
Accessing Active Directory Records Via ASP.NET

Seems like my local machine does not have the required permissions to write data into the Active Directory. I can read data but can not change and update it. Upon calling the .save() command I receive the next message: "Access is denied".

I do not use any login details in order to log into the Active Directory and I wish not to use any as well. I know it has something to do with the application pools and IIS generally, but I can't seem to find a working solution other than trying and changing some minor options and features.

EDIT: This is the code I'm trying to execute:

using System.DirectoryServices.AccountManagement;

using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "DOMAINNAME"))
{
    // FindByIdentity is a static factory method, so it is called without "new"
    GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, "GROUPNAME");
    group.Members.Remove(pc, IdentityType.SamAccountName, "USERNAME");
    group.Save();   // this is the call that fails with "Access is denied"
}
Tommy Naidich asked Feb 23 '14 09:02


2 Answers

Your intuition is correct - you need proper permissions on the application pool account.

The simplest way would be:

  1. Create a new domain user account
  2. Add it to the "Domain Admins" group
  3. On your IIS server, locate the pool your application uses and change the pool identity to the newly created user

This way all requests from users to IIS are run in the context of the domain admin and thus all requests from IIS to AD will succeed - domain admins can operate the AD.

Although the above solution would work, it is probably not recommended. This is because the application does many things other than just connecting to the AD and if there are places that can be misused, you risk running unwanted requests in the domain admin context.

Usually then, such application would have two layers, a front layer and a back layer. The front layer runs in a restricted context and is responsible for all user requests. This is your application. A back layer is another web application that is not accessible from internet, only from the local intranet. This application runs in the domain admin context and serves as the gateway to the AD. The front application uses the back application to talk to the AD.

Wiktor Zychla answered Oct 20 '22 16:10
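A least-privilege variant of the three steps above, added here as an example and not part of the answer: the pool runs as a dedicated service account that is delegated write access to the one group the question's code modifies, rather than being placed in Domain Admins. The domain, account, group and pool names are placeholders, and the `WP;member` grant assumes the application only needs to change that group's membership.

```powershell
# Added example: run the IIS application pool as a dedicated account that can
# write only the "member" attribute of one group, instead of a Domain Admin.
# CORP, svc-adwriter, GROUPNAME and MyAppPool are placeholders.
Import-Module ActiveDirectory
Import-Module WebAdministration
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$domain   = "CORP"
$svcName  = "svc-adwriter"
$poolName = "MyAppPool"
$groupDn  = (Get-ADGroup "GROUPNAME").DistinguishedName

# 1. Dedicated, non-interactive service account with a long random password.
$password = [System.Web.Security.Membership]::GeneratePassword(32, 8)
New-ADUser -Name $svcName -SamAccountName $svcName `
    -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Delegate only Write Property (WP) on the group's "member" attribute.
#    The account is not added to Domain Admins or any other built-in group,
#    so a compromised web application can at most edit this one membership list.
dsacls $groupDn /G "${domain}\${svcName}:WP;member"

# 3. Make the application pool run as that account (identityType 3 = SpecificUser)
#    and recycle it so the new identity takes effect.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ userName = "$domain\$svcName"; password = $password; identityType = 3 }
Restart-WebAppPool $poolName

# Verify: the pool identity is the service account and the group ACL lists it.
(Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel).userName
dsacls $groupDn | Select-String $svcName
```

With this in place the question's `group.Save()` succeeds for that group only; a write to any other object still fails with "Access is denied", which is the intended blast-radius limit.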


In order to execute code that needs specific permissions to your Active Directory, follow these steps:

  1. Require the user to log into the ASP.NET application.
  2. Have your code impersonate the currently logged-in user when executing the Active Directory portion that needs that access.

There may be slight variations depending on the version of ASP.NET you are using, but basically...

Step 1

For the user login, just use the standard ASP.NET authentication configuration. Because it's the easiest to configure (and just works with AD) I'll document Windows Authentication here. This will prompt the user with a standard Windows login dialog box - where they will need to enter their domain credentials. To configure the application, make the following changes to the Web.config:

<configuration>
  ...
  <system.web>
    ...
    <authentication mode="Windows" />
    ...
  </system.web>
  ...
</configuration>

By default, ASP.NET should already know how to talk to the Active Directory when configured for Windows Authentication, so nothing else should be required, but if you find you need a separate Role Provider, feel free to take the one we use. (We also have instructions.) But again, you shouldn't need it.

Edit: You also need to make sure IIS is configured - using inetmgr.exe - to not allow anonymous access for the application. Otherwise, it will never prompt the user to log in. We typically disable Anonymous access and enable Windows and Basic authentication - because we need to support browsers that don't support NTLM.

Step 2

Now that you have an authenticated user, you can programmatically impersonate them. The following is adapted from Impersonating the authenticating user in code:

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

try
{
    // Do your writing to the AD here
}
finally
{
    impersonationContext.Undo();
}

I also just discovered (while searching for reference links for this answer) that this is all pretty well documented in the MSDN article How To: Use Windows Authentication in ASP.NET 2.0.

Let us know how it goes :-)

Shawn South answered Oct 20 '22 17:10