6
votes

I have the following code to retrieve AD groups of a given user name in my MVC3 web application:

using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// username is expected in DOMAIN\user form; the domain prefix selects the directory context.
PrincipalContext userDomain = new PrincipalContext(ContextType.Domain, username.Split('\\')[0]);
UserPrincipal user = UserPrincipal.FindByIdentity(userDomain, username);
List<string> userADGroups = new List<string>();

// FindByIdentity returns null when the account does not exist; guard before calling GetGroups().
if (user != null)
{
    PrincipalSearchResult<Principal> memberOfGroups = user.GetGroups();
    IEnumerator<Principal> memberOfGroupsEnumerator = memberOfGroups.GetEnumerator();

    try
    {
        while (memberOfGroupsEnumerator.MoveNext())
        {
            userADGroups.Add(memberOfGroupsEnumerator.Current.ToString());
        }
    }
    catch
    {
        // When trying to access AD groups of a different domain, issues can arise at the end of the enumerator. These may be ignored.
    }
}

This works fine locally, but when deployed onto another machine on the network it errors out with the following error:

An operations error occurred.

The stack trace for the error:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at MvcSFIWebSite.Models.User..ctor(String username)

The error message is rather ambiguous and I am unable to figure out what is happening as it works fine locally.

The IIS on the machine used for deployment uses a custom account instead of the AppPool identity. Should this account be granted any permissions to access the AD group directory? Are any other settings explicitly required in IIS for this to work?

Any suggestions would be very helpful. Thanks in advance.

3 Answers

18
votes

The issue was that identity impersonate was set to true in web.config, so the user token being passed was a secondary token and hence could not access Active Directory.

This answer solved my issue.
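The cause described above, a secondary (impersonation) token that cannot authenticate to the domain controller from a second machine, can be sidestepped by running the directory query under the process identity rather than the impersonated caller. The following is an added example, not code from the question or any of the answers; it assumes the IIS application pool or custom service account is a domain account permitted to read group membership, and it looks up the user by the DOMAIN\user string rather than by the caller's token.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class AdGroupLookup
{
    // Returns the group names that DOMAIN\user belongs to. The LDAP bind runs
    // under the process identity (app pool / custom IIS account), so the
    // secondary token produced by <identity impersonate="true" /> is never
    // presented to the domain controller.
    public static List<string> GetGroups(string qualifiedUserName)
    {
        if (string.IsNullOrWhiteSpace(qualifiedUserName) || !qualifiedUserName.Contains("\\"))
            throw new ArgumentException("Expected DOMAIN\\user", "qualifiedUserName");

        string domain = qualifiedUserName.Split('\\')[0];
        var groups = new List<string>();

        // Impersonate(IntPtr.Zero) reverts the current thread to the process
        // identity; disposing the context restores the caller's impersonation.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, qualifiedUserName))
        {
            if (user == null)
                return groups; // unknown account: empty list rather than a NullReferenceException

            using (PrincipalSearchResult<Principal> result = user.GetGroups())
            {
                try
                {
                    foreach (Principal p in result)
                    {
                        // SamAccountName is stable across principal types; Name is the fallback.
                        groups.Add(p.SamAccountName ?? p.Name);
                    }
                }
                catch (PrincipalOperationException)
                {
                    // Resolving groups from a foreign domain can fail late in the
                    // enumeration; return what was collected so far.
                }
            }
        }
        return groups;
    }
}
```

Disposing the PrincipalContext and search result releases the underlying DirectoryEntry handles, which the original snippet leaves to the finalizer.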

2
votes

We had this issue also, but the configuration file did not have this setting. After checking all kinds of options in IIS, I found a similar option in the UI.

[Screenshot: IIS Impersonation setting]

0
votes

When impersonation is enabled and Windows authentication is enabled, Active Directory won't accept the credentials of the impersonated user. You can solve that by using Basic Authentication instead of Windows authentication. PS: always use SSL with Basic Authentication.