
DirectoryServicesCOMException - Unexpected error occurred while getting domain names information #87

Closed
Yvand opened this issue Jul 18, 2019 · 2 comments

Yvand commented Jul 18, 2019

Randomly, LDAPCP fails to get domain names information and records the following error:

07/18/2019 13:58:53.78	w3wp.exe (0x22A0)	0x1AE8	LDAPCP	Configuration	1337	Unexpected	[LDAPCP] Unexpected error occurred while getting domain names information for LDAP connection LDAP://contoso.local/DC=contoso,DC=local: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.  , Callstack:   
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)    
at System.DirectoryServices.DirectoryEntry.Bind()    
at System.DirectoryServices.DirectoryEntry.get_AdsObject()    
at System.DirectoryServices.PropertyCollection.Contains(String propertyName)    
at ldapcp.OperationContext.GetDomainInformation(DirectoryEntry directory, String& domainName, String& domainFQDN)    
at ldapcp.LDAPCP.SetLDAPConnection(Uri currentContext, LDAPConnection ldapConnection)

As a consequence, entities that use dynamic domain name tokens are missing the domain name.
For example, the entity value will be "\groupName" instead of "contoso.local\groupName".

@Yvand Yvand self-assigned this Jul 18, 2019
@Yvand Yvand added the bug label Jul 18, 2019
Yvand added a commit that referenced this issue Jul 18, 2019
@Yvand Yvand pinned this issue Jul 25, 2019
Yvand added a commit that referenced this issue Aug 6, 2019
Yvand added a commit that referenced this issue Aug 20, 2019
Yvand added a commit that referenced this issue Aug 20, 2019

Yvand commented Aug 20, 2019

Good news, I found the root cause and upcoming version 14 will fix it. If you are interested, here are the details about the bug:

Context

The issue occurs when LDAPCP uses the LDAP (AD) connection of the SharePoint server.
At some point LDAPCP gets the domain name by reading the LDAP property “distinguishedName” from the object DirectoryEntry:

if (directory.Properties.Contains("distinguishedName"))

Reading this property triggers an authenticated LDAP call to the AD server, using the creds of the application pool account (LDAPCP does privilege elevation).

Root cause

But this privilege elevation was missing in 2 entry points: in LDAPCP.GetClaimTypeForUserKey() and LDAPCP.GetUserKeyForEntity().
So from those methods, the connection to the AD server was attempted as “NT AUTHORITY\IUSR” (the default anonymous account), which of course failed: lsass was issuing a Kerberos TGS to SPN “krbtgt/NT AUTHORITY” (assuming NT AUTHORITY was an AD domain name).
This is what caused the DirectoryServicesCOMException.

Solution

I added the missing privilege elevation in method LDAPCP.GetUserKeyForEntity():

LDAPCP/LDAPCP/LDAPCP.cs

Lines 1953 to 1956 in a5c1646

SPSecurity.RunWithElevatedPrivileges(delegate ()
{
initSucceeded = Initialize(null, null);
});

But doing so in LDAPCP.GetClaimTypeForUserKey() is not possible: it causes a StackOverflowException.
So to fully fix the issue I implemented a different way to read the domain name in this scenario, and a few other small improvements.
The commits that fix the bug are those with #87 in their title:

Upcoming version 14 will contain the fix. I will publish it as soon as possible, with hopefully a pre-release today if unit tests pass.
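Added example (mine, not LDAPCP's code) of the two points in the comment above: reading distinguishedName under elevated privileges so the LDAP bind runs as the application pool account rather than the anonymous IIS identity, and deriving the domain FQDN from the DC= components of the LDAP path without any bind. The bind-free fallback is my assumption about a workable alternative; the comment does not say which approach version 14 uses.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text.RegularExpressions;
using Microsoft.SharePoint;

// Hypothetical helper (not LDAPCP's code) illustrating the comment above:
// touching DirectoryEntry.Properties binds to AD as the current thread identity,
// so it must run under the application pool account; where elevation is not
// possible, the domain FQDN can be taken from the DC= components of the LDAP
// path without any bind at all.
public static class DomainNameHelper
{
    // Reads distinguishedName under the app pool identity. Without
    // RunWithElevatedPrivileges, an anonymous IIS request would bind as
    // NT AUTHORITY\IUSR and throw DirectoryServicesCOMException.
    // Returns null on bind failure so the caller can fall back explicitly.
    public static string ReadDistinguishedNameElevated(string ldapPath)
    {
        string dn = null;
        SPSecurity.RunWithElevatedPrivileges(delegate ()
        {
            using (DirectoryEntry directory = new DirectoryEntry(ldapPath))
            {
                try
                {
                    // Properties.Contains() is what triggers DirectoryEntry.Bind()
                    if (directory.Properties.Contains("distinguishedName"))
                        dn = directory.Properties["distinguishedName"].Value as string;
                }
                catch (DirectoryServicesCOMException)
                {
                    dn = null; // bind failed: caller should log and use the bind-free path
                }
            }
        });
        return dn;
    }
    // Derives "contoso.local" from "LDAP://contoso.local/DC=contoso,DC=local"
    // (or from a bare DN) with no network call. Only the FQDN can be derived
    // this way; the NetBIOS domain name still needs a directory lookup.
    public static string DomainFqdnFromPath(string ldapPathOrDn)
    {
        var labels = new List<string>();
        foreach (Match m in Regex.Matches(ldapPathOrDn, @"DC=([^,/]+)", RegexOptions.IgnoreCase))
            labels.Add(m.Groups[1].Value);
        return labels.Count == 0 ? null : string.Join(".", labels);
    }
}
```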

Yvand added a commit that referenced this issue Aug 20, 2019

Yvand commented Aug 21, 2019

The pre-release that fixes this bug is https://github.com/Yvand/LDAPCP/releases/tag/14.0.20190821.952
