I am getting an intermittent COM Exception "An operations error occurred (0x80072020)" (shown below) when I try and query Active Directory using the method GroupPrincipal.FindByIdentity
Here is my code:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, "Group to find");
I am receiving Exception:
Inner Exception: System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
The code is running from a Windows service on a Windows 2003 SP2 server.
I have found another Stack Overflow question, Active Directory, enumerating user's groups, COM exception, suggesting that enabling Kerberos as an option in the PrincipalContext constructor will fix this problem but I am receiving a different hex code than in this question.
My questions are:
- Is this particular COM Exception definitely an authentication issue? I need to be sure that this will 100% fix the problem before releasing the software.
- Is there a resource somewhere which lists all the possible COM exception hex codes so that I can help myself a bit better in the future?
8 solutions
#1
37
The issue is often that the context in which the Active Directory calls are made is under a user that does not have permissions (this can also happen with identity impersonate="true" in ASP.NET, due to the fact that the user's token is a "secondary token" that cannot be used when authenticating against another server; from: https://social.technet.microsoft.com/Forums/en-US/f188029c-51cf-4b50-966a-eee7160d0353/an-operations-error-occured).
The following code will ensure that the block of code you are running is run under the context of, say, the AppPool (i.e. NETWORKSERVICE) that your service or site is running under.
using (HostingEnvironment.Impersonate())
{
var domainContext = new PrincipalContext(ContextType.Domain, "myDomain.com");
var groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, IdentityType.Name, "PowerUsers");
if (groupPrincipal != null)
{
//code to get the information
}
}
However, one super important detail is that all the code calling Active Directory must be in that block. I had used some code a team member of mine wrote that was returning LINQ query results of type Users (custom class), but not evaluating the expression (bad practice). Therefore the expression tree was returned instead of the results.
What ended up happening is the calling code eventually evaluated the results and the "An operations error occurred" message still appeared. I thought the code fix above didn't work, when in fact it did, but there was code evaluating the results outside the block.
In a nutshell, make sure all code to access Active Directory is inside that using block and the exception should be fixed once the service/app is deployed to the server.
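The point of this answer, worked through as an added example (not the answerer's code): do the lookup under the app pool identity, force the LINQ query to run inside the impersonation block, and recognise 0x80072020 in the inner-exception chain so the log names the token that failed to bind. The domain and group names are parameters; the trace sink and exception message are my choices.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Hosting;

public static class AdGroupLookup
{
    // HRESULT behind "An operations error occurred" in the question's stack trace.
    private const int ErrorDsOperationsError = unchecked((int)0x80072020);

    // Returns member SAM account names, fully materialised while the
    // application pool identity (not the request's impersonated user) is active.
    public static List<string> GetGroupMembers(string domain, string groupName)
    {
        using (HostingEnvironment.Impersonate())
        {
            // Record which token performs the bind: an ASP.NET impersonated user's
            // secondary token is the classic cause of 0x80072020 on the DC bind.
            WindowsIdentity who = WindowsIdentity.GetCurrent();
            Trace.TraceInformation("Binding to AD as {0}, impersonation level {1}",
                                   who.Name, who.ImpersonationLevel);
            try
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, domain))
                using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
                {
                    if (group == null)
                        return new List<string>();
                    // ToList() forces evaluation here; returning the lazy sequence would
                    // run the LDAP queries after the using block ends, under the wrong token.
                    using (PrincipalSearchResult<Principal> members = group.GetMembers())
                        return members.Select(m => m.SamAccountName).ToList();
                }
            }
            catch (Exception ex)
            {
                // The COM error is usually wrapped; walk the chain before giving up.
                for (Exception e = ex; e != null; e = e.InnerException)
                {
                    COMException com = e as COMException;
                    if (com != null && com.ErrorCode == ErrorDsOperationsError)
                        throw new InvalidOperationException("AD bind failed (0x80072020) as '" +
                            who.Name + "': run the service/app pool as a domain account or bind " +
                            "with explicit service-account credentials.", ex);
                }
                throw;
            }
        }
    }
}
```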
#2
19
I've now found another answer Unable to add user with CrmService API in Dynamics CRM which states that 0x80072020 is indeed a permission issue. I have changed my service to run under a domain level account instead of the local system account and this seems to have cured my problem.
#3
9
Granted this is 2 years later, I ran into this and found that the following solved my issue:
using System.Web.Hosting;
...
...
// Code here runs as the logged on user
using (HostingEnvironment.Impersonate()) {
// This code runs as the application pool user
DirectorySearcher searcher ...
}
Reference
#4
4
This happened to me in ASP.NET (Windows 2008 R2 / IIS7) where I was messing around with Web.config and this error started happening on every FindByIdentity call. The root cause was that the App Pool was running as DefaultAppPool, and it started working again once I changed it to run as Network Service. I don't quite understand why it would get changed, but it did.
#5
2
I had the same problem. I got success after changing the application pool as below: Process model load user profile = true
#6
0
In my case, the web app pool was running as "DefaultAppPool" which did not have sufficient access to connect to Company's Active Directory. So, I impersonated an account which has access to AD in my code and everything worked fine.
#7
0
If you got an error code, "An operations error occurred (0x80072020)", it might mean "Access denied".
- Check whether or not your Web server is in the AD Domain.
- If not, you have to put authentication into PrincipalContext.
public bool foo(String username, String password) {
// Address of a domain controller; the web server itself is not domain-joined here
string AD_IPaddress = "[ipaddress]";
ContextOptions options = ContextOptions.Negotiate;
// Explicit credentials, because the process identity cannot authenticate to the domain
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, AD_IPaddress, null, options, username, password);
bool isAuthenticated = principalContext.ValidateCredentials(username, password, options);
return isAuthenticated;
}
Reference
- C# web page login to an AD domain using LDAP authentication (C#網頁登入AD網域進行LDAP驗證)
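A variant of this answer's approach for a web server that is not domain-joined, added here as an example rather than the answerer's code: the context binds with a dedicated read-only service account (the environment variable names are assumptions; use whatever protected configuration you have), the LDAP session is sealed and signed, and the end user's password is checked separately with ValidateCredentials, so a wrong user password comes back as false instead of as a bind failure on the context itself.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdLogon
{
    // Low-privilege account used only to bind and read; hypothetical variable names,
    // sourced from protected configuration rather than from the request.
    private static readonly string BindUser = Environment.GetEnvironmentVariable("AD_BIND_USER");
    private static readonly string BindPassword = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");

    // Negotiate selects Kerberos where possible and falls back to NTLM; Sealing and
    // Signing encrypt and integrity-protect the LDAP traffic to the domain controller.
    private const ContextOptions Options =
        ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

    // Returns true only if the password is correct and the account is not disabled.
    public static bool ValidateUser(string domainController, string username, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domainController, null,
                                              Options, BindUser, BindPassword))
        {
            // Separate bind with the user's own credentials; a bad password yields false,
            // whereas a failing service-account bind would surface as 0x80072020.
            if (!ctx.ValidateCredentials(username, password, Options))
                return false;

            // Read the account state through the service-account context.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
            {
                return user != null && user.Enabled != false;
            }
        }
    }
}
```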
#8
0
For me, I ran into the same problem with trying to login to one of the domain controllers, I have 2 domain controllers, 1 of them is working and the other is not working, I believe it has something to do with the user profile, still investigating...