This post is programming related and has nothing to do with electronics. I have not written anything on programming-related topics lately, but this one is worth sharing as it concerns a rather obscure error.

The error occurred during an application server upgrade at work. When we migrated an ASP.Net 2.0 application from Windows Server 2003 to Windows Server 2008, the application failed to authenticate with Active Directory (AD), and here is the exception received:

Exception Details: System.Runtime.InteropServices.COMException: An operations error occurred.

[COMException (0x80072020): An operations error occurred.]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +377678
   System.DirectoryServices.DirectoryEntry.Bind() +36
   System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
   System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +78
   System.DirectoryServices.DirectorySearcher.FindOne() +47
... ...

Since this web application worked fine under IIS on Windows 2003, I knew it had to be a security-related issue with the updated security model in Windows Server 2008. The application is configured with a classic ASP.NET application pool, and IIS is configured with anonymous authentication.

The code snippet below shows where the exception occurred:

using System.DirectoryServices;

// No explicit credentials are passed, so the LDAP bind runs under the Windows
// identity of the current request/thread.
DirectoryEntry e = new DirectoryEntry("LDAP://..."); // the actual LDAP path is omitted.
DirectorySearcher s = new DirectorySearcher(e);

s.Filter = "..."; // the actual filter content is omitted.
SearchResult r = s.FindOne(); // throws COMException (0x80072020) here
ResultPropertyCollection rc = r.Properties;

As it turned out, in IIS 7 on Windows Server 2008 anonymous requests run by default under the built-in IUSR account rather than under the application pool's identity. Because the code above creates the DirectoryEntry without explicit credentials, the LDAP bind is attempted as IUSR, a local account with no domain credentials, which is what surfaces as the 0x80072020 error. The anonymous user needs to be changed to Application Pool Identity in order for the code above to work. This setting can be found under Sites | Site Name | Authentication | Anonymous Authentication.
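As an added example (not code from the original post), here is the same lookup wrapped so that it records which Windows identity the bind actually runs under and turns the bare 0x80072020 into an actionable error. The ldapPath and filter parameters stand in for the values the post omits, and sAMAccountName is only an illustrative attribute to load; both are assumptions, not values from the application.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic wrapper around the lookup from the post (not the application's own code).
// Assumes the caller supplies the LDAP path and filter that the post omits.
public static class AdLookup
{
    // The HRESULT reported in the post's stack trace.
    private const int OperationsErrorHResult = unchecked((int)0x80072020);

    public static SearchResult FindOneWithDiagnostics(string ldapPath, string filter)
    {
        // Identity of the current thread: this is what ADSI binds with when no
        // credentials are passed. Under IIS 7 anonymous authentication it is IUSR
        // unless the anonymous user is set to the application pool identity.
        string boundAs = WindowsIdentity.GetCurrent().Name;

        using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(entry))
        {
            searcher.Filter = filter;
            searcher.PropertiesToLoad.Add("sAMAccountName"); // illustrative attribute; limits what is returned
            try
            {
                return searcher.FindOne();
            }
            catch (COMException ex)
            {
                if (ex.ErrorCode != OperationsErrorHResult)
                {
                    throw; // some other directory error; not the bind failure this post is about
                }
                throw new InvalidOperationException(
                    "LDAP bind failed with 0x80072020 while the request ran as '" + boundAs +
                    "'. If this is IUSR, set the IIS anonymous user to the application pool identity.",
                    ex);
            }
        }
    }
}
```

The IIS setting described above corresponds to the userName attribute of the system.webServer/security/authentication/anonymousAuthentication section in applicationHost.config: an empty userName tells IIS to use the application pool identity for anonymous requests instead of IUSR. Logging the identity before the bind is the quickest way to confirm which of the two a given server is using.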

Further explanations can be found here and here.
