ASP.NET IIS Impersonation after server migration

  • Question

  • User814988518 posted

    Impersonation works fine when on server with IIS7 installed but fails on server with IIS8.5 installed. Any ideas on why impersonation will not authenticate?

    Exception Message:

    System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
       at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
       at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
       at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
       at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()
       at CAP2.Controllers.MasterController.GetUserInfo()

     

    Monday, December 22, 2014 1:27 PM

All replies

  • User-1538479794 posted

    Hi

    Newer versions of IIS run under the ApplicationPoolIdentity account. If you go into the advanced settings for the application pool, you can try changing the identity under the process model section to NetworkService (what IIS used to use, considered less secure now), or you can change the permissions to a different account, or you could manually set the ACLs for your app pool.

    For more information, please refer to the link below.

    http://blogs.msdn.com/b/vijaysk/archive/2009/02/13/goodbye-network-service.aspx

    Tuesday, December 23, 2014 3:02 AM
  • User814988518 posted

    Thanks for the response. My network admins won't allow it to run under NetworkService because it's less secure and would defeat the purpose of having credentials on the AppPool. Any other ideas? Thanks

    Tuesday, December 23, 2014 10:39 AM
  • User1104055534 posted

    Hi Jason,

    We found a resolution for an issue with similar symptoms.

    If the issue cannot be resolved by that solution, we suggest you submit a service request to Microsoft Support from the link below:

    http://support.microsoft.com/select/Default.aspx?target=assistance

    CAUSE

    The "IUSR" account cannot act as the machine identity and does not have rights on the network.

    RESOLUTION

    Change the Anonymous user identity of IIS Anonymous Authentication Credentials to another domain account.

    1. On the CRM server, open the Internet Information Services (IIS) Manager.
    2. In IIS Manager, click the CRM site.
    3. In the Features View, double-click Authentication.
    4. Select Anonymous Authentication, and then click Edit in the Actions pane.
    5. In the Edit Anonymous Authentication Credentials dialog box, click the Specific user option, and then click Set.
    6. In the Set Credentials dialog box, input the user name and password, and then click OK.

    APAC Support

    Thursday, February 19, 2015 10:29 AM
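
The settings discussed in this thread (application pool identity, anonymous authentication user, ASP.NET impersonation) can be read in one pass with the WebAdministration module, which makes it easier to compare the old and new servers before changing anything. This is an added example, not part of the original thread; the function name and the site name passed to it are placeholders, and the warning condition simply encodes the CAUSE quoted in the last reply.

```powershell
# Added example: read-only report of the identities IIS can use for a request.
# Assumptions: elevated prompt on the IIS server; function name is hypothetical.
Import-Module WebAdministration

function Get-IisRequestIdentity {
    param([Parameter(Mandatory)][string]$SiteName)

    $sitePath = "IIS:\Sites\$SiteName"
    $poolName = (Get-Item $sitePath).applicationPool
    $model    = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel

    $authRoot = 'system.webServer/security/authentication'
    $anon   = Get-WebConfiguration -PSPath $sitePath -Filter "$authRoot/anonymousAuthentication"
    $win    = Get-WebConfiguration -PSPath $sitePath -Filter "$authRoot/windowsAuthentication"
    $aspnet = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/identity'

    # A custom pool account is only meaningful when identityType is SpecificUser.
    $poolIdentity = if ($model.identityType -eq 'SpecificUser') { $model.userName }
                    else { [string]$model.identityType }

    # An empty anonymous user name means anonymous requests use the pool identity.
    $anonUser = if ($anon.userName) { $anon.userName } else { "(pool identity: $poolIdentity)" }

    # The case from the thread: impersonation hands the directory bind to IUSR,
    # a local built-in account with no rights on the network.
    $iusrBind = [bool]$aspnet.impersonate -and [bool]$anon.enabled -and
                ($anon.userName -eq 'IUSR')

    [pscustomobject]@{
        Site                 = $SiteName
        AppPool              = $poolName
        PoolIdentity         = $poolIdentity
        AnonymousEnabled     = [bool]$anon.enabled
        AnonymousUser        = $anonUser
        WindowsAuthEnabled   = [bool]$win.enabled
        AspNetImpersonation  = [bool]$aspnet.impersonate
        DirectoryBindAsIUSR  = $iusrBind
    }
}

# Usage (site name is a placeholder): run on both servers and diff the output.
# Get-IisRequestIdentity -SiteName 'Default Web Site' | Format-List
```

If `DirectoryBindAsIUSR` is true, the anonymous user is the setting that steps 1 to 6 above change; whichever account replaces it should be a dedicated domain account with only the directory read access the application needs.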