DirectoryServices.AccountManagement

Thread starter: David Jenkins Toppan

David Jenkins Toppan

I'm really having a hard time using DirectoryServices.AccountManagement. I
seem to be able to get it to work fine in Visual Web Developer 2008, but when
I deploy to an IIS server I get cast issues.

I have a screenshot here:
http://forums.asp.net/p/1210311/2131427.aspx#2131427

Unable to cast object of type
'System.DirectoryServices.AccountManagement.GroupPrincipal' to type
'System.DirectoryServices.AccountManagement.UserPrincipal'.
 
Willy Denoyette [MVP]

David Jenkins Toppan said:
I'm really having a hard time using DirectoryServices.AccountManagement. I
seem to be able to get it to work fine in Visual Web Developer 2008, but when
I deploy to an IIS server I get cast issues.

I have a screenshot here:
http://forums.asp.net/p/1210311/2131427.aspx#2131427

Unable to cast object of type
'System.DirectoryServices.AccountManagement.GroupPrincipal' to type
'System.DirectoryServices.AccountManagement.UserPrincipal'.

You are running in the context of a group SID, not a user account SID.
If ASP.NET is running as NT_AUTHORITY\NETWORK SERVICE or NT_AUTHORITY\LOCAL
SERVICE, then the current user SID is a group SID and the cast to a
UserPrincipal will fail (this is normal). So, you need to make sure that you
run in the context of a user account, or you need to catch this exception
and take the appropriate action.

Willy.
 
David Jenkins Toppan

Are there any articles I could read that you know of that explain what I
need to do?
 
Willy Denoyette [MVP]

David Jenkins Toppan said:
Are there any articles I could read that you know of that explain what I
need to do?

First, you will have to tell us what and why you "need to do" it. The
DirectoryServices.AccountManagement namespace is meant to be used for
account management, that is, to manage user, group, service, system, machine
etc.... accounts, stored in several possible identity stores (SAM, AD, ADAM
etc..).
Now, it looks like you are only trying to identify the current user in an
ASP.NET application, if that is true, you should use the
System.Security.Principal namespace in order to get the WindowsIdentity of
the current user.
For instance:
    WindowsIdentity wi = WindowsIdentity.GetCurrent(false);
    wi.Name

will return the logon name of the current user. This will be the
impersonated user identity if the current thread is impersonating; otherwise it
will hold the process identity.
In the case of IIS and ASP.NET, this will be the user identity of the "base"
client when authentication and impersonation are enabled and configured
correctly; otherwise it will be the identity of the ASP.NET worker process,
depending on the version of IIS and how it is configured.
All this is well documented in MSDN, all you need to do is search for
Patterns and Practices
http://msdn2.microsoft.com/en-us/library/ms998572.aspx and start with
"Authentication and Authorization"
http://msdn2.microsoft.com/en-us/library/aa302383.aspx and have a look at
the numerous "How To's" here...
http://msdn2.microsoft.com/en-us/library/ms978512.aspx



Willy.
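The two points in Willy's replies above (identify the caller with WindowsIdentity.GetCurrent, and handle the case where the current SID is a group SID rather than casting it to UserPrincipal) as one added C# example. This is not code from the thread; it assumes a domain-joined machine, a page control named Label1, and that the current thread's security context is allowed to bind to the domain.

```csharp
// Added example (not from the thread). Identify the calling identity and
// resolve it to a directory principal without assuming it is a user account.
// UserPrincipal.Current performs the same lookup and casts the result to
// UserPrincipal; that cast is what throws when the thread runs as a group SID
// such as NT AUTHORITY\NETWORK SERVICE and nobody is being impersonated.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class CallerLookup
{
    // Logon name of the identity the current thread runs under: the
    // impersonated client if the thread is impersonating, else the process.
    public static string CurrentLogonName()
    {
        WindowsIdentity wi = WindowsIdentity.GetCurrent(false);
        return wi.Name;
    }

    // Looks up the current identity's SID in the directory behind ctx.
    // Returns null plus a reason instead of throwing InvalidCastException
    // when the SID does not belong to a user. The caller owns (and must
    // dispose) the returned principal; ctx must outlive it.
    public static UserPrincipal TryGetCurrentUser(PrincipalContext ctx, out string reason)
    {
        reason = null;
        WindowsIdentity wi = WindowsIdentity.GetCurrent(false);
        if (wi.IsAnonymous || wi.User == null)
        {
            reason = "thread has no authenticated Windows identity";
            return null;
        }

        // Principal.FindByIdentity returns the base type, so no cast is needed yet.
        Principal p = Principal.FindByIdentity(ctx, IdentityType.Sid, wi.User.Value);
        if (p == null)
        {
            reason = "SID " + wi.User.Value + " was not found in the directory";
            return null;
        }

        UserPrincipal user = p as UserPrincipal;
        if (user == null)
        {
            // Typical when ASP.NET runs as NETWORK SERVICE / LOCAL SERVICE
            // without impersonation: the SID resolves to a group, not a user.
            reason = wi.Name + " resolved to a " + p.GetType().Name + ", not a user account";
            p.Dispose();
            return null;
        }
        return user;
    }
}

// Usage from an ASP.NET page; Label1 is assumed to exist on the page.
public partial class WhoAmI : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string why;
        // A PrincipalContext with no explicit credentials binds using the
        // current thread's security context (impersonated client or process).
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = CallerLookup.TryGetCurrentUser(ctx, out why))
        {
            Label1.Text = user != null
                ? "Running as user " + user.SamAccountName
                : "Running as " + CallerLookup.CurrentLogonName() + ": " + why;
        }
    }
}
```

The lookup deliberately goes through Principal.FindByIdentity rather than UserPrincipal.Current so that a group SID is reported as a readable reason instead of surfacing as the InvalidCastException from the first post.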
 
David Jenkins Toppan

I was trying to pull attributes like name and phone number of the current
user. This is an Intranet application I'm creating.
 
Willy Denoyette [MVP]

David Jenkins Toppan said:
I was trying to pull attributes like name and phone number of the current
user. This is an Intranet application I'm creating.

I see, in that case you need to make sure that "Windows Authentication" is
enabled and that you are "impersonating", and that your clients are using
IE.

Willy.
 
David Jenkins Toppan

I'll read up on it. I've got the web.config already set up for Windows and
disabled anonymous access. In IIS I've unchecked anonymous logon and selected
Integrated Windows Authentication.

I appreciate the help. If you know of a good example on the net on how to
do impersonation, that would be great. I'm still a novice. I'm an MCSE, so I
really only know AD and other MS applications.
 
Willy Denoyette [MVP]

If you want to impersonate the authenticated client, you'll have to set the
"identity impersonate" to true, like this:

<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
....

You don't have to impersonate in code, the above will automatically set the
client token to the thread handling the request.

Willy.

Note that asp.net related questions should be posted to the aspnet NG's
<Microsoft.public.dotnet.framework.aspnet> and
<microsoft.public.dotnet.framework.aspnet.security>
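A complete system.web section for the setup discussed in this thread, as an added example rather than Willy's own snippet. It assumes IIS already has anonymous access disabled and Integrated Windows Authentication enabled, as David described; the authorization element is the check that keeps a page from ever running without a client identity.

```xml
<configuration>
  <system.web>
    <!-- Authenticate with the client's Windows credentials
         (Integrated Windows Authentication in IIS). -->
    <authentication mode="Windows" />

    <!-- Run each request thread under the authenticated client's token,
         so WindowsIdentity.GetCurrent() returns the client, not the worker process. -->
    <identity impersonate="true" />

    <!-- Refuse unauthenticated callers ("?") so no page executes
         without a client identity to impersonate. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With deny users="?" in place, an anonymous request is rejected before Page_Load runs, so code that relies on the impersonated identity never sees the worker-process identity by accident.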
 
David Jenkins Toppan

Alright, I'm going nuts now. You've been a big help. Hopefully you can help
with one last thing. I don't seem to be able to impersonate a domain user and
allow them to look up their own information.

All I want to do is capture the name, phone, and email of the user logged
in. I thought DirectoryServices.AccountManagement would be the best
route, but I can't get it to work in IIS. The simplest page is driving me
absolutely mad.

This works on my PC but not in IIS.

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Security.Principal;
using System.DirectoryServices.AccountManagement;

public partial class Test : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // UserPrincipal.Current looks up the current thread's SID in the
        // domain and casts the result to UserPrincipal.
        Label1.Text = UserPrincipal.Current.DisplayName.ToString();
    }
}

Now that I'm impersonating the user I would think this works. I get errors
like this:

An operations error occurred.

Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: An
operations error occurred.


Source Error:


Line 18: protected void Page_Load(object sender, EventArgs e)
Line 19: {
Line 20: Label1.Text = UserPrincipal.Current.DisplayName.ToString();
Line 21:
Line 22: }


Source File: d:\WebApps\userprovisioning\Test.aspx.cs Line: 20

Stack Trace:


[COMException (0x80072020): An operations error occurred.
]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +451
System.DirectoryServices.DirectoryEntry.Bind() +36
System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
System.DirectoryServices.PropertyValueCollection.PopulateList() +25
System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry
entry, String propertyName) +92
System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
+131

System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() +1091

System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() +37
System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
+104

System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() +31

System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext
context, Type principalType, Nullable`1 identityType, String identityValue,
DateTime refDate) +19

System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext
context, Type principalType, IdentityType identityType, String identityValue)
+111

System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue) +29
System.DirectoryServices.AccountManagement.UserPrincipal.get_Current() +213
Test.Page_Load(Object sender, EventArgs e) in
d:\WebApps\userprovisioning\Test.aspx.cs:20
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
Object t, EventArgs e) +15
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
EventArgs e) +33
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436
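An added C# version of the page above that reads the three attributes David is after (display name, phone, e-mail) while avoiding the failure mode in the stack trace. It is not code from the thread. It assumes the web.config settings Willy gave, a control named Label1, and that the worker-process identity (for NETWORK SERVICE, the machine account) is allowed to read those attributes in AD. One common cause of COMException 0x80072020 during DirectoryEntry.Bind under impersonation is that the client's token from Integrated Windows Authentication is a network logon token, which the web server cannot reuse to authenticate to the domain controller unless Kerberos delegation is configured; whether that is the cause here is not confirmed by the thread. The example therefore takes the client's SID from the impersonated token and performs the LDAP bind as the worker process.

```csharp
// Added example (not from the thread). Reads DisplayName, phone and e-mail
// of the authenticated client. The client's SID comes from the impersonated
// token; the directory bind runs under the worker-process identity.
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.UI;

public partial class Test : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With <authentication mode="Windows"/> and <identity impersonate="true"/>
        // the request thread carries the client's token, so this is the client.
        WindowsIdentity client = WindowsIdentity.GetCurrent(false);
        if (client.IsAnonymous || client.User == null)
        {
            Label1.Text = "No authenticated Windows client.";
            return;
        }
        string clientSid = client.User.Value;

        try
        {
            Label1.Text = LookupContact(clientSid);
        }
        catch (PrincipalServerDownException ex)
        {
            // Domain controller unreachable: generic message to the browser,
            // detail to the server-side trace log only.
            Label1.Text = "Directory unavailable.";
            System.Diagnostics.Trace.TraceError("LDAP bind failed: {0}", ex);
        }
        catch (COMException ex)
        {
            // The 0x80072020 case from the stack trace ends up here instead of
            // as an unhandled exception page that leaks file paths and frames.
            Label1.Text = "Directory lookup failed.";
            System.Diagnostics.Trace.TraceError("Directory lookup failed: {0}", ex);
        }
    }

    // Resolves a SID to the user's contact attributes, binding as the worker
    // process rather than as the impersonated client (assumption: the process
    // identity can read these attributes, which is the AD default).
    private static string LookupContact(string sid)
    {
        // Impersonate(IntPtr.Zero) reverts the thread to the process identity
        // until the returned context is disposed at the end of the using block.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (Principal p = Principal.FindByIdentity(ctx, IdentityType.Sid, sid))
        {
            UserPrincipal user = p as UserPrincipal;
            if (user == null)
            {
                // Group or unknown SID: report it rather than cast and throw.
                return "SID " + sid + " is not a user account.";
            }

            // Unset AD attributes come back as null, so substitute a marker
            // instead of letting .ToString() throw as the original page did.
            return string.Format("{0} / {1} / {2}",
                user.DisplayName ?? "(no display name)",
                user.VoiceTelephoneNumber ?? "(no phone)",
                user.EmailAddress ?? "(no e-mail)");
        }
    }
}
```

Disposing the context returned by WindowsIdentity.Impersonate restores the client's token for the rest of the request, so only the directory bind itself runs as the worker process; everything else on the page still sees the impersonated user.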
 
