DirectoryServicesCOMException (0x80072020) when using Active Directory from ASP.NET application

6

Introduction

I'm maintaining a legacy ASP.NET 3.5 application that queries Active Directory. The application uses "Integrated Windows Authentication" and is designed to connect to Active Directory using its own security context rather than a dedicated username and password.

Here is the relevant code.

using (DirectoryEntry root = new DirectoryEntry())
using (DirectorySearcher searcher = new DirectorySearcher(root))
{
    searcher.Filter = string.Format("(&(samAccountName={0})(objectClass=user)(objectCategory=person))", userName.Trim());
    SearchResultCollection results = searcher.FindAll();
}

Although it uses ASP.NET 3.5, it needs to be runnable from an ASP.NET 4.0 application pool due to existing infrastructure constraints.

Problem

The call to FindAll throws the following exception under certain circumstances:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.

When I inspect the exception object with the Visual Studio debugger, the ExtendedErrorMessage property contains more detailed information:

000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

The following screenshot shows what this looks like in Visual Studio's debugger:

Image showing a DirectoryServicesCOMException with its ExtendedErrorMessage property set to 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

What Works

I've found some work-arounds to make this work, but none of them are acceptable to me:

  1. Disabling Integrated Windows Authentication and instead using Basic Authentication.
  2. In IIS, running the application under ASP.NET 2.0 with the Network Service account and ASP.NET impersonation disabled.
  3. Only accessing the application from the web server, using localhost as the host name.
  4. Using ASP.NET impersonation with a hard-coded account in web.config.

What Doesn't Work

I've found some suggestions from the Internet, but none of them completely resolved the problem:

  1. Using HostingEnvironment.Impersonate().
  2. Disabling impersonation.

What I Want

I would like to make this work without having to reconfigure anything in Active Directory. It works fine under certain IIS configuration as shown above, so I believe it should be possible to make it work by reconfiguring the application or IIS (except for changing the .NET framework version).

asp.net
active-directory
windows-authentication
asked on Stack Overflow Jun 14, 2013 by Sam • edited Jun 20, 2020 by Community

1 Answer

3

I believe the problem had multiple causes:

  1. Use of ASP.NET impersonation.
  2. Running the ASP.NET 3.5 application under an ASP.NET 4.0 application pool.

To resolve the second one, upgrade the application to ASP.NET 4.0 or configure IIS to use ASP.NET 2.0.

answered on Stack Overflow Jun 17, 2013 by Sam

User contributions licensed under CC BY-SA 3.0