Explains the 0x80072020 error in .NET 3.5 PrincipalContext when using ASP.NET impersonation with Active Directory, its cause, and security concerns with workaround.
I have found a small bug (as in, “Not working as expected!”) in the new .NET 3.5 PrincipalContext classes. When you are running on an ASP.NET site in impersonation mode you cannot retrieve information from active directory without the following error:
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) at UI_Controls_SharepointControl.Page_Load(Object sender, EventArgs e)
You need to specify a fixed account to access AD using:
Dim ctx As New PrincipalContext(ContextType.Domain, “[domain]”, “[accountName]”, “[password]”)
This is not so good! What if I wanted to use the current users credentials to update only fields that they are allowed to update in AD? If I use a static account that can access any users fields then this becomes a security risk.
Ahh well, I will live with it for now, but if anyone has another suggestion…
If you've made it this far, it's worth connecting with our principal consultant and coach, Martin Hinshelwood, for a 30-minute 'ask me anything' call.
We partner with businesses across diverse industries, including finance, insurance, healthcare, pharmaceuticals, technology, engineering, transportation, hospitality, entertainment, legal, government, and military sectors.
Slaughter and May
Epic Games
Workday
Schlumberger
Graham & Brown
ProgramUtvikling
Jack Links
New Signature
Freadom
Microsoft
Big Data for Humans
Qualco
Flowmaster (a Mentor Graphics Company)
Sage
Slicedbread
Brandes Investment Partners L.P.
Lockheed Martin
Xceptor - Process and Data Automation
Washington Department of Enterprise Services
Ghana Police Service
Department of Work and Pensions (UK)
Washington Department of Transport
Nottingham County Council
New Hampshire Supreme Court
Lean SA
ALS Life Sciences
Capita Secure Information Solutions Ltd
Xceptor - Process and Data Automation
New Signature
Big Data for Humans