Thursday, December 27, 2007

Impersonation in ASP.NET causes [COMException (0x80072020): An operations error occurred. ]

When you run code that uses DirectorySearcher, DirectoryEntry or other classes that communicates with network resources from a webpart in a Sharepoint site, you recieve a: [COMException (0x80072020): An operations error occurred. ]

This is caused by the fact that when a user is authenticated against a sharepoint server using NTLM or Kerberos, a "secondary token" is sent to the server that it uses to authenticate the user. This token cannot be used to authenticate the current user against another server (e.g. a domain controller).

This can be circumvented by reverting the impersonation to the application pool account used by IIS (if this account has access to Active Directory) with the following code (this is equal to running with impersonation set to false in web.config):


using System.Web.Hosting;
...
...

// Code here runs as the logged on user

using (HostingEnvironment.Impersonate()) {
// This code runs as the application pool user
     DirectorySearcher searcher ...
}

// Code here runs as logged on user again

33 comments:

Anonymous said...

Thanks very much for sharing :)

Max Schmeling said...

Solved me problem! Thank you for the information.

Richard said...

Finally a solution that works! Thank you.

Anonymous said...

L.E.G.E.N.D!

Steven Chen said...

Thanks god I see the Post.
And thanks you very very much.

Anonymous said...

Excellent! You are the man...

Tigger said...

Fail, in asp.net 1.1 not can use this function, and can't change the value impersonate=false in web.config How to do?

Anonymous said...

HostingEnvironment not existing in ASP.Net 1.1....any solutions?

Anonymous said...

Excellent!

seabase said...

hi,
i wanna get the detail information from active directory .after the user login by intergrated windows authentication.
i donnt want the user to input password twice.
when i set impersonate false, i can not run well in debug mode(http://localhost/proj_name)
but when i set impersonate true ,i can run well in debug mode.but can not in http://10.0.1.22/proj_name.
i init the entry instance by below:
DirectoryEntry entry = new DirectoryEntry("GC://test.test.biz", null, null, AuthenticationTypes.Secure)

can you help me?
thanks in advance!

seabase said...

i found a post in internet said that .when you said username,password in null ,the asp.net will user integrated windows authentication to get the access permission by active directory.
is that true?

balle3201 said...

Thx alot.

Solved all my problems as well :-)

Anonymous said...

Man, today you are my personal hero :) Was already think about jumping out of the window because of this problem ;)

Sven De Bont said...

Thanks for the info.

Solved an annoying issue for me.

Sven

Anonymous said...

Saved my day. Thanks for the information

Anonymous said...

Many thanks.

Tahir said...

Thanks a lot...

Anonymous said...

tooo good! After all sorts of configurations and unsuccessfull attempts, this paid off 3 days of unworthiness.

Anonymous said...

thank you very much!

Anonymous said...

Hi,

I have used hostenvironment but it doesnot work for me in ASP.NET

Below is the code...
(HostingEnvironment.Impersonate())
{

DirectorySearcher deSearch = new DirectorySearcher();
deSearch.SearchRoot = RootDirectory;
deSearch.PropertiesToLoad.Add("cn");
deSearch.PropertiesToLoad.Add("SAMAccountName");
deSearch.Filter = "(&(objectClass=user)(SAMAccountName=" + employeeName + "))";
deSearch.SearchScope = SearchScope.Subtree;
results = deSearch.FindOne();


Mode = Windows
IMpersonation = True

pls help me to resolve..

Anonymous said...

Nice one. We are developing an ASP.net application and when deploying the same in server, it was giving the same error. Now it is been solved. Thanks a lot.

Anonymous said...

Thank you very much.
It solved my problem. I have been debugging this error for very very long time.

Chris Drake said...

This solved my problem.

Chris Drake said...

This solved my issue. I read a lot of posts about how this could be related to the connection pool or calling refreshcache on the directoryentry objects. Thanks.

@SPJeff said...

THANK YOU! This was exactly what I needed when coding an extra ASPX page for a website that does not have Kerberos enabled.

Anonymous said...

Great post. Solved my issue. Thank You!!!

Anonymous said...

when I use your code I get Unable to cast object of type System.DirectoryServices.AccountManagement.GroupPrincipal to type System.DirectoryServices.AccountManagement.UserPrincipal surname. any suggestions?

EC said...

THANKS!!!!!! really helps me a lot!

Anonymous said...

Thanks a lot. It saved my Time

Anonymous said...

Thank you very much. This solved my problem. I was all set for hours of lost productivity but I found your post right away and it fixed it for me.

Six years later and your post is still saving people!

Anonymous said...

Issue still there for 2003 Server!

Thanks! 3 days of searching and trying everything.

Curt Marsden said...

You ROCK!

Jaroslav Velíšek said...

Well done!