Reputation: 3434
Active Directory COM Exception - An operations error occurred (0x80072020)
I am getting an intermittent COM Exception "An operations error occurred (0x80072020)" (shown below) when I try and query Active Directory using the method GroupPrincipal.FindByIdentity
Here is my code:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, "Group to find");
I am receiving Exception:
Inner Exception: System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
The code is running from a Windows service on a Windows 2003 SP2 server.
I have found another Stack Overflow question, Active Directory, enumerating user's groups, COM exception, suggesting that enabling Kerberos as an option in the PrincipalContext constructor will fix this problem but I am receiving a different hex code than in this question.
My questions are:
- Is this particular COM Exception definitely an authentication issue? I need to be sure that this will 100% fix the problem before releasing the software.
- Is there a resource somewhere which lists all the possible COM exception hex codes so that I can help myself a bit better in the future?
Upvotes: 28
Views: 64275
Answers (8)
Reputation: 21304
The issue is often that the context for which the Active Directory calls is made is under a user that does not have permissions (also can happen when identity impersonate="true" in ASP.NET, due to the fact that the users token is a "secondary token" that cannot be used when authenticating against another server from: https://social.technet.microsoft.com/Forums/en-US/f188029c-51cf-4b50-966a-eee7160d0353/an-operations-error-occured).
The following code will ensure that the block of code your are running, is run under the context of say the AppPool (i.e. NETWORKSERVICE) that your service or site is running under.
using (HostingEnvironment.Impersonate())
{
var domainContext = new PrincipalContext(ContextType.Domain, "myDomain.com");
var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.Name, "PowerUsers");
if (groupPrincipal != null)
{
//code to get the infomation
}
}
However, one super important detail is that all the code calling Active Directory must be in that block. I had used some code a team member of mine wrote that was returning a LINQ query results of type Users (custom class), but not evaluting the expression (bad practice). Therefore the expression tree was returned instead of the results.
What ended up happening is the calling code eventually evaluated the results and the An operations error occurred message still appeared. I though the code fix above didn't work. When in fact it did, but there was code evaluating the results outside the block.
In a nutshell, make sure all code to access Active Directory is inside that using block and the exception should be fixed one the service/app is deployed to the server.
Upvotes: 44
Reputation: 12349
Granted this is 2 years later, I ran into this and found that the following solved my issue:
using System.Web.Hosting;
...
...
// Code here runs as the logged on user
using (HostingEnvironment.Impersonate()) {
// This code runs as the application pool user
DirectorySearcher searcher ...
}
3rd party
The HostingEnvironment.Impersonate Method was available in .Net 4.8. But starting with .NET Core 1.0 it is no longer available
The requested page is not available for .NET Core 1.0. You have been redirected to the newest product version this page is available for.
Upvotes: 9
Reputation: 159
For me, I ran into the same problem with trying to login to one of the domain controllers, I have 2 domain controllers, 1 of them is working and the other is not working, I believe it has something to do with the user profile, still investigating...
Upvotes: 0
Reputation: 124
If you got a error code, "An operations error occurred (0x80072020)", it might mean "Access denied".
- Check your Web server whether or not in AD Domain
- If not you have to put authentication into PrincipalContext.
public bool foo(String username, String password) {
string ADIPaddress = "[ipaddress]";
ContextOptions options = ContextOptions.Negotiate;
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, AD_IPaddress, null, options, username, password);
bool isAuthenticated = principalContext.ValidateCredentials(username, password, options);
return isAuthenticated;
}
Upvotes: 0
Reputation: 21
I had the same problem. I got success after changing the application pool as below: Process model load user profile = true
Upvotes: 2
Reputation: 409
In my case, the web app pool was running as "DefaultAppPool" which did not have sufficient access to connect to Company's Active Directory. So, I impersonated an account which has access to AD in my code and everything worked fine.
Upvotes: 0
Reputation: 3252
This happened to me in ASP.NET (Windows 2008 R2 / IIS7) where I was messing around with Web.config and this error started happening on every FindByIdentity call. The root cause was that the App Pool was running as DefaultAppPool, and it started working again once I changed it to run as Network Service. I don't quite understand why it would get changed, but it did.
Upvotes: 4
Reputation: 3434
I've now found another answer Unable to add user with CrmService API in Dynamics CRM which states that 0x80072020 is indeed a permission issue. I have changed my service to run under a domain level account instead of the local system account and this seems to have cured my problem.
Upvotes: 21
Related Questions
- System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred
- COMException Unknown error (0x80005000) - DirectoryServices
- DirectoryServicesCOMException (0x80072020) when using Active Directory from ASP.NET application
- -2147016672 "An operations error occured" System.DirectoryServices.AccountManagement
- Unhandled Exception Active Directory
- System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
- Intermittant Exception in System.DirectoryServices
- The requested operation did not satisfy one or more constraints associated with the class of the object?
- Strange COM interop exception 0x80005000 using System.DirectoryServices.AccountManagement libraries
- C# - COMException was unhandled