Is it possible to retrieve data from Active Directory by impersonating a Windows authenticated user in ASP.NET?

I've been trying to solve this problem all day, and I've read some conflicting information within the standard google message board answers.

What I'm trying to do is retrieve a domain user's (that is, the currently logged in user's) email address from Active Directory. My ASP.NET 4 website is set up for Windows Authentication and everything works fine until the Active Directory calls.

When I do the following, I get a COMException on the searcher.FindAll() line. The exception message is "An operations error occurred" (Very helpful message eh?) (Stripped down code for readability)

WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext wic = null;

wic = winId.Impersonate();
try
{
    using (DirectoryEntry root = new DirectoryEntry(rootQuery))
    using (DirectorySearcher searcher = new DirectorySearcher(root))
    {
        String userQuery = GetUserQuery();
        searcher.SearchScope = SearchScope.Subtree;
        searcher.Filter = userQuery;

        // Throws COMException "An operations error occurred" while impersonating
        using (SearchResultCollection results = searcher.FindAll())
        {
            return (results[0].Properties["proxyaddresses"][0]).ToString();
        }
    }
}
finally
{
    wic.Undo(); // revert to the worker process identity
}

So basically I want to impersonate the logged in user to make the call. Note this code works as expected if I pass in my credentials directly to the DirectoryEntry constructor. Also, I receive the same error if I get rid of the impersonation code and set application-wide impersonation in the web.config.

So I guess my question, before I waste any more time on this, is: is this even possible? Or do you have to specify a username and password to access AD?

BTW on my dev box I'm running IIS5, but will probably deploy to IIS6.

Edit:

As requested:

rootQuery = @"LDAP://{0}.com/DC={0}, DC=com";
userQuery = @"(&(samAccountName={0})(objectCategory=person)(objectClass=user))";

with the proper domain and user specified.

Erix asked Jul 15 '11 20:07

1 Answer

You are trying to impersonate a user to access an external resource (external meaning not on the same server). You CAN do this, but you will need to set up delegation in Active Directory so that the IIS server (or your Windows XP box for now) is trusted for delegation. Check out some of these resources to get started if this is the direction you want to go.

  • http://support.microsoft.com/kb/810572
  • http://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegation

Alternatively, to avoid the hassle of setting up and configuring delegation properly, I just create a service account in Active Directory and use it instead. You can either use the credentials in your code, like you said worked earlier, or use the Impersonation element in web.config to impersonate this service account: <identity impersonate="true" userName="DOMAIN\ServiceAccount" password="password"/>.

Peter answered Oct 19 '22 10:10
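The service-account approach from the answer, as an added C# example that is not part of the original question or answer: it binds with a dedicated account whose settings are assumed to live under hypothetical appSettings keys (AdRootPath, AdServiceUser, AdServicePassword), seals the LDAP session, and escapes the account name before it is placed in the search filter.

```csharp
using System.Configuration;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web;
public static class AdLookup
{
    // Escape a value for an LDAP search filter (RFC 4515) so that a name
    // containing ( ) * \ or NUL cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
    // Return the first proxyAddresses value of the Windows-authenticated caller.
    // The bind uses a service account read from hypothetical appSettings keys, so
    // the web server needs no delegation rights and the caller's token is never used.
    public static string GetProxyAddressForCurrentUser()
    {
        var winId = (WindowsIdentity)HttpContext.Current.User.Identity;
        string sam = winId.Name.Substring(winId.Name.IndexOf('\\') + 1); // DOMAIN\user -> user
        var settings = ConfigurationManager.AppSettings;
        // Secure = Kerberos/NTLM bind, Sealing = encrypt the LDAP session.
        using (var root = new DirectoryEntry(settings["AdRootPath"], settings["AdServiceUser"],
                   settings["AdServicePassword"], AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(sAMAccountName=" + EscapeFilterValue(sam) +
                              ")(objectCategory=person)(objectClass=user))";
            searcher.PropertiesToLoad.Add("proxyAddresses");
            SearchResult result = searcher.FindOne(); // FindOne needs no collection disposal
            if (result == null || result.Properties["proxyAddresses"].Count == 0) return null;
            return result.Properties["proxyAddresses"][0].ToString();
        }
    }
}
```

Because the bind identity is fixed, this works on IIS5/IIS6 without the double-hop delegation setup the answer links to; the service account only needs read access to the user objects.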