COMException (0x80072020)

This post is programming related and has nothing to do with electronics. I have not written anything programming related topics lately, but this one is worth sharing as it is related to an rather obscure error.

The error occurred during one of the application serer upgrade at work. When we migrated an ASP.Net 2.0 application on Windows Server 2003 to Windows Server 2008, the application failed to authenticate with the Active Directory (AD), and here is the exception received:

Exception Details: System.Runtime.InteropServices.COMException: An operations error occurred.

[COMException (0x80072020): An operations error occurred.]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +377678
   System.DirectoryServices.DirectoryEntry.Bind() +36
   System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
   System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +78
   System.DirectoryServices.DirectorySearcher.FindOne() +47
... ...

Since this web application worked fine under IIS on Windows 2003, I knew it had to be a security related issue with the updated security models in Windows Server 2008. The application is configured with a classic ASP.NET application pool, and the IIS is configured with anonymous authentication.

The code snippet below shows where the exception occured:

DirectoryEntry e = new DirectoryEntry("LDAP://..."); //the actual LDAP info is omitted.
DirectorySearchar s = new DirectorySearcher(e);

s.Filter = "..."; //the actual filter content is omitted.
SearchResult r = s.FindOne(); //COMException (0x80072020)
ResultPropertyCollection rc = r.Properties; 

As it turned out, the default application pool identity in Windows 2008 is IUSR when using anonymous authentication. This setting needs to be changed to Application Pool Identity in order for the code above to work. This setting can be found under Sites | Site Name | Authentication | Anonymous Authentication.

Further explanations can be found here and here.

Be Sociable, Share!

2 Comments

  1. chue xiong says:

    Just curious, are you running Windows 2008, or Windows 2008 R2? The 2nd link above indicates that “Application Pool Identity” is the default in R2:

    “If you are running IIS 7.5 on Windows Server 2008 R2, you don’t have to do anything to use the new identity. For every Application Pool you create, the IIS Admin Process (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool’s worker processes under this account.

    If you are running Windows Server 2008, you have to change the IdentityType property of the Application Pools you create to “AppPoolIdentity”.”

    It’s early in the morning, so maybe I’m just not reading it all correctly :)

Leave a Reply