Introduction
I'm maintaining a legacy ASP.NET 3.5 application that queries Active Directory. The application uses "Integrated Windows Authentication" and is designed to connect to Active Directory using its own security context rather than a dedicated username and password.
Here is the relevant code.
using System.DirectoryServices;

// Escape LDAP filter metacharacters (RFC 4515) so a crafted userName cannot change the filter (LDAP injection).
static string EscapeLdapFilterValue(string value)
{
    return value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
}

// No path or credentials: binds to the domain root using the current security context (process or impersonated identity).
using (DirectoryEntry root = new DirectoryEntry())
using (DirectorySearcher searcher = new DirectorySearcher(root))
{
    searcher.Filter = string.Format("(&(samAccountName={0})(objectClass=user)(objectCategory=person))", EscapeLdapFilterValue(userName.Trim()));
    SearchResultCollection results = searcher.FindAll();   // the call that throws under the IIS configurations described below
}
Although it uses ASP.NET 3.5, it needs to be runnable from an ASP.NET 4.0 application pool due to existing infrastructure constraints.
Problem
The call to FindAll throws the following exception under certain circumstances:
System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
When I inspect the exception object with the Visual Studio debugger, the ExtendedErrorMessage property contains more detailed information:
000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
The following screenshot shows what this looks like in Visual Studio's debugger:
What Works
I've found some work-arounds to make this work, but none of them are acceptable to me:
- Disabling Integrated Windows Authentication and instead using Basic Authentication.
- In IIS, running the application under ASP.NET 2.0 with the Network Service account and ASP.NET impersonation disabled.
- Only accessing the application from the web server, using localhost as the host name.
- Using ASP.NET impersonation with a hard-coded account in web.config.
What Doesn't Work
I've found some suggestions from the Internet, but none of them completely resolved the problem:
- Using HostingEnvironment.Impersonate().
- Disabling impersonation.
What I Want
I would like to make this work without having to reconfigure anything in Active Directory. It works fine under certain IIS configurations as shown above, so I believe it should be possible to make it work by reconfiguring the application or IIS (except for changing the .NET framework version).
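Because the bind in the question's code is implicit (no path, no credentials), whether it succeeds depends entirely on which Windows identity the worker thread holds at the moment FindAll runs, and that is exactly what differs between the IIS configurations listed under "What Works". The following diagnostic is an added example, not code from the question or from the application it describes; the class and method names (AdBindDiagnostics, Probe, ProbeAsProcessIdentity) are hypothetical. It records the thread identity, authentication type and impersonation level, runs the same search, and on failure returns the LDAP ExtendedErrorMessage instead of throwing, so the output under Integrated Windows Authentication from a remote client can be compared side by side with the output under localhost, Basic Authentication, or a fixed impersonation account. The second method repeats the probe after reverting any ASP.NET impersonation to the worker-process account.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added diagnostic helper (hypothetical name): reports the security context an implicit
// DirectoryEntry() bind runs under, and the LDAP-level error text when the bind fails.
public static class AdBindDiagnostics
{
    // Escape LDAP filter metacharacters (RFC 4515) so the supplied name cannot change the filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Returns a one-line report and never throws, so it can be called from a diagnostics page or handler.
    public static string Probe(string userName)
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        string context = string.Format("thread identity={0}; authType={1}; impersonationLevel={2}",
            current.Name, current.AuthenticationType, current.ImpersonationLevel);

        try
        {
            // Same implicit bind as the original code: domain root, current security context.
            using (DirectoryEntry root = new DirectoryEntry())
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                searcher.Filter = string.Format("(&(samAccountName={0})(objectClass=user)(objectCategory=person))",
                    EscapeFilterValue(userName.Trim()));
                searcher.PropertiesToLoad.Add("distinguishedName");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    return context + "; bind OK; matches=" + results.Count;
                }
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // ExtendedErrorMessage carries the LDAP detail (e.g. "a successful bind must be completed on the connection").
            return context + "; bind FAILED 0x" + ex.ErrorCode.ToString("X8") + ": " + ex.ExtendedErrorMessage;
        }
    }

    // Same probe after reverting any impersonation: IntPtr.Zero makes the thread run as the worker-process account.
    public static string ProbeAsProcessIdentity(string userName)
    {
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return Probe(userName);
        }
    }
}
```

Call both methods from the same request (for example from a page that writes their return values into a log) under each of the configurations in the "What Works" and "What Doesn't Work" lists. Two lines that differ only in the identity fields, one reading "bind OK" and the other "bind FAILED ... a successful bind must be completed", pin down which token is being presented to the domain controller in the failing case.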