
I have an asp.net application that uses delegation to perform actions on Active Directory as the authenticating user. The application works perfectly on some computers and doesn't work at all on others. On those computers users receive a COMException with error code 0x80072020; the stack trace is:

```text
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at ResetUnlockAccount.ResetUnlockAccount.ExecuteImpersonation(String username)
```

The code that is throwing the error is:

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

// Runs the AD lookup under the caller's own identity. ROOT, password and
// lblOutput come from the surrounding page class.
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
    ctx = winId.Impersonate();
    using (DirectoryEntry directoryObject = new DirectoryEntry(ROOT))
    {
        using (DirectorySearcher search = new DirectorySearcher(directoryObject))
        {
            // The posted filter contained the literal text "username"; the
            // method's username parameter is the value actually searched for.
            search.Filter = "(&(objectClass=user)(sAMAccountName=" + username + "))";
            search.SearchScope = SearchScope.Subtree;

            // This line is causing the issue: it binds to AD as the impersonated user.
            SearchResult result = search.FindOne();

            using (DirectoryEntry user = result.GetDirectoryEntry())
            {
                user.Invoke("SetPassword", new object[] { password });
                user.Properties["pwdLastSet"][0] = 0;   // force a change at next logon
                user.CommitChanges();
                lblOutput.Text = "It worked";
            }
        }
    }
}
catch (Exception ex)
{
    lblOutput.Text += ex.ToString();
}
finally
{
    if (ctx != null)
        ctx.Undo();   // always revert to the application pool identity
}
```

At first I thought it was a user permission issue, so I tested it by trying my credentials on one of the computers that was having issues, and I encountered the same problem. To confirm it wasn't a user permission issue I tried it on my workstation with the other person's credentials, and it worked perfectly.

I wrote a quick test program that would show me the impersonation level of the users, when working correctly it should be Delegation. When I ran it on my machine the output was:

```text
Authentication Type: Negotiate
Token: 9999
Name: domain\username
Is Authenticated: True
Impersonation level: Delegation
```

When I ran it on the other Workstation:

```text
Authentication Type: Negotiate
Token: 9999
Name: domain\username
Is Authenticated: True
Impersonation level: Impersonation
```

Server: IIS 7.0; Browser: IE 8

I don't know what is causing the issue on only certain computers. If anyone knows of a specific setting that should be changed for delegation to work properly I would be grateful. Below I have posted two other links that give more insight into my problem.

.GetDirectoryEntry throws COM exception, code:0x800720720 when attempting to bind to object

asp.net application userprincipal.findbyidentity works with browser on server, throws exception from my machine
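The Impersonation-versus-Delegation difference above usually means the failing workstation authenticated with NTLM instead of Kerberos, and an NTLM token cannot be delegated. The following PowerShell check is an added example, not code from the question: run on a failing client as the affected user, it reads the IE integrated-auth settings and the Kerberos ticket cache. `$SiteHost` is a placeholder for the web application's host name.

```powershell
# Added example, not code from the question. Run on a workstation where the
# COMException appears, as the user who sees it, to find out why the web server
# only receives an Impersonation-level token. $SiteHost is a placeholder.
param([string]$SiteHost = "webapp.corp.example")

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$problems = @()

# Kerberos needs an SPN-resolvable host name; addressing the site by IP yields NTLM.
$ip = $null
if ([System.Net.IPAddress]::TryParse($SiteHost, [ref]$ip)) {
    $problems += "Site is addressed by IP ($SiteHost); Kerberos needs the host name that matches the HTTP/ SPN."
}

# IE > Advanced > "Enable Integrated Windows Authentication" is stored as EnableNegotiate.
$neg = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($neg -ne 1) { $problems += "EnableNegotiate = '$neg'; IE will not use Negotiate/Kerberos." }

# An explicit ZoneMap entry placing the site in the Local intranet zone (zone 1).
$labels = $SiteHost.Split('.')
$zoneKey = if ($labels.Count -gt 1) {
    "$inet\ZoneMap\Domains\$($labels[1..($labels.Count - 1)] -join '.')\$($labels[0])"
} else { "$inet\ZoneMap\Domains\$SiteHost" }
$zoneProps = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
$zone = if ($zoneProps) { @($zoneProps.http, $zoneProps.'*') | Where-Object { $_ -ne $null } | Select-Object -First 1 }
if ($zone -ne 1) { $problems += "$SiteHost has no Local intranet zone mapping (found zone '$zone')." }

# Zone 1 logon policy (value 1A00): 0 or 0x20000 means automatic logon as the current user.
$logon = (Get-ItemProperty -Path "$inet\Zones\1" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
if ($logon -notin 0, 0x20000) { $problems += "Intranet zone logon policy 1A00 = $logon; automatic logon is off." }

# After reproducing the failure, the ticket cache shows whether Kerberos was used at all.
$tickets = (klist 2>&1) -join "`n"
if ($tickets -notmatch "HTTP/$([regex]::Escape($SiteHost))") {
    $problems += "No Kerberos ticket for HTTP/$SiteHost in the cache: the browser fell back to NTLM, " +
                 "which yields an Impersonation-level token that the server cannot delegate."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Client-side Kerberos prerequisites look fine; check the server's HTTP/ SPN and delegation settings next." }
```

An explicit ZoneMap entry is only one route into the intranet zone (proxy-bypass and single-label names qualify too), so treat that warning as a hint rather than proof. On the IIS server, Security event 4624 for the failing user records the Authentication Package (NTLM versus Kerberos) that was actually negotiated.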

    You should add some information. There's none in your question. – John Saunders Jun 20 '14 at 18:34
  • What kind of information? I don't really have any code that is bugging out on me, because it works for some computers and doesn't for others. The most I can give you is that it breaks when binding to a directory entry object and gives the `0x80072020` COMException error, which pretty much just means any security issue with Active Directory – Tory Hill Jun 20 '14 at 18:39
  • Yeah, sorry, I can't see how anyone could possibly help you, unless they happened to be able to remember the same thing happening to them. You do not give any information on what is going on when "delegation fails", how your machines are set up, or anything else that would help to diagnose the problem. And, BTW, paragraphs are good to use. – John Saunders Jun 20 '14 at 18:41
  • You're right John, just give me a few minutes and I'll fill in some blanks for you, provide some code and a call stack trace, and as much information as I can about the setup. – Tory Hill Jun 20 '14 at 18:44
  • @JohnSaunders Is that better? – Tory Hill Jun 20 '14 at 19:05
  • Much better. I retracted my close vote and +1. Please note the difference between the "before" and "after" and take it into consideration on future questions. – John Saunders Jun 20 '14 at 19:07
  • Will do, thank you for that. Also, any idea what might be causing this rather confusing and frustrating behaviour? – Tory Hill Jun 20 '14 at 19:09
  • No idea, but I'd be looking in event logs. – John Saunders Jun 20 '14 at 19:10
  • Sounds like a client config issue, bordering on something more suited for ServerFault. But for starters, Open IE, Settings, Advanced, Security, [x] Enable Integrated Auth. – H H Jun 20 '14 at 19:10
  • @HenkHolterman that was the first thing I checked, all machines have Enable Integrated Authentication checked off. – Tory Hill Jun 20 '14 at 19:12
  • Weren't you meant to do something with the [WindowsImpersonationContext](http://msdn.microsoft.com/en-us/library/system.security.principal.windowsimpersonationcontext.aspx)? – John Saunders Jun 20 '14 at 19:13
  • @JohnSaunders I was; I just missed it when copying the code over somehow. Added it in there just inside the Try block – Tory Hill Jun 20 '14 at 19:17
  • That is something else to mention in the question, as are Server version, Browser version(s) etc. Check how the computers are configured in the AD. After that: examine Eventlogs (C & S), and then look at Fiddler or similar tool. – H H Jun 20 '14 at 19:17
  • Ok, but I suggest using a `using` block, as in the link I posted. – John Saunders Jun 20 '14 at 19:19
  • I will try that, and see if it makes a difference, but since I need to get a different machine to test it, it may take a while. – Tory Hill Jun 20 '14 at 19:24
  • No change in behaviour – Tory Hill Jun 20 '14 at 19:38
