
We have a new ASP.NET web application we are deploying that uses a separate DLL which we also built which in turn interrogates the Active Directory for simple user and group membership information. The server is Windows Server 2003.

The application works fine if I RDP to the server and browse it under localhost.

The application throws the following error when I browse to it from a separate PC. It also throws the same error if I browse to it from the RDP session on the server, but browse it under the server name.

Is this a code-access security issue? Other ideas?

Exception Details: System.Runtime.InteropServices.COMException: An operations error occurred.

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: [COMException (0x80072020): An operations error occurred. ]

   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +420085
   System.DirectoryServices.DirectoryEntry.Bind() +36
   System.DirectoryServices.DirectoryEntry.get_Name() +32
   USM.UsmAD.get_DomainName() in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\Active Directory Search\USMAD\USMAD\UsmAD.cs:60
   USM.UsmAD.Get_UserGroupNames(String username) in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\Active Directory Search\USMAD\USMAD\UsmAD.cs:190
   AdminWeb.CheckAccessDAL.GetGroupNames() in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\AdminWeb\USMDAL\CheckAccessDAL.cs:28
   AdminWeb.CheckAccessDAL.SetMenuAccess(Menu mnuUSMAdmin) in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\AdminWeb\USMDAL\CheckAccessDAL.cs:89
   AdminWeb.SiteMaster.TrimMainMenus() in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\AdminWeb\AdminWeb\Site.Master.cs:50
   AdminWeb.SiteMaster.Page_Load(Object sender, EventArgs e) in C:\DevWork\Repo_CP\UnifiedSecurity\BRANCHES\LoginVsGUID\Applications\AdminWeb\AdminWeb\Site.Master.cs:17
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnLoad(EventArgs e) +91
   System.Web.UI.Control.LoadRecursive() +74
   System.Web.UI.Control.LoadRecursive() +146
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2207
AjarnMark
  • What security context is the web application running as? When the request is made to Active Directory - what credentials are being passed? – Ta01 Oct 25 '11 at 17:52
  • possible duplicate of [Acitve Directory COM Exception - An operations error occured (0x80072020)](http://stackoverflow.com/questions/7285503/acitve-directory-com-exception-an-operations-error-occured-0x80072020) – NotMe Oct 25 '11 at 18:03
  • @kd7 no specific credentials are being passed. The PrincipalContext in Get_UserGroupNames is being instantiated like this: `using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, DomainName + ".com"))` – AjarnMark Oct 25 '11 at 19:56
  • @ChrisLively Granted it appears similar to that, but the solution there of running under a domain account is not, at least not by itself, the solution. See my comment below regarding now being challenged to login although the web site is set to use Integrated Windows Authentication. – AjarnMark Oct 25 '11 at 20:00
  • NOTE: I originally said the Active Directory DLL was in the GAC. It is not. It is in the BIN folder. – AjarnMark Oct 25 '11 at 23:32
  • I have this same problem. Another symptom I've found is if I disable Integrated Windows Authentication and instead use Basic Authentication, the problem disappears. – Sam Jun 13 '13 at 23:29
  • In my case, when I view the exception object using the Visual Studio debugger, it includes the following extended error description property: `000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1`. – Sam Jun 14 '13 at 03:36
  • I just discovered that this problem is resolved by running the application in ASP.NET 2. – Sam Jun 14 '13 at 06:30
  • In addition to the above comment, I think the AppPool should run as "Network Service" and impersonation should be disabled. – Sam Jun 14 '13 at 06:38

2 Answers

0

You will probably need to run your app pool under a domain-level identity that has permission to access the resources it needs to talk to Active Directory.

Specify an Identity for an Application Pool (IIS 7)

Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)

Here is an article if you need to do this at runtime:

How To: Use Impersonation and Delegation in ASP.NET 2.0

I also encourage you to implement an UnhandledException handler to log these run-time errors.

rick schott
  • When I do that, the site now prompts me to login, and it never accepts my domain credentials. After three failures, I get a 401.1 Unauthorized error. I am an Administrator on the server, so there should be no problem. The site continues to function under localhost. – AjarnMark Oct 25 '11 at 19:26
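As an added example (not the question's USM.UsmAD code and not code from either answer), here is one way to do the group lookup the comments describe while controlling which identity performs the LDAP bind. The class and method names, the domain, and the service account are assumed; the account's password should come from a protected configuration source rather than being hard-coded, and if the app pool already runs as a domain account with impersonation disabled, pass null for the user name and password so the process identity is used.

```csharp
// Added example, not from the thread: bind to AD with an explicit identity
// instead of whatever token the current request happens to carry.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class AdGroupLookup
{
    // HRESULT shown in the question's stack trace: ERROR_DS_OPERATIONS_ERROR.
    private const int ErrorDsOperationsError = unchecked((int)0x80072020);

    // domain: e.g. "corp.example.com" (assumed); svcUser/svcPassword: a read-only
    // service account, or null/null to bind as the process (app pool) identity.
    public static List<string> LookupGroups(string domain, string svcUser,
                                            string svcPassword, string username)
    {
        var names = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, svcUser, svcPassword))
        {
            try
            {
                using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
                {
                    if (up == null) return names;   // unknown user: empty list, not an exception
                    using (PrincipalSearchResult<Principal> groups = up.GetAuthorizationGroups())
                    {
                        foreach (Principal g in groups)
                            names.Add(g.SamAccountName ?? g.Name);
                    }
                }
            }
            catch (COMException ex)
            {
                if (ex.ErrorCode != ErrorDsOperationsError) throw;
                // Record the identity the bind actually ran under. With no explicit
                // credentials this is the impersonated request token, which is what
                // differs between the localhost and remote cases in the thread.
                string who = WindowsIdentity.GetCurrent().Name;
                throw new InvalidOperationException(
                    "AD bind failed with 0x80072020 while running as '" + who + "'", ex);
            }
        }
        return names;
    }
}
```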
0

Sounds like a perms issue on the DLL.

Try allowing IUSR access to this file....

  • I was wrong earlier. We did not actually deploy the DLL into the GAC yet. The IUSR has access to the DLL, as does the IIS_WPG group. – AjarnMark Oct 25 '11 at 19:43
  • Tell me about how the DLL works, does it use the current users credentials for accessing AD or does it use some kind of hard coded service account.... – Matthewhall58 Oct 25 '11 at 19:59
  • No specific credentials are passed in. The code has references like this: `using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, DomainName + ".com")) { using (UserPrincipal up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username)) if (up != null) { using (PrincipalSearchResult<Principal> Groups = up.GetAuthorizationGroups()) { foreach (GroupPrincipal g in Groups)` – AjarnMark Oct 25 '11 at 20:07