Tags: active-directory, ldap, directoryservices, adsi, directorysearcher

LDAP Error: The user has insufficient access rights. : LdapErr: DSID-0C09099D, comment: Error processing control,


I want to get incremental changes from Active Directory using C# and for that I am trying to build a solution as mentioned in the following article (using DirSync Control).

https://learn.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-the-dirsync-control

However, I am facing the following problems:

  1. When using the following code, I get an exception saying that the user has insufficient access rights. The user is part of the administrators group.

What more permissions need to be given to that account? And how?

using System.DirectoryServices.Protocols;
using System.Net;

// attributes to load (the same list is used in the second snippet below)
string[] properties = { "objectGUID", "sAMAccountName", "displayName", "mail", "member" };

LdapConnection connection = new LdapConnection("adfs.fed.zzz.com");
connection.SessionOptions.ProtocolVersion = 3;
connection.Credential = new NetworkCredential("adfsfed\\username", "password");
// Basic (simple) bind sends the password in cleartext unless the session is LDAPS/StartTLS
connection.AuthType = AuthType.Basic;
connection.Bind();

var filter = "(&(objectClass=*))";
var searchRequest = new SearchRequest("", filter, SearchScope.Subtree, properties);

// null cookie = initial full synchronisation
DirSyncRequestControl dirSyncRC = new DirSyncRequestControl(null, DirectorySynchronizationOptions.None);
searchRequest.Controls.Add(dirSyncRC);

var response = connection.SendRequest(searchRequest) as SearchResponse;

  2. If I use the code below, I do not get any exception, but I get an empty cookie.

using System.DirectoryServices;

String[] properties = { "objectGUID", "sAMAccountName", "displayName", "mail", "member" };
String filter = "(|(objectClass=group)(objectClass=user))";
// search root; LDAP path assembled from the host and the domain DN used elsewhere in this post
DirectoryEntry myLdapConnection = new DirectoryEntry("LDAP://adfs.fed.zzz.com/DC=adfs,DC=fed,DC=zzz,DC=com");
DirectorySearcher directorySearcher = new DirectorySearcher(myLdapConnection, filter, properties);
var dSynch = new DirectorySynchronization(System.DirectoryServices.DirectorySynchronizationOptions.None);
directorySearcher.DirectorySynchronization = dSynch;
directorySearcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
var results = directorySearcher.FindAll();
// cookie to persist for the next incremental poll
var cookie = dSynch.GetDirectorySynchronizationCookie();

Considerations:

  1. I have only one Domain Controller
  2. I am system admin. So, I can assign appropriate permissions to the user.

Please help.


Solution

  • Based on the response given by @KartikBhiwapurkar-MT, I figured out the bug.

    1. The error "The user has insufficient access rights" is completely misleading (the user already had Replicating Directory Changes rights and was part of the Domain Administrators group). The error in System.DirectoryServices.Protocols was happening because I was passing "" as the first parameter (distinguishedName):
    new SearchRequest("", filter, SearchScope.Subtree, properties);
    

    but it should have been passed as

    new SearchRequest("DC=adfs,DC=fed,DC=zzz,DC=com", filter, SearchScope.Subtree, properties);
    
    2. I was getting an empty cookie in System.DirectoryServices because of a bug in the latest NuGet package (6.0.0). At the time of writing this answer, the bug is still open.

    Reference to bug
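A complete DirSync poll with System.DirectoryServices.Protocols, added here as an example (it is not code from the question or the answer), putting both findings together: the search base is read from RootDSE's defaultNamingContext instead of being passed as "", and the cookie to persist is the one from the last DirSyncResponseControl, not an empty one. Assumed, and not from the page: the bind account and cookie file name are placeholders, Negotiate is used in place of the question's Basic bind so the password is not sent in cleartext, and the bind account holds Replicating Directory Changes on the domain naming context (as in the answer). The host adfs.fed.zzz.com is taken from the question.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Net;

static class DirSyncPoller
{
    const string Host = "adfs.fed.zzz.com";     // from the question
    const string CookieFile = "dirsync.cookie"; // placeholder: where the cookie is persisted between runs

    static void Main()
    {
        using var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 389));
        conn.SessionOptions.ProtocolVersion = 3;
        // Negotiate (Kerberos/NTLM) rather than Basic: a simple bind sends the password in cleartext
        // unless the connection is already LDAPS/StartTLS.
        conn.AuthType = AuthType.Negotiate;
        conn.Credential = new NetworkCredential("username", "password", "adfsfed"); // placeholder account
        conn.Bind();

        // DirSync must be rooted at a naming context; "" (RootDSE) yields the misleading
        // "insufficient access rights" error. Read the domain root from RootDSE instead of hardcoding it.
        string baseDn = ReadDefaultNamingContext(conn);

        byte[] cookie = File.Exists(CookieFile) ? File.ReadAllBytes(CookieFile) : null; // null = initial full sync
        cookie = Poll(conn, baseDn, cookie);
        File.WriteAllBytes(CookieFile, cookie);
    }

    static string ReadDefaultNamingContext(LdapConnection conn)
    {
        var req = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "defaultNamingContext");
        var resp = (SearchResponse)conn.SendRequest(req);
        return (string)resp.Entries[0].Attributes["defaultNamingContext"].GetValues(typeof(string))[0];
    }

    // Runs one poll (all pages) and returns the cookie to persist for the next poll.
    static byte[] Poll(LdapConnection conn, string baseDn, byte[] cookie)
    {
        // isDeleted is included so tombstones returned by DirSync can be told apart from modifications
        string[] attrs = { "objectGUID", "sAMAccountName", "displayName", "mail", "member", "isDeleted" };
        string filter = "(|(objectClass=group)(objectClass=user))";
        bool more;
        do
        {
            var req = new SearchRequest(baseDn, filter, SearchScope.Subtree, attrs);
            req.Controls.Add(new DirSyncRequestControl(cookie, DirectorySynchronizationOptions.None));

            var resp = (SearchResponse)conn.SendRequest(req);
            foreach (SearchResultEntry entry in resp.Entries)
                ReportChange(entry);

            DirSyncResponseControl ctl = null;
            foreach (DirectoryControl c in resp.Controls)
                if (c is DirSyncResponseControl d) ctl = d;
            if (ctl == null)
                throw new InvalidOperationException("server returned no DirSync response control");

            cookie = ctl.Cookie;   // only the cookie from the last page is valid for the next poll
            more = ctl.MoreData;   // true while the server still has pages for this poll
        } while (more);
        return cookie;
    }

    // Placeholder consumer: DirSync returns only the attributes that changed, so any of them may be absent.
    static void ReportChange(SearchResultEntry entry)
    {
        var guid = new Guid((byte[])entry.Attributes["objectGUID"].GetValues(typeof(byte[]))[0]);
        bool deleted = entry.Attributes.Contains("isDeleted")
            && string.Equals((string)entry.Attributes["isDeleted"].GetValues(typeof(string))[0], "TRUE",
                             StringComparison.OrdinalIgnoreCase);
        string sam = entry.Attributes.Contains("sAMAccountName")
            ? (string)entry.Attributes["sAMAccountName"].GetValues(typeof(string))[0]
            : "(unchanged)";
        Console.WriteLine($"{(deleted ? "DELETED" : "CHANGED")} {guid} {sam} {entry.DistinguishedName}");
    }
}
```

Treat the cookie as opaque and bind it to the server and naming context it came from; if the poll fails with an error on the control, discard it and start a new full sync with a null cookie. If you would rather not grant Replicating Directory Changes to the polling account, DirectorySynchronizationOptions.ObjectSecurity makes the control return only the objects and attributes the bind account can read under normal ACL checks, at the cost of a less complete change stream.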