An operations error occurred

  • Question

  • User657329123 posted

    Hi there,

    I’m using ASP.NET 2.0 and C#. I’ve a web form with username and password. Username is loaded automatically by grabbing the user id of the person who is currently logged on to the machine. All the user has to do is type their AD password and click on the Login button.

    After the user successfully logs in, I write a session cookie having two values – username and full name (Given Name and Last Name).

    This works on the development machine running IIS 7.5. I can login and write a cookie with both the values. But it doesn’t work on production server running IIS 6.0. I get error - An operations error occurred.

    Here is my code:

    string AdPath = "LDAP://mydomain:389/OU=Users,DC=com ";
    ActiveDirectoryValidator adAuth = new ActiveDirectoryValidator(AdPath);
    if (true == adAuth.IsAuthenticated(domainName, userName, password))
    {
        HttpCookie cookie = Request.Cookies["whoyou"];
        if (cookie == null)
        {
            cookie = new HttpCookie("whoyou");

            cookie["Name"] = userName;
            DirectorySearcher dssearch = new DirectorySearcher(AdPath);
            dssearch.Filter = "(sAMAccountName=" + userName + ")";
            SearchResult sresult = dssearch.FindOne();
            DirectoryEntry dsresult = sresult.GetDirectoryEntry();
            cookie["Full Name"] = dsresult.Properties["givenName"][0].ToString() + " " + dsresult.Properties["sn"][0].ToString();

            Response.Cookies.Add(cookie);
            Response.Redirect("display.aspx");
        }
    }
    

    I noticed that I get this error at the following line on IIS 6

    SearchResult sresult = dssearch.FindOne();

    If I comment out the above line, then I can login and write a session cookie with just the user id.  It seems that for some reason on IIS 6 I cannot search directory.

    Here is my web.config code:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <appSettings>
      </appSettings>
      <connectionStrings>
      </connectionStrings>
      <system.web>
        <compilation debug="true" defaultLanguage="c#">
          <assemblies>
            <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
          </assemblies>
        </compilation>
        <authentication mode="Windows">
        </authentication>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
        <identity impersonate="true" />
        <customErrors mode="Off" />
      </system.web>
    </configuration>
    

    On IIS 7.5, I’ve ASP.Impersonation and Windows Authentication is enabled.

    On IIS 6.0, Integrated Windows Authentication is enabled and Anonymous Access is disabled.

    I Googled for An operations error occurred. Nothing was helpful to fix the issue so far.

    Any ideas as how to get this working on IIS 6.0?

    Please Help. Thanks for your help.

    Joe

    Monday, April 28, 2014 10:15 AM
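An added example, not part of the original post: the same name lookup with the user name escaped before it goes into the LDAP filter, the search root passed explicitly, and the bind made with the credentials the user typed instead of the impersonated request token. `DirectoryLookup`, `EscapeFilterValue` and `GetFullName` are hypothetical names, and binding with the typed password assumes the application is allowed to use it that way.

```csharp
using System.DirectoryServices;
using System.Text;

// Added example, not the poster's code. All names here are hypothetical.
public static class DirectoryLookup
{
    // Escape the characters that are special in an LDAP search filter (RFC 4515)
    // so a crafted user name cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns "givenName sn" for the account, or null when no entry matches.
    // DirectorySearcher(string) takes a filter, not a path, so the search root is
    // passed as a DirectoryEntry bound with explicit credentials.
    public static string GetFullName(string adPath, string domain, string userName, string password)
    {
        using (DirectoryEntry root = new DirectoryEntry(
            adPath, domain + "\\" + userName, password, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(sAMAccountName=" + EscapeFilterValue(userName) + ")";
            searcher.PropertiesToLoad.Add("givenName");
            searcher.PropertiesToLoad.Add("sn");
            SearchResult result = searcher.FindOne();
            if (result == null) return null;
            return First(result, "givenName") + " " + First(result, "sn");
        }
    }

    // An attribute may be absent on an entry; return "" instead of throwing.
    private static string First(SearchResult r, string attr)
    {
        return r.Properties[attr].Count > 0 ? r.Properties[attr][0].ToString() : "";
    }
}
```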

All replies

  • User1508394307 posted

    What account is set for the app pool in IIS? 

    If it is the default IIS APPPOOL, then try to change it to NetworkService.

    If you use the Network Service identity on the IIS AppPool, the application pool will use the machine account of the IIS server when accessing network resources. In that case, you can confer the necessary permissions to the computer account (domain\computername$) in Active Directory.

    https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx?mfr=true 
    http://www.iis.net/learn/manage/configuring-security/application-pool-identities 

    Monday, April 28, 2014 11:13 AM
  • User657329123 posted

    Application Pool Identity is set to Network Service built-in account.

    Monday, April 28, 2014 12:58 PM
  • User657329123 posted

    This forum and ASP.NET really sucks.  Thought there may be quite a few ASP.NET gurus around in Advanced ASP.NET section but I guess not.

    Thursday, May 1, 2014 7:28 AM
  • User1508394307 posted

    I do not understand your problem very well but it looks like the pool identity does not have the access to search the directory. You should debug the identity (User.Identity.Name) before/after impersonation and compare the result on both servers. In my understanding the impersonation is not required to get the name of the user but it might depend on your AD setup. If you are running on Windows Server 2003 with IIS 6.0 configured to run in worker isolation mode (the default), you can avoid impersonation by configuring your ASP.NET application to run in a custom application pool that runs under a specific domain identity. 

    http://msdn.microsoft.com/en-us/library/ms998297.aspx

    Also try basic authentication

    http://forums.iis.net/p/1175285/1970515.aspx 

    Thursday, May 1, 2014 10:49 AM
  • User657329123 posted

    Can you explain to me how to debug the identity (User.Identity.Name) before/after impersonation, as I haven't done this before?

    On IIS 6.0 running Windows Server 2003, with just Basic Authentication set on IIS and Windows authentication and impersonation set in web.config, I'm able to log in and get users First and Last Name from AD.

    The moment I take off basic authentication from IIS, it fails to get First and Last Name from AD.

    Friday, May 2, 2014 11:05 AM
  • User1508394307 posted

    I'd suggest to check values of 

    HttpContext
    WindowsIdentity
    Thread

    and compare on both servers. That should help to identify the problem.

    See more at http://msdn.microsoft.com/en-us/library/aa302377.aspx 

    Example of the code: http://forums.asp.net/t/1102996.aspx 

    Thursday, May 15, 2014 2:37 AM
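An added example, not code from the thread or from the linked pages: one way to capture the three identities named in the reply above (HttpContext, WindowsIdentity, Thread) together with the process identity seen when impersonation is reverted, so the output can be compared between the IIS 7.5 and IIS 6.0 servers. `IdentityProbe`, `Describe` and `AppendToken` are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

// Added example; all names here are hypothetical.
public static class IdentityProbe
{
    // Call from a page, e.g. Response.Write(IdentityProbe.Describe(Context)),
    // on both servers and compare the output line by line.
    public static string Describe(HttpContext ctx)
    {
        StringBuilder sb = new StringBuilder();

        // Who IIS authenticated, and by which scheme (Negotiate, NTLM, Basic, ...).
        IIdentity user = ctx.User.Identity;
        sb.AppendFormat("HttpContext.User:   {0} (auth={1}, authenticated={2})\r\n",
            user.Name, user.AuthenticationType, user.IsAuthenticated);

        // The managed principal attached to the request thread.
        sb.AppendFormat("Thread principal:   {0}\r\n",
            Thread.CurrentPrincipal.Identity.Name);

        // The Windows token the thread runs under. With <identity impersonate="true" />
        // this is the caller, and it is the security context used for an LDAP bind
        // when no explicit credentials are given.
        AppendToken(sb, "Impersonated token: ");

        // Revert to the process token for a moment to see the app pool account.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            AppendToken(sb, "Process token:      ");
        }
        return sb.ToString();
    }

    private static void AppendToken(StringBuilder sb, string label)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            sb.AppendFormat("{0}{1} (auth={2}, level={3})\r\n",
                label, id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }
}
```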