timmy

Reputation: 31

DirectoryServiceCOMException (0x80072020) when calling UserPrincipal.FindByIdentity

Trying to troubleshoot a bug with user creation based on AD credentials and I'm getting the above exception, but because of access restrictions my available information is somewhat limited to logfiles. I know this is a permissions issue, but all the suggestions I've found have produced no different results.

This main project is set up to use forms authentication and anonymous authentication, but we have a separate "Employee" project to use Windows Authentication to authenticate internal users against AD.

I've changed the following based on the suggestions I've found:

The current server configuration is working on an internal staging server using the same AD server. Here is the stack dump I'm getting in the logs:

2014-09-09 15:33:24,365 |28| (Services.Security.UserManagement.UserPrincipal) [ INFO] - About to call FindByIdentity 
2014-09-09 15:33:24,365 |28| (Services.Security.UserManagement.UserPrincipal) [ INFO] - Current IIS user is: IIS APPPOOL\DefaultAppPool 
2014-09-09 15:33:24,397 |28| (Services.Security.UserManagement.UserPrincipal) [ERROR] - EXCEPTION in Method: Initialize - Exception: System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
   at Services.Security.UserManagement.UserPrincipal.Initialize() 
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.

The code that appears to be causing the exception is below:

// Namespaces this method relies on (the post shows only the method, not the file header):
// using System;
// using System.DirectoryServices.AccountManagement;
// using System.Web;

private void Initialize()
{
    if (this.principal == null)
    {
        if (HttpContext.Current != null)
        {
            // The Employee project's Windows Authentication stores the user name in an encrypted cookie.
            HttpCookie cookie = HttpContext.Current.Request.Cookies[ConstantsEnum.WindowsAuthCookie];

            if (cookie != null)
            {
                string username = this.AesEncryptor.Decrypt(cookie.Value);

                // No explicit credentials are passed, so the LDAP bind runs under the
                // process identity (the "Current IIS user" logged above), not the user named in the cookie.
                this.context = new PrincipalContext(ContextType.Domain, ConstantsEnum.DomainName);
                this.principal = System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(this.context, username);

                if (this.principal == null)
                {
                    // Two-argument overload: the single-string constructor treats its argument as the parameter name.
                    throw new ArgumentNullException("username",
                        string.Format("The UserPrincipal for {0} was not found.", username));
                }
            }
        }
    }
}

Upvotes: 1

Views: 1174

Answers (1)

timmy

Reputation: 31

After adding some logging (which resulted in the info lines above) in the code and finding exactly what was going on, I saw that the app wasn't trying to pass the logged-in user token, but instead was using the DefaultAppPool identity. I found that this question described my situation, and when changing the DefaultAppPool Identity to LocalSystem from ApplicationPoolIdentity I was able to use the project as expected.

Upvotes: 2
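As an added example (not code from the original post), the lookup below records which Windows identity the LDAP bind actually ran under and, optionally, binds with a dedicated domain service account so the app pool can stay on ApplicationPoolIdentity instead of being raised to LocalSystem. `DirectoryLookup`, `FindUser` and the service-account parameters are assumed names; the domain and credential values are placeholders, not values from the post.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class DirectoryLookup
{
    // HRESULT from the question's stack trace: ERROR_DS_OPERATIONS_ERROR ("An operations error occurred").
    private const int DsOperationsError = unchecked((int)0x80072020);

    // Resolves a user by identity. With serviceAccountUser == null the bind uses the
    // process token (e.g. IIS APPPOOL\DefaultAppPool); otherwise it uses the supplied
    // least-privilege domain account. Both values are assumed placeholders here.
    public static UserPrincipal FindUser(string domain, string username,
                                         string serviceAccountUser = null,
                                         string serviceAccountPassword = null)
    {
        // Identity System.DirectoryServices presents to the domain controller
        // when no explicit credentials are supplied; worth writing to the log.
        string caller = WindowsIdentity.GetCurrent().Name;

        PrincipalContext context = serviceAccountUser == null
            ? new PrincipalContext(ContextType.Domain, domain)
            : new PrincipalContext(ContextType.Domain, domain,
                                   serviceAccountUser, serviceAccountPassword);

        try
        {
            // Same call that threw in the question; this forces the LDAP bind.
            return UserPrincipal.FindByIdentity(context, username);
        }
        catch (DirectoryServicesCOMException ex)
        {
            string detail = ex.ErrorCode == DsOperationsError
                ? "the bind identity could not authenticate to the domain"
                : "directory call failed";
            throw new InvalidOperationException(
                string.Format("Lookup of '{0}' in {1} failed with 0x{2:X8} while running as '{3}': {4}.",
                              username, domain, ex.ErrorCode, caller, detail), ex);
        }
    }
}
```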
