Querying Active Directory from ASP.NET


Z D

Hello,

I have an ASP.NET application from which I'd like to query active directory
for some information on a given user account (for example, the description
field, or e-mail field, etc).

When I try this code in a windows app things work fine. I'm assuming this
is because I'm running the program while being logged in as a domain user.

When I run the same code in ASP.NET (IIS v5), I get a
"System.Runtime.InteropServices.COMException: The specified domain either
does not exist or could not be contacted".

I'm assuming this is because ASP.NET is running the code under the I_USR
account which does not have domain access? SO, I specified a domain account
under "Anonymous Access" in the hopes that everything would be running under
this account.

The same error still continues... so, I was wondering if anybody could
please explain to me what the problem is and how to resolve it??

All I need to do is to be able to query AD from my ASP.NET application.

Thanks!
-ZD
 

Scott Allen

Hi Z D:

You'll want to change the identity of the ASP.NET worker process, or
use impersonation to get this to work.

See:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306158

Be aware you can't just use:

<identity impersonate="true" />

Because that impersonation is only good on the local machine, unless
additional configuration takes place.



Also:

Configuring ASP.NET Process Identity
http://msdn.microsoft.com/library/d...tml/cpconConfiguringASPNETProcessIdentity.asp


HTH,
 

Gerry Hickman

Hi Scott,

Changing topic slightly, is there any way to use the

<identity impersonate="true" />

concept to get local IIS debugging to work for a user who does not have
Admin rights? What does the impersonate key actually do? Is it basically
telling ASPNET_WP.EXE to run as the user as opposed to under its own
special account?
 

Chris Malone

Have you configured the web.config file for impersonation?

"Under the <System.web> section, add the following
element for impersonation:"

<identity impersonate="true" />


810572 How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/?id=810572



Chris Malone
Microsoft Directory Services
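As an added example (not code from any poster in this thread), here is a small ASP.NET HTTP handler that shows which Windows identity a request thread is really running under once Windows authentication and <identity impersonate="true" /> are configured, and whether that identity can reach the domain at all. That is the check to run before chasing the "specified domain either does not exist or could not be contacted" error: if the thread identity is still the local ASPNET account, impersonation is not in effect; if it is the client but the token level is only Impersonation, the NTLM token cannot be forwarded to the domain controller (Scott's "only good on the local machine" caveat). It assumes .NET Framework 2.0 or later for WindowsIdentity.ImpersonationLevel; the class name and the whoami.ashx path are placeholders of my choosing.

```csharp
// Added example (not code from any poster in this thread). An ASP.NET
// HTTP handler that reports which Windows identity the request thread is
// really running as, and whether that identity can contact the domain.
// Assumptions: .NET Framework 2.0 or later (WindowsIdentity.ImpersonationLevel),
// <authentication mode="Windows" /> and <identity impersonate="true" />
// under <system.web> in web.config, and a handler registration such as
//   <httpHandlers><add verb="GET" path="whoami.ashx" type="AdIdentityProbe" /></httpHandlers>
// The class name and the whoami.ashx path are placeholders. This is a
// troubleshooting page: remove the registration once the identity is sorted out.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

public class AdIdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string client = (context.User != null) ? context.User.Identity.Name : "(none)";
        string authType = (context.User != null) ? context.User.Identity.AuthenticationType : "";
        context.Response.ContentType = "text/plain";
        context.Response.Write(Describe(client, authType));
    }

    // Builds a plain-text report. 'client' is the name IIS authenticated;
    // the thread identity is what WindowsIdentity.GetCurrent() returns once
    // ASP.NET has (or has not) impersonated that client. Token level meanings:
    //   None          -> the process identity (ASPNET on IIS 5), not impersonating
    //   Impersonation -> the client's token, usable on this machine only
    //   Delegation    -> the client's token can be forwarded to a second hop
    //                    (a domain controller), which requires Kerberos delegation
    public static string Describe(string client, string authType)
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        bool impersonating = string.Equals(client, thread.Name, StringComparison.OrdinalIgnoreCase);
        string report =
            "IIS authenticated client : " + client + " (" + authType + ")\r\n" +
            "Request thread identity  : " + thread.Name + "\r\n" +
            "Impersonating the client : " + (impersonating ? "yes" : "NO") + "\r\n" +
            "Token impersonation level: " + thread.ImpersonationLevel + "\r\n";

        // RootDSE is served by every domain controller and needs no naming
        // context, so binding to it is the smallest "can I reach the domain"
        // test under the current security context.
        try
        {
            using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
            {
                string dnc = rootDse.Properties["defaultNamingContext"].Value as string;
                report += "RootDSE bind             : ok, defaultNamingContext=" + dnc + "\r\n";
            }
        }
        catch (COMException ex)
        {
            // "The specified domain either does not exist or could not be
            // contacted" lands here: the identity printed above has no
            // usable domain credentials (a local machine account, or an
            // NTLM token that cannot be forwarded to the domain controller).
            report += "RootDSE bind             : FAILED, HRESULT 0x"
                    + ex.ErrorCode.ToString("X8") + ": " + ex.Message + "\r\n";
        }
        return report;
    }
}
```

Browse to whoami.ashx from a domain-joined client. A thread identity equal to the client with level Delegation and a successful RootDSE bind means the second hop works; a thread identity of the client with level Impersonation and a failed bind is the NTLM double-hop limitation; a thread identity of the local ASPNET account means impersonation never took effect.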
 

Scott Allen

Hi Gerry:


Debugging is not possible with just an identity setting. There is some
information in the following document on how to debug as non-admin:

Developing Software in Visual Studio .NET with Non-Administrative
Privileges
http://msdn.microsoft.com/library/d...studionetwithnon-administrativeprivileges.asp

See the section "debugging ASP.NET applications". Basically you have
to change the identity of the worker process, which is unfortunate, I
feel.

With identity impersonate="true", the thread that is processing a web
request will impersonate the client for the duration of the request.
So any resources the thread tries to access on the local machine it
accesses with the security credentials of the client instead of the
ASPNET user. Once the thread has finished processing it reverts back to
the identity of the process.
 

Gerry Hickman

Hi Scott,

> Debugging is not possible with just an identity setting.
> See the section "debugging ASP.NET applications". Basically you have
> to change the identity of the worker process, which is unfortunate, I
> feel.

Yes, this is the problem I ran into. I had to put the username and
password of the lead developer into the machine.config file. Not good!

What I don't understand is why it's not possible to elevate the
privileges of the aspnet_wp.exe process such that it's suddenly allowed
to debug? I tried to do this on a test box, but no joy...

Am I right in thinking this is fixed in VS.NET 2005 by using the new
embedded web server?
 

Scott Allen

Hi Gerry:

It works the other way, actually. You have to elevate the privileges
of the user, who is a non-administrator, to allow the debugger to
break into the ASPNET worker process when it runs under a different
security context. I'm not sure if there is another way around this,
but the embedded web browser in 2005 will make this pain and a lot of
others go away!

What you could do to improve the situation is to use setreg.exe to
encrypt the lead dev's password:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

I'm not sure if you know about using runas, which is an alternate
solution only if you allow temporary admin privs:
http://www.microsoft.com/windowsxp/.../windowsxp/home/using/productdoc/en/runas.asp
 

Gerry Hickman

Scott said:
> It works the other way, actually. You have to elevate the privileges
> of the user, who is a non-administrator, to allow the debugger to
> break into the ASPNET worker process

Aha! Suddenly it makes more sense, but this user is already in the "VS
Developers" group and the "Debugger Users" group, so what privilege are
they missing?

The thing is, I don't mind elevating their privilege for this, but I
don't really want to put them in the Administrators group because if I
do, the machine is more open to hack attack and also they can mess up
all the software and system files.

Regarding RunAS, I'm not sure how this would work. Do you mean run the
whole of Visual Studio.NET "As", or do you mean run the ASPNET worker
process "As"?
 

Scott Allen

Hi Gerry:

With runas the developer could run VS.NET "as" an administrator.

Attaching a debugger requires a certain level of privilege. Putting
someone in the "Debugger User" group gives them privileges to debug
their own processes, but the ASP.NET worker process runs under a
different account, and it requires admin privs to attach a debugger to
someone else's process. Thus the quandary!
 

Gerry Hickman

Scott said:
> Attaching a debugger requires a certain level of privilege. Putting
> someone in the "Debugger User" group gives them privileges to debug
> their own processes, but the ASP.NET worker process runs under a
> different account, and it requires admin privs to attach a debugger to
> someone else's process. Thus the quandary!

Thanks again for explaining this in a clear way. Let's look at the
ability to attach to someone else's process:

Presumably there is some kind of privilege assigned to the
Administrators group by default, that allows this to happen? If so,
would it not be possible to simply assign this privilege to the lead
developer (or their local security group) using the Local Security
Administrative tool in Control Panel?
 

Scott Allen

Hi Gerry:

I apologize. Now that I RE-read some of the documentation, it appears
the Debugger User group does give you the privilege to debug a
process in a different security context (SeDebugPrivilege). Is that
not working for you?

It seems the strong suggestion is to go with setreg and running the
worker process under the same credentials as the user:
http://radio.weblogs.com/0118356/2003/05/17.html#a101
 

Gerry Hickman

Hi Z D,

> I have an ASP.NET application from which I'd like to query active directory
> for some information on a given user account (for example, the description
> field, or e-mail field, etc).

Yes.

> When I try this code in a windows app things work fine. I'm assuming this
> is because I'm running the program while being logged in as a domain user.

Yes.

> When I run the same code in ASP.NET (IIS v5), I get a
> "System.Runtime.InteropServices.COMException: The specified domain either
> does not exist or could not be contacted".
>
> I'm assuming this is because ASP.NET is running the code under the I_USR
> account which does not have domain access? SO, I specified a domain account
> under "Anonymous Access" in the hopes that everything would be running under
> this account.

This implies you have designed this application for world-wide
anonymous access? So if you've enabled Anonymous in IIS you're correct
in assuming changing the account would suddenly allow it to start
working. However, if (like me) you have DISABLED anonymous access in IIS
and only allow "Integrated" then the problem is perhaps different, and
changing the anonymous account will not help...

As I understand it, with integrated enabled, but without Kerberos
delegation (NTLM in other words), it won't work, because although IIS
logs me into the web application as a domain admin (for example) the
first GetObject call to the Active Directory server will fail because it
can't "pass through" my credentials to the second hop server. I'm not
actually sure which account IIS is using at that point, but I don't see
how enabling "impersonation" can help??

It seems to me, the only way it would ever work is to send a plain text
username and password - horrible!

What I tried today was setting up a limited account called
mydom\adaccess, and then I use IADsOpenDSObject::OpenDSObject
in the code supplying the plain text credentials. This worked, but there
must be a better way??
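As an added example (not Gerry's code, nor anything else posted in this thread), this is the same lookup done with a dedicated low-privilege read-only account rather than the caller's non-delegatable identity, but without the cleartext simple bind that OpenDSObject with plain credentials amounts to. Three things differ from that approach: the bind uses AuthenticationTypes.Secure (SSPI, so the password is not sent in clear) plus Sealing (encrypted LDAP traffic); the credentials are read from configuration rather than compiled in; and the account name that goes into the LDAP filter is escaped so a caller cannot change the query's structure. It assumes .NET Framework 2.0 or later for ConfigurationManager; the appSettings key names, class and method names are my own.

```csharp
// Added example, not code from the thread. Looks up one user's description
// and mail attributes with an explicit, least-privilege read-only service
// account instead of the caller's (non-delegatable) identity.
// Assumed (not from the thread): appSettings keys "AdServiceUser" and
// "AdServicePassword" in web.config, and a domain account that only has
// read rights on user objects. Requires .NET Framework 2.0 or later.
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Text;

public class AdUserLookup
{
    public string Description;
    public string Mail;

    // Escapes the characters RFC 4515 reserves in filter values, so a
    // caller-supplied name cannot alter the structure of the LDAP query.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the user's description and mail, or null when no such account exists.
    public static AdUserLookup Find(string samAccountName)
    {
        string user = ConfigurationManager.AppSettings["AdServiceUser"];     // e.g. MYDOM\adaccess
        string pass = ConfigurationManager.AppSettings["AdServicePassword"];

        // Secure = authenticate via SSPI (Kerberos/NTLM) instead of a cleartext
        // simple bind; Sealing = encrypt the LDAP session as well.
        AuthenticationTypes auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;

        // Discover the domain naming context rather than hard-coding it.
        string dnc;
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE", user, pass, auth))
        {
            dnc = (string)rootDse.Properties["defaultNamingContext"].Value;
        }

        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + dnc, user, pass, auth))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + EscapeFilterValue(samAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            // Ask only for what the page needs; the account should not be able
            // to read more anyway, but this keeps the result small.
            searcher.PropertiesToLoad.Add("description");
            searcher.PropertiesToLoad.Add("mail");

            SearchResult result = searcher.FindOne();
            if (result == null)
                return null;

            AdUserLookup found = new AdUserLookup();
            found.Description = FirstValue(result, "description");
            found.Mail = FirstValue(result, "mail");
            return found;
        }
    }

    private static string FirstValue(SearchResult r, string attribute)
    {
        ResultPropertyValueCollection values = r.Properties[attribute];
        return values.Count > 0 ? values[0] as string : null;
    }
}
```

The password still lives in web.config, so the account must be one that can do nothing but read the attributes this page shows. On .NET 2.0 the appSettings section can additionally be encrypted at rest with aspnet_regiis (the -pe option), which plays the same role here that setreg.exe plays for the machine.config password discussed earlier in the thread.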
 

Gerry Hickman

Hi Scott,

> I apologize. Now that I RE-read some of the documentation, it appears
> the Debugger User group does give you the privilege to debug a
> process in a different security context (SeDebugPrivilege). Is that
> not working for you?

No this doesn't work for me. On my test system (Win2k IISv5) I have
given this privilege to the Debugger Users group and my test user is in
that group. My guess is that this only applies to debugging windows
programs as opposed to programs running on IIS? If this is the case,
what on earth can the other "secret" privilege be, that Administrators
seem to have?!

Hmmmm, I even enabled security auditing and setting a break point on a
web app running on the local IIS with the config above shows NO audit
failures! Even though VS.NET gives the "Access Denied" error as soon as
the debugger starts up...

> It seems the strong suggestion is to go with setreg and running the
> worker process under the same credentials as the user:
> http://radio.weblogs.com/0118356/2003/05/17.html#a101

Thanks I read the article, but it just seems to repeat the suggestion of
changing machine.config, which for me does not seem like a good solution.
 

Bob Qin [MSFT]

Hi ZD,

Thank you for posting here.

To better address this problem, I would like to suggest that you contact
our Developer newsgroups. I have provided the link below:

<<http://msdn.microsoft.com/newsgroups/default.asp>>

Or you may ask for developer support:
http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn

I believe that you can get more informative answers there.

Thank you again for using our newsgroup.

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Z D" <[email protected]>
Subject: Querying Active Directory from ASP.NET
Date: Mon, 20 Sep 2004 10:46:54 -0400
Newsgroups: microsoft.public.active.directory.interfaces,microsoft.public.dotnet.framework.aspnet,microsoft.public.win2000.active_directory

 
