Last post May 02, 2011 12:46 AM by Joker_Joker
Apr 20, 2011 01:00 AM|Joker_Joker|LINK
Setup: IIS 7 with Windows Authentication and application pool is under integrated mode, using .NET 4.0 framework and Windows Server 08.
Function: To create an active directory account.
Error: System.UnauthorizedAccessException @ line with code: CommitChanges
My code works as I have delegated permissions to Network Service (the application pool runs under this) and can create the AD account. I believe there are security concerns with assigning Network Service, so I removed this and hoped Windows Authentication would pass the authenticated user to Active Directory.
I searched around for a couple of hours, give or take 6 hours, and most talk about Impersonate = true, which I have done but it doesn't work and doesn't feel right since I don't like switching application pools to classic mode. Another thread mentioned changing the Windows auth provider to Negotiate:Kerberos and turning off kernel mode.
All in all, I tried everything from searching this forum for that error and Bing/Google.
What I understood from all the searching is that ASP.NET under Windows Authentication doesn't send the credentials to Active Directory. I started searching for things like 'passing windows credentials to active directory' and that took me around the world.
I would appreciate any help and thanks in advance.
Apr 21, 2011 09:30 AM|gww|LINK
When you declare your directory entry to create the user account, you will need to pass along a user name and password that has access to Active Directory to create the account. Typically an admin service account.
Imports System.DirectoryServices
Dim DirEntry As New DirectoryEntry(NewUserOU, ADuser, ADpass) ' bind to the target OU with the service account's credentials
Apr 25, 2011 10:38 AM|Joker_Joker|LINK
Thanks for your reply.
This method I read before and skipped (should have mentioned that).
Assuming the page has zero security on the application level, then any user logged in would be able to execute the functionality and create an account because they're impersonating an admin user.
If this is the only method then I'll try it, but I prefer to pass the logged-in user to AD.
So as far as my research goes, there are really only two methods:
1. Declare an admin account in directory entry
2. Change the application mode to classic and fiddle with a fair amount of things on the back end.
So what we're saying is, under IIS 7+ with Integrated mode for the application pool and running ASP.NET, that there's no way to simply pass the authenticated user to Active Directory?
Apr 25, 2011 06:27 PM|gww|LINK
Active Directory will require you to pass credentials of someone with permissions to create and modify objects. If you gave everyone on your network administrative access to your AD then the authenticated user would be able to run the code and create the account. Not advisable. Typically AD allows just about anyone read access, but you need administrative permissions to create objects.
The two options you mentioned are probably your only options. Impersonate a user with admin rights, or pass the user/password in code of an account with permissions to AD. Whichever option you choose, you may want to set up a service account on your network and use that instead of an account that belongs to a network admin.
Apr 26, 2011 10:27 PM|Joker_Joker|LINK
I have accepted your answer, since it's the method I'm going for. I prefer delegating through AD, but I'll just have to make do setting permissions on the aspx page itself to prevent access.
There's another method I found which wasn't directed at AD, but it was basically impersonating the user in the code using WindowsIdentity.
I did get through but it returned an impersonation level issue, which has few results over on Google/Bing, so I dropped this.
Thanks for the help though.
May 02, 2011 12:46 AM|Joker_Joker|LINK
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()
Try
    'Insert your code that runs under the security context of the authenticating user here.
Finally
    ' Revert to the application pool identity even if that code throws.
    impersonationContext.Undo()
End Try
Found this while searching for a way to impersonate in code; I stuck by thinking Microsoft won't leave us in the dark with a potentially insecure option. What I found was this, and it's wonderful; I have added my code in between and it works like a charm (creating AD and managing users + creating drives).
Thanks for the help, looks like it just took a bit of time for me to find the right resource =D
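Putting the thread together, here is an added example (not code from any of the posts above) of a Web Forms code-behind that does what the last two posts describe: it restricts the page to a role, impersonates the authenticated caller only around the AD write, and always reverts. The OU path, the role name, the class name and the method parameters are assumed values.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Text.RegularExpressions
Imports System.Web.UI

Public Class CreateUserPage
    Inherits Page

    ' Assumed values; substitute your own target OU and the role allowed to use the page.
    Private Const NewUserOU As String = "LDAP://OU=Staff,DC=example,DC=local"
    Private Const AllowedRole As String = "EXAMPLE\HelpdeskAdmins"

    ' Called from a button handler with the two form values (the controls are not shown).
    Protected Sub CreateAdUser(commonName As String, samAccountName As String)
        ' Authorize at the page level too: if a shared service account were used instead,
        ' anyone who can reach the page could create accounts.
        If Not User.IsInRole(AllowedRole) Then
            Response.StatusCode = 403
            Response.SuppressContent = True
            Context.ApplicationInstance.CompleteRequest()
            Return
        End If

        ' Reject anything that could alter the distinguished name built below.
        If Not Regex.IsMatch(commonName, "^[A-Za-z0-9 .'-]{1,64}$") Then
            Throw New ArgumentException("Invalid common name.", "commonName")
        End If

        Dim caller As WindowsIdentity = TryCast(User.Identity, WindowsIdentity)
        If caller Is Nothing Then
            Throw New InvalidOperationException("Windows authentication is required.")
        End If

        Dim ctx As WindowsImpersonationContext = caller.Impersonate()
        Try
            ' Runs as the caller, so AD enforces that user's delegated rights on the OU.
            Using ou As New DirectoryEntry(NewUserOU)
                Using newUser As DirectoryEntry = ou.Children.Add("CN=" & commonName, "user")
                    newUser.Properties("sAMAccountName").Value = samAccountName
                    newUser.CommitChanges()
                End Using
            End Using
        Finally
            ' Always revert; otherwise the rest of the request keeps running as the caller.
            ctx.Undo()
        End Try
    End Sub
End Class
```

The impersonated token only reaches a domain controller on another machine if it carries delegation rights (Kerberos with delegation configured for the web server); an NTLM or non-delegatable token produces the kind of impersonation-level failure mentioned earlier in the thread.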