I have created a view that unlocks user accounts. When testing using the local IIS this works fine. I have now published to the intranet IIS (Windows 2012) and get an access denied. I know it's a Windows authorization issue but not sure where.
I have authentication mode="Windows" in the Web.config file and have IIS set up for Windows authentication. How can I get my controller to pass the domain user's credentials to IIS so I can run my code?
Thanks!
    using System.DirectoryServices.AccountManagement;
    using System.Web.Mvc;

    public ActionResult Unlock(string user)
    {
        // set up domain context (binds as the identity the web application runs under)
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        // find a user
        using (UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, user))
        {
            if (usr != null)
            {
                // unlock user
                usr.UnlockAccount();
            }
        }
        return RedirectToAction("Index");
    }
Authentication to update AD - access denied
Jul 10, 2019 08:27 PM | Baze72
Re: Authentication to update AD - access denied
Jul 10, 2019 08:35 PM | mgebhard
I assume the application pool identity (the web application) does not have authority to perform the task. Add a service account to application pool identity that has proper authority to perform the task.
If this is not the issue, then post the actual error message so we're not guessing.
Re: Authentication to update AD - access denied
Jul 10, 2019 08:56 PM | Baze72
That is not really what I want to do. I did get it to work like this:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "domain.local", "username", "password");
But I only want users that are domain admins to be able to perform this. Is there a way to use the above code but use the User.Identity.Name; instead?
Thanks!
Re: Authentication to update AD - access denied
Jul 10, 2019 09:08 PM | mgebhard
Use the [Authorize] attribute to restrict access to roles.
https://squarewidget.com/authorizationattribute-with-windows-authentication-in-mvc-4/
You can also craft a custom role provider.
Re: Authentication to update AD - access denied
Jul 10, 2019 09:46 PM | Baze72
I now get a message "Your connection to this site is not private" and it prompts me for a username and password. I am a member of the group I specified. Even when I enter the domain admin and password it just keeps prompting me.
Side question:
OK - that would work. Is it safe to have a password in the controller?
Re: Authentication to update AD - access denied
Jul 10, 2019 10:49 PM | mgebhard
Prompting for credentials means the box is not in the same (expected) domain, or you are using a browser other than IE, or the site is not in the trusted zone.
Re: Authentication to update AD - access denied
Jul 11, 2019 12:57 PM | Baze72
Here is the strange thing. Using [Authorize(Users works fine, but roles does not?? When using roles in the prompt it says: connecting to then my computer name.domain name.
Re: Authentication to update AD - access denied
Jul 12, 2019 02:19 AM | Nan Yu
Hi Baze72,
For authorization with Active Directory groups, you can add roleManager to your web config:
Then use it with the Authorize attribute:
Best Regards,
Nan Yu
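
The advice in this thread combined into one controller, as an added example that is not code from any poster: the role check decides who may call the action, and the directory call carries no embedded password. `CONTOSO`, `AccountsController` and the delegated service account are assumptions made for illustration.

```csharp
// Added example. CONTOSO and AccountsController are placeholder names.
// Assumes web.config has <authentication mode="Windows" /> and, for AD group checks,
// <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />.
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;

public class AccountsController : Controller
{
    // Only members of the AD group reach the action body. AuthorizeAttribute answers
    // a failed role check with 401, which under Windows authentication the browser
    // shows as another credential prompt.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = @"CONTOSO\Domain Admins")]
    public ActionResult Unlock(string user)
    {
        if (string.IsNullOrWhiteSpace(user))
        {
            return new HttpStatusCodeResult(400, "user is required");
        }

        // No credentials in code: the context binds as the application pool identity.
        // Assumption: that identity is a service account delegated only the right
        // to unlock accounts, not a domain admin.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
        {
            if (usr == null)
            {
                return HttpNotFound();
            }

            if (usr.IsAccountLockedOut())
            {
                usr.UnlockAccount();
                // The directory only sees the service account, so record the real caller.
                Trace.TraceInformation("{0} unlocked {1}", User.Identity.Name, usr.SamAccountName);
            }
        }

        return RedirectToAction("Index");
    }
}
```

Because the action changes directory state, it accepts only POST with an anti-forgery token, so the calling view needs a form that includes `@Html.AntiForgeryToken()`.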