Active Directory Issue - COMException 0x80072020 An operations erroroccurred

[paul.haines]

I've developed an ASP.NET 2.0 website, at the place I work at, that
needs to support both web accounts and windows accounts, (via A.D. -
it's complicated so I won't bore you). Therefore I've extended the
SqlMembershipProvider to include A.D. support via custom code. The
problem I have is that, whilst it works on my local test server, when
the website's published to a 'testing' server the A.D. code doesn't
work at all.

My requirement is to find the GUID for the current user's account, (so
it can be looked up via a separate system, which I can't change). The
basic code I use to get this data is;

// See if there's a windows log-in account entry for the current user.
WindowsIdentity objWindowsIdentity = WindowsIdentity.GetCurrent();
if (objWindowsIdentity != null)
{
// Now look it up via A.D. to find their corresponding account
there.
// -> First set-up the searching options to find this user.
DirectoryEntry objParentDirEntry = new DirectoryEntry(...);
//if (objParentDirEntry != null)
//{
// -> As the windows account name will be '{network}\
{username}', extract the actual name to locate.
string strUsername = objWindowsIdentity.Name.Split('\\')[1];
DirectorySearcher objSearcher = new
DirectorySearcher(objParentDirEntry,
String.Format("(sAMAccountName={0})", strUsername));
SearchResult objResult = objSearcher.FindOne();
if (objResult != null)
{
// -> Their A.D. information has been successfully found, so
return the results.
pobjDirEntry = objResult.GetDirectoryEntry();
}
//}
}
Where the 'pobjDirEntry' is the DirectoryEntry used for finding the
GUID.

The problem is I get the following error when the search is performed:
System.Runtime.InteropServices.COMException (0x80072020): An
operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean
throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
...

Can someone point out what I've done wrong, or a better way of
performing the above? Or simply explain why I'm getting the error, and
what I can do to fix it?
Everything I've read about the error says the search criteria is
wrong, but it works locally and the details it uses , as far as
everyone I've spoken to at my company is concerned, are correct.
Otherwise it's that the user's security isn't high enough, but no-one
says what it *should* be. Can someone explain it to me

Thanks in advance,
Paul

 

[Dave]

Looking at my notes on this error, I had to use a service account as follows...
entry = new DirectoryEntry(path, ServiceAccount, ServiceAccountPwd);

Also, from a posting I recieved...

"The trick here is that if the AD server is on a different machine (very
likely), you'll need to Kerberos Delegation to get this impersonation to
work. Read these articles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572"

I recall our web ops guys had to enable Kerberos or a set a "negotiate"
property since the authentication was getting dropped between servers. I
think this is referred to as a "double-hop" as mentioned in the above
article...

I wish I could be more of a help on this but it's been awhile...

I've developed an ASP.NET 2.0 website, at the place I work at, that
needs to support both web accounts and windows accounts, (via A.D. -
it's complicated so I won't bore you). Therefore I've extended the
SqlMembershipProvider to include A.D. support via custom code. The
problem I have is that, whilst it works on my local test server, when
the website's published to a 'testing' server the A.D. code doesn't
work at all.

My requirement is to find the GUID for the current user's account, (so
it can be looked up via a separate system, which I can't change). The
basic code I use to get this data is;

// See if there's a windows log-in account entry for the current user.
WindowsIdentity objWindowsIdentity = WindowsIdentity.GetCurrent();
if (objWindowsIdentity != null)
{
// Now look it up via A.D. to find their corresponding account
there.
// -> First set-up the searching options to find this user.
DirectoryEntry objParentDirEntry = new DirectoryEntry(...);
//if (objParentDirEntry != null)
//{
// -> As the windows account name will be '{network}\
{username}', extract the actual name to locate.
string strUsername = objWindowsIdentity.Name.Split('\\')[1];
DirectorySearcher objSearcher = new
DirectorySearcher(objParentDirEntry,
String.Format("(sAMAccountName={0})", strUsername));
SearchResult objResult = objSearcher.FindOne();
if (objResult != null)
{
// -> Their A.D. information has been successfully found, so
return the results.
pobjDirEntry = objResult.GetDirectoryEntry();
}
//}
}
Where the 'pobjDirEntry' is the DirectoryEntry used for finding the
GUID.

The problem is I get the following error when the search is performed:
System.Runtime.InteropServices.COMException (0x80072020): An
operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean
throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
...

Can someone point out what I've done wrong, or a better way of
performing the above? Or simply explain why I'm getting the error, and
what I can do to fix it?
Everything I've read about the error says the search criteria is
wrong, but it works locally and the details it uses , as far as
everyone I've spoken to at my company is concerned, are correct.
Otherwise it's that the user's security isn't high enough, but no-one
says what it *should* be. Can someone explain it to me

Thanks in advance,
Paul