We have an application that uses LDAP to get basic information about the user. It has worked fine for years. We also have a testing application that connects to LDAP successfully, unless you perform a Clean Solution; it then fails with "Server is not operational". Restore the files from that clean and it works again. Additionally, this error surfaces for users when we publish the application. Users will get that error message for a period of time (1-2 days) and then it will suddenly begin working.
Some other background: we promoted two new DCs and demoted two, and this is when the issues began. LDP.exe connects just fine. Wireshark shows an "LDAP ping" and no other LDAP communication when the connection fails. Wireshark shows a SASL/GSSAPI connection when successful.
A snippet of the code for the test application.

Imports System.DirectoryServices
Imports System.Security.Principal

Private Function LookupCurrentUser() As SearchResult
    Dim ident As WindowsIdentity = WindowsIdentity.GetCurrent()
    ' Strip the DOMAIN\ prefix to get the sAMAccountName
    Dim username As String = ident.Name.Substring(ident.Name.IndexOf("\") + 1)
    Dim protocol As String = "LDAP"
    Dim path As String = "domain.com"
    Dim sResult As SearchResult = Nothing
    ' Serverless bind (LDAP:) when no path is given, otherwise LDAP://domain.com
    Dim ldapPath As String = If(String.IsNullOrEmpty(path), String.Format("{0}:", protocol), String.Format("{0}://{1}", protocol, path))
    Using de As New DirectoryEntry(ldapPath)
        Try
            ' Reading Properties forces the bind; this is where "Server is not operational" is raised
            If de.Properties.Count > 0 Then
                Using adSearch As New DirectorySearcher(de)
                    adSearch.Filter = String.Format("(&(objectClass=user)(sAMAccountName={0}))", username)
                    sResult = adSearch.FindOne()
                End Using
            End If
        Catch ex As Exception
            Label1.Text = ex.Message
        End Try
    End Using
    Return sResult
End Function
This sounds very similar to our issue, but it is answered with "a reboot fixed it": VB.NET LDAP authentication error: "The server is not operational"
You may enable LDAP client logging via the following link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/turn-on-debug-logging-ldap-client
Please note the domain controller hostname/FQDN/IP while your application gives the error "Server Not Operational". To see the connections made to the domain controller, run netstat -bn from the workstation command line; it will show the executables and the destination port (389, or 636 for SSL; please note the port). The executable should correspond to your application runtime code.
If you see a 'SYN_SENT' status on a connection used by your application in the netstat output with destination port 389 / 636, you should resolve the firewall issues between your workstation and this DC.
On the DCs, please enable LDAP Interface logging as in the link; you should choose at least level 2 (Basic) for 16 LDAP Interface Events. https://learn.microsoft.com/en-US/troubleshoot/windows-server/active-directory/configure-ad-and-lds-event-logging
Run your program again; when the error re-occurs, please note the DC as above and check the LDAP Interface events in Event Viewer. If you see Event IDs 2886, 2887, 2888 or 2889, then there is a problem with the LDAP signing requirement. Please see https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server#event-reference-for-ldap-signing-requirements and set your workstation LDAP signing setting accordingly.
If no problems exist with the firewall and LDAP signing and the connection is over SSL (port 636), then there may be an issue with the SSL certificate. You may check this in the CAPI2 logs under Event Viewer - Applications and Services Logs, Microsoft, Windows, CAPI2 - Operational. You should enable it first. If there is an issue with the Trusted Root etc., it should be resolved.
Please check also the Security event logs of the DC you have identified; this may reveal the authentication issues. For example, if your application uses NTLM v1 it may be dropped; you should use NTLMv2. Or, if Kerberos is used, you may enable Kerberos logging via the link https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-kerberos-event-logging to see what authentication issue blocks the LDAP communication.
As the communication stops after the LDAP ping, it seems that some LDAP requirement (like signing) is not met during the connection and the connection is stopped.
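The checks described in the answer above (which process is talking to port 389/636 and in what state, the client's LDAP signing policy, and the 2886-2889 signing events on the DC), gathered by one added PowerShell script. This is an added example, not code from the question or the answer; the DC name is a placeholder, and reading the DC's Directory Service log remotely assumes the account has event log read rights on that DC.

```powershell
# Added diagnostic script (not from the original post). Run on the affected
# workstation; replace the placeholder DC name with the DC noted during the error.
param(
    [string]$DomainController = 'DC01.domain.com'   # placeholder, replace
)

# 1. Client-side: which process holds LDAP (389) / LDAPS (636) connections and in
#    what state. A SynSent entry is the firewall symptom the answer describes.
Write-Host "== LDAP/LDAPS connections from this workstation =="
Get-NetTCPConnection -RemotePort 389, 636 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $proc.ProcessName
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
        }
    } | Format-Table -AutoSize

# 2. Client LDAP signing policy: 0 = none, 1 = negotiate (default), 2 = require.
#    A DC that requires signing will reject a client set to 0.
$ldapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$client  = Get-ItemProperty -Path $ldapKey -ErrorAction SilentlyContinue
$level   = if ($null -ne $client.LDAPClientIntegrity) { $client.LDAPClientIntegrity } else { 'not set (default 1)' }
Write-Host "Client LDAPClientIntegrity: $level"

# 3. DC side: LDAP signing events 2886-2889 from the Directory Service log over
#    the last two days (the window in which users reported the error). The
#    rejecting events carry the client address in their message text.
Write-Host "== LDAP signing events on $DomainController (last 2 days) =="
$filter = @{
    LogName   = 'Directory Service'
    Id        = 2886, 2887, 2888, 2889
    StartTime = (Get-Date).AddDays(-2)
}
Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'ClientLine'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Client' } | Select-Object -First 1) } } |
    Format-Table -AutoSize
```

If step 1 shows an Established connection and step 3 shows 2889 entries for this workstation's address, the mismatch is the signing policy rather than the firewall.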