domain controller with an expired certificate. Also, is there any routing being done between your member server and your DC that might be blocking certain ports?
9/25/2009 7:35:37 AM
 MED1 Posts: 15
Also, do you have more than one domain controller? Or have you removed a domain controller from the network in the past, which might still be referenced?
9/25/2009 9:15:17 AM
 dazlin Posts: 5
MED1 wrote:
Do you have a CA installed into your directory? I ran a couple searches on your error, and saw a few people who were querying a domain controller with an expired certificate. Also, is there any routing being done between your member server and your DC that might be blocking certain ports?
MED1 wrote:
Also, do you have more than one domain controller? Or have you removed a domain controller from the network in the past, which might still be referenced?
We are not using, and do not have, a CA installed. Also, we have 2 domain controllers on our domain. Is it possible to 'tell' the application which LDAP server to look at (i.e. force it to use a particular one)?
Regards,
Dazlin
9/25/2009 9:24:33 AM
 MED1 Posts: 15
If a CA is not installed, your domain controllers will not listen on the secure LDAP ports at all. If the .NET framework is trying to communicate with your domain controllers using secure LDAP, this could explain the error, and also explain why your command line network diags reported no problems. I would rule this issue out first by installing the CA feature on one of your member servers or one of your domain controllers. After installing it as an "enterprise root CA", I would wait about 15 minutes, then reboot each domain controller as time allows. Then, do an IISRESET on your website, and try again!