Error: "An operation error occurred" in System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity

I have the following code to retrieve AD groups of a given username in my MVC3 web application:

using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// username is expected in DOMAIN\user form; the part before the backslash selects the domain to bind to.
PrincipalContext userDomain = new PrincipalContext(ContextType.Domain, username.Split('\\')[0]);
UserPrincipal user = UserPrincipal.FindByIdentity(userDomain, username);
if (user == null)
{
    throw new ArgumentException("User not found in domain: " + username);
}
PrincipalSearchResult<Principal> memberOfGroups = user.GetGroups();
IEnumerator<Principal> memberOfGroupsEnumerator = memberOfGroups.GetEnumerator();
List<string> userADGroups = new List<string>();
try
{
    while (memberOfGroupsEnumerator.MoveNext())
    {
        userADGroups.Add(memberOfGroupsEnumerator.Current.ToString());
    }
}
catch
{
    // When trying to access AD groups of a different domain, issues can arise at the end of the enumerator. These may be ignored.
}

This works fine locally, but when deployed to another machine on the network, it fails with the following error:

An operational error has occurred.

Stack trace for error:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operation error occurred.
in System.DirectoryServices.DirectoryEntry.Bind (Boolean throwIfFail)
in System.DirectoryServices.DirectoryEntry.Bind ()
in System.DirectoryServices.DirectoryEntry.get_AdsObject ()
in System.DirectoryServices.PropertyValueCollection.PopulateList ()
in System.DirectoryServices.PropertyValueCollection..ctor (DirectoryEntry entry, String propertyName)
in System.DirectoryServices.PropertyCollection.get_Item (String propertyName)
in System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer ()
in System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit ()
in System.DirectoryServices.AccountManagement.PrincipalContext.Initialize ()
in System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx ()
in System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper (PrincipalContext context, type mainType, Nullable`1 identityType, String identityValue, DateTime refDate)
in System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity (PrincipalContext context, String identityValue)
in MvcSFIWebSite.Models.User..ctor (username String)

The error message is rather ambiguous, and I can’t understand what is happening as it works fine locally.

IIS on the machine used for deployment runs under a user account instead of the AppPool identity. Should this account have permission to access the AD group directory? Are there any other settings explicitly required in IIS for this?

Any suggestions would be very helpful. Thanks in advance.

+6
3 answers

The problem was that `identity impersonate` was set to true in web.config, so the user token that was passed on was a secondary (impersonation) token and therefore could not access Active Directory.

This answer solved my problem.

+16
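The accepted answer's point in code, as an added example that is not the asker's code or from any of the answers: with `<identity impersonate="true" />` and Windows authentication, the request thread holds the browser user's network logon token, which the web server cannot forward to a domain controller (the classic "second hop"). The helper below inspects the current token's impersonation level and, if it is a secondary token, reverts to the process (application pool) identity for the duration of the directory query, then restores the request identity. It assumes the application pool runs as a domain account that may read group membership, and that the input is in DOMAIN\user form; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not the original poster's code. Assumes the app pool identity is a
// domain account allowed to read group membership and that the caller passes DOMAIN\user.
public static class AdGroupLookup
{
    public static List<string> GetGroupNames(string domainQualifiedUser)
    {
        if (string.IsNullOrEmpty(domainQualifiedUser) || !domainQualifiedUser.Contains("\\"))
        {
            throw new ArgumentException("Expected DOMAIN\\user", "domainQualifiedUser");
        }

        string[] parts = domainQualifiedUser.Split(new[] { '\\' }, 2);
        string domain = parts[0];
        string samAccountName = parts[1];

        WindowsIdentity current = WindowsIdentity.GetCurrent();

        // Under <identity impersonate="true"/> plus Windows authentication the thread runs on
        // the browser user's network token (Impersonation level). That token carries no
        // credentials that can be re-used against the domain controller, so an LDAP bind
        // made with it fails. An Identification-level token cannot open resources at all.
        bool onSecondaryToken =
            current.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
            current.ImpersonationLevel == TokenImpersonationLevel.Identification;

        // Impersonate(IntPtr.Zero) reverts the thread to the process identity (the app pool
        // account), which does have its own credentials and can bind to the domain.
        WindowsImpersonationContext reverted = onSecondaryToken
            ? WindowsIdentity.Impersonate(IntPtr.Zero)
            : null;

        try
        {
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
            using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                // FindByIdentity returns null for an unknown account; return an empty list
                // rather than letting a NullReferenceException surface as an obscure error.
                if (user == null)
                {
                    return new List<string>();
                }

                List<string> names = new List<string>();
                using (PrincipalSearchResult<Principal> groups = user.GetGroups())
                {
                    foreach (Principal group in groups)
                    {
                        names.Add(group.SamAccountName ?? group.Name);
                    }
                }
                return names;
            }
        }
        finally
        {
            // Always put the request's impersonated identity back, even on failure,
            // so later code in the request does not silently run as the service account.
            if (reverted != null)
            {
                reverted.Undo();
            }
        }
    }
}
```

Reverting only around the directory call keeps the rest of the request running as the authenticated user, so authorization decisions elsewhere in the application are unaffected; the alternative is to set `<identity impersonate="false" />` as the answer describes, which makes the whole request run as the application pool account. In both cases the account that performs the query is the service identity, so that is the account that needs read access to group membership, not the individual browser users. Cross-domain group enumeration, which the asker's own catch block works around, is not handled here.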

We also had this problem, but the configuration file did not have this setting. But after checking all kinds of options in IIS, I found a similar option in the user interface.

Configure IIS Impersonation

+2

When impersonation is enabled and Windows authentication is enabled, Active Directory will not accept the credentials of a user who impersonates another. You can solve this using basic authentication instead of Windows authentication. PS: always use SSL with basic authentication.

0
