2/29/2012

Error 0x8000500c When Using UserPrincipal.Current

Problem

I was getting the following error on one of my ASP.NET sites:

Message: Unknown error (0x8000500c)
Source: System.DirectoryServices
Stack: at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()

Sometimes, the error read slightly differently as

Message: The specified directory service attribute or value does not exist.
Source: System.DirectoryServices
Stack: at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()

This happened in a call to UserPrincipal.Current.

Root Cause

This seems to be due to a double-hop problem: the browser connects to IIS, then IIS tries to connect to AD. I am using Integrated Authentication and Impersonation, which means that IIS will use the current user’s credentials to connect to AD, but it doesn’t have the user’s password (it would have that, and the call would work, if I enabled Basic authentication), nor does it seem to have a Kerberos ticket, which would be forwardable.

Solution

I found out that the reason no Kerberos ticket was being used was due to IE thinking my site was an Internet site. As soon as I had marked it as an Intranet site, everything worked fine.

If you have the same problem, you can quickly verify whether you are facing the same double-hop issue: turn off integrated auth, turn on basic, then try again. Or access your web site from the same machine that runs IIS, which also avoids the double hop.

I am not sure which particular security setting gets in my way, but simply “moving” the site to Local Intranet for IE solves the issue.

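As an added example (not code from the original post), the following C# helper makes the token state behind the double hop visible before UserPrincipal.Current is called, and shows a lookup that does not depend on delegation at all. It assumes an ASP.NET application with Windows authentication and impersonation enabled, hosted in an IIS application pool whose identity is allowed to read from AD; the class and method names are my own.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not from the original post. Assumes an ASP.NET app with Windows
// authentication and impersonation enabled, hosted in an IIS app pool whose identity
// may read from AD. The class and method names are my own.
public static class DoubleHopDiagnostics
{
    // Report the token ASP.NET is impersonating before UserPrincipal.Current uses it.
    // AuthenticationType is "Kerberos" for a Kerberos logon and "NTLM" when the browser
    // fell back to NTLM, as it does when the site is treated as an Internet-zone site.
    // Only a Delegation-level token can be forwarded to AD on the second hop.
    public static string DescribeCallerToken()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        bool canHop = identity.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return string.Format("User={0} Auth={1} Level={2} CanReachSecondHop={3}",
            identity.Name, identity.AuthenticationType, identity.ImpersonationLevel, canHop);
    }

    // Resolve the browser user in AD without relying on delegation: revert to the
    // app pool's own identity, bind to the domain with it, and look the user up by the
    // account name IIS already authenticated. Returns null if the account is not found.
    public static string FindCallerDisplayName(IPrincipal caller)
    {
        string name = caller.Identity.Name;
        int sep = name.LastIndexOf('\\');
        string sam = sep >= 0 ? name.Substring(sep + 1) : name;  // "DOMAIN\user" -> "user"

        // Impersonate(IntPtr.Zero) reverts the current thread to the process identity.
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            return user == null ? null : user.DisplayName;
        }
    }
}
```

Logging DescribeCallerToken() on the failing request shows whether the browser fell back to NTLM or the token is only Impersonation-level, which is the quickest confirmation of the double hop described above.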