Last post May 15, 2014 02:37 AM by smirnov
Apr 28, 2014 10:15 AM|joegreen2005
I’m using ASP.NET 2.0 and C#. I have a web form with username and password. The username is loaded automatically by grabbing the user id of the person who is currently logged on to the machine. All the user has to do is type their AD password and click on the Login button.
After the user successfully logs in, I write a session cookie having two values – username and full name (Given Name and Last Name).
This works on the development machine running IIS 7.5. I can log in and write a cookie with both the values. But it doesn’t work on the production server running IIS 6.0. I get the error:
An operations error occurred.
Here is my code:
string AdPath = "LDAP://mydomain:389/OU=Users,DC=com ";
ActiveDirectoryValidator adAuth = new ActiveDirectoryValidator(AdPath);
if (true == adAuth.IsAuthenticated(domainName, userName, password))
{
    HttpCookie cookie = Request.Cookies["whoyou"];
    if (cookie == null)
    {
        cookie = new HttpCookie("whoyou");
    }
    cookie["Name"] = userName;
    // Look up the user's directory entry to read givenName and sn.
    DirectorySearcher dssearch = new DirectorySearcher(AdPath);
    dssearch.Filter = "(sAMAccountName=" + userName + ")";
    SearchResult sresult = dssearch.FindOne();
    DirectoryEntry dsresult = sresult.GetDirectoryEntry();
    // .Value returns the attribute value; ToString() on the collection returns its type name.
    cookie["Full Name"] = dsresult.Properties["givenName"].Value + " " + dsresult.Properties["sn"].Value;
}
I noticed that I get this error at the following line on IIS 6:
SearchResult sresult = dssearch.FindOne();
If I comment out the above line, then I can log in and write a session cookie with just the user id. It seems that for some reason on IIS 6 I cannot search the directory.
Here is my web.config code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation debug="true" defaultLanguage="c#">
      <assemblies><add assembly="System.DirectoryServices, Version=126.96.36.199, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" /></assemblies>
    </compilation>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <identity impersonate="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
On IIS 7.5, I have ASP.NET Impersonation and Windows Authentication enabled.
On IIS 6.0, Integrated Windows Authentication is enabled and Anonymous Access is disabled.
I Googled for "An operations error occurred." Nothing was helpful to fix the issue so far.
Any ideas as to how to get this working on IIS 6.0?
Please help. Thanks for your help.
Apr 28, 2014 11:13 AM|smirnov
What account is set for the app pool in IIS?
If it is the default IIS APPPOOL, then try to change it to NetworkService.
If you use the Network Service identity on the IIS AppPool, the application pool will use the machine account of the IIS server when accessing network resources. In that case, you can confer the necessary permissions to the computer account (domain\computername$) in Active Directory.
Apr 28, 2014 12:58 PM|joegreen2005
Application Pool Identity is set to Network Service built-in account.
May 01, 2014 07:28 AM|joegreen2005
This forum and ASP.NET really suck. Thought there might be quite a few ASP.NET gurus around in the Advanced ASP.NET section, but I guess not.
May 01, 2014 10:49 AM|smirnov
I do not understand your problem very well, but it looks like the pool identity does not have access to search the directory. You should debug the identity (User.Identity.Name) before/after impersonation and compare the result on both servers.
In my understanding, impersonation is not required to get the name of the user, but it might depend on your AD setup. If you are running on Windows Server 2003 with IIS 6.0 configured to run in worker isolation mode (the default), you can avoid impersonation by configuring your ASP.NET application to run in a custom application pool that runs under a specific domain identity.
Also try basic authentication.
May 02, 2014 11:05 AM|joegreen2005
Can you explain to me how to debug the identity (User.Identity.Name) before/after impersonation, as I haven't done this before?
On IIS 6.0 running Windows Server 2003, with just Basic Authentication set on IIS and Windows authentication and impersonation set in web.config, I'm able to log in and get the user's first and last name from AD.
The moment I take off basic authentication from IIS, it fails to get the first and last name from AD.
May 15, 2014 02:37 AM|smirnov
I'd suggest to check values of
and compare on both servers. That should help to identify the problem
See more at http://msdn.microsoft.com/en-us/library/aa302377.aspx
Example of the code: http://forums.asp.net/t/1102996.aspx
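One way to act on the suggestion to compare identities on both servers, as an added example that is not part of the thread. The names IdentitySnapshot, Capture and Diff are hypothetical; the code assumes Windows and .NET 2.0 or later, and in an ASP.NET page you would pass HttpContext.Current.User to Capture and log the result on each server.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
// Added example with hypothetical names; not code from the thread.
public static class IdentitySnapshot
{
    // Record every identity in play. In ASP.NET pass HttpContext.Current.User.
    public static SortedDictionary<string, string> Capture(IPrincipal requestUser)
    {
        SortedDictionary<string, string> s = new SortedDictionary<string, string>();
        Add(s, "User.Identity", requestUser == null ? null : requestUser.Identity);
        IPrincipal tp = Thread.CurrentPrincipal;
        Add(s, "Thread.CurrentPrincipal", tp == null ? null : tp.Identity);
        using (WindowsIdentity win = WindowsIdentity.GetCurrent())
        {
            // A directory bind without explicit credentials authenticates as this token.
            Add(s, "WindowsIdentity.GetCurrent", win);
            s["WindowsIdentity.GetCurrent.ImpersonationLevel"] = win.ImpersonationLevel.ToString();
        }
        return s;
    }

    private static void Add(IDictionary<string, string> s, string key, IIdentity id)
    {
        s[key + ".Name"] = id == null ? "(none)" : id.Name;
        s[key + ".AuthenticationType"] = id == null ? "(none)" : id.AuthenticationType;
    }
    // One line per key whose value differs between two snapshots.
    public static List<string> Diff(IDictionary<string, string> a, IDictionary<string, string> b)
    {
        List<string> changed = new List<string>();
        foreach (KeyValuePair<string, string> kv in a)
        {
            string other;
            if (!b.TryGetValue(kv.Key, out other) || other != kv.Value)
                changed.Add(kv.Key + ": " + kv.Value + " <> " + other);
        }
        return changed;
    }

    public static void Main()
    {
        SortedDictionary<string, string> here = Capture(Thread.CurrentPrincipal);
        // Constructed stand-in for the snapshot logged on the other server.
        SortedDictionary<string, string> other = new SortedDictionary<string, string>(here);
        other["WindowsIdentity.GetCurrent.Name"] = @"NT AUTHORITY\NETWORK SERVICE";
        foreach (string line in Diff(here, other)) Console.WriteLine(line);
    }
}
```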