Error: "An operations error occurred" in System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity

Question

I have the following code to retrieve AD groups of a given user name in my MVC3 web application:

PrincipalContext userDomain = new PrincipalContext(ContextType.Domain, username.Split('\\')[0]);
UserPrincipal user = UserPrincipal.FindByIdentity(userDomain, username);
PrincipalSearchResult<Principal> memberOfGroups = user.GetGroups();
IEnumerator<Principal> memberOfGroupsEnumerator = memberOfGroups.GetEnumerator();
List<string> userADGroups = new List<string>();

try
{
    while (memberOfGroupsEnumerator.MoveNext())
    {
        userADGroups.Add(memberOfGroupsEnumerator.Current.ToString());
    }
}
catch
{
    // When trying to access AD groups of a different domain, issues can arise at the end of the enumerator. These may be ignored.

}

This works fine locally but when deployed onto another machine on the network errors out with the following error:

An operations error occurred.

The stack trace for the error:

System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at MvcSFIWebSite.Models.User..ctor(String username)

The error message is rather ambiguous and I am unable to figure out what is happening as it works fine locally.

The IIS on the machine used for deployment uses a custom account instead of the AppPool identity. Should this account be granted any permissions to access the AD group directory? Are any other settings explicitly required in IIS for this to work?

Any suggestions would be very helpful. Thanks in advance.

Answer 1

The issue was because identity_impersonate was set to true in web.config so the user token which was being passed was a secondary token and hence could not access the Active Directory.

This answer solved my issue.