Trying to troubleshoot a bug with user creation based on AD credentials and I'm getting the above exception, but because of access restrictions my available information is somewhat limited to logfiles. I know this is a permissions issue, but all the suggestions I've found have produced no different results.
This main project is set up to use forms authentication and anonymous authentication, but we have a separate "Employee" project to use Windows Authentication to authenticate internal users against AD.
I've changed the following based on the suggestions I've found:
The current server configuration is working on an internal staging server using the same AD server. Here is the stack dump I'm getting in the logs:
2014-09-09 15:33:24,365 |28| (Services.Security.UserManagement.UserPrincipal) [ INFO] - About to call FindByIdentity
2014-09-09 15:33:24,365 |28| (Services.Security.UserManagement.UserPrincipal) [ INFO] - Current IIS user is: IIS APPPOOL\DefaultAppPool
2014-09-09 15:33:24,397 |28| (Services.Security.UserManagement.UserPrincipal) [ERROR] - EXCEPTION in Method: Initialize - Exception: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at Services.Security.UserManagement.UserPrincipal.Initialize()
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
The code that appears to be causing the exception is below:
private void Initialize()
{
    if (this.principal == null)
    {
        if (HttpContext.Current != null)
        {
            // The cookie set by the "Employee" project carries the AES-encrypted username.
            HttpCookie cookie = HttpContext.Current.Request.Cookies[ConstantsEnum.WindowsAuthCookie];
            if (cookie != null)
            {
                string username = this.AesEncryptor.Decrypt(cookie.Value);
                // No credentials are passed here, so the bind to the domain is made
                // under the worker process identity (IIS APPPOOL\DefaultAppPool in the log).
                this.context = new PrincipalContext(ContextType.Domain, ConstantsEnum.DomainName);
                this.principal = System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(this.context, username);
                if (this.principal == null)
                {
                    throw new ArgumentNullException(string.Format("The UserPrincipal for {0} was not found.", username));
                }
            }
        }
    }
}
After adding some logging (which resulted in the info lines above) in the code and finding exactly what was going on I saw that the app wasn't trying to pass the logged-in user token, but instead was using the DefaultAppPool identity. I found that this question described my situation and when changing the DefaultAppPool Identity to LocalSystem from ApplicationPoolIdentity I was able to use the project as expected.
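As an added example (not the asker's or answerer's code), one way to make the directory bind independent of the app pool identity: PrincipalContext accepts explicit credentials, so a dedicated, low-privilege domain service account can perform the lookup instead of the worker process running as LocalSystem. The domain name, account name and password source below are placeholders; the log delegate stands in for whatever logger the project uses.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not code from the original question or answer.
public sealed class UserSummary
{
    public string SamAccountName { get; set; }
    public string DisplayName { get; set; }
    public string EmailAddress { get; set; }
}

public static class DirectoryLookup
{
    // Placeholder values: replace with the real domain and a dedicated service
    // account that only has read access to the directory. The password should
    // come from a protected configuration store, never from source code.
    private const string DomainName = "corp.example";
    private const string ServiceAccount = "svc-web-lookup";
    private static string ServiceAccountPassword => "<read from protected config>";

    public static UserSummary FindUser(string username, Action<string> log)
    {
        // Record which Windows identity the worker process actually runs as.
        // Under IIS this is normally "IIS APPPOOL\<pool name>", not the browsing
        // user, unless impersonation is in effect; a bind made with that token
        // is what produced the 0x80072020 "operations error" in the question.
        log("Process identity: " + WindowsIdentity.GetCurrent().Name);

        // Bind with explicit credentials instead of the process token, and ask
        // for signed and sealed LDAP traffic.
        using (var context = new PrincipalContext(
            ContextType.Domain, DomainName, null,
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
            ServiceAccount, ServiceAccountPassword))
        using (var principal = UserPrincipal.FindByIdentity(
            context, IdentityType.SamAccountName, username))
        {
            if (principal == null)
                throw new ArgumentException("No user found for " + username);

            // Copy the fields we need before the context is disposed.
            return new UserSummary
            {
                SamAccountName = principal.SamAccountName,
                DisplayName = principal.DisplayName,
                EmailAddress = principal.EmailAddress
            };
        }
    }
}
```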