We have a web app that we are transitioning from an Azure classic cloud service to an App Service web app. The classic cloud service was on a vnet that contained our domain controllers (regular AD, NOT Azure AD). The App Service uses VNET Integration, so it is connected to our vnet, and therefore to the DCs (essentially via a client VPN).
When we run the code that creates a new AD user in the web app, the user is created successfully, but as soon as we try to change anything (set the password, add to a group, etc.) we get
"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
The user we're using to create and edit the account works fine from the cloud service, so it's not an AD permissions problem.
To try to simplify debugging, I wrote some PowerShell that I could run in the Kudu console to see if I could trap the error:
$DomainControllerIpAddress = "<domain controller IP>"
$domain = "<domain name>" # not used below, kept for reference
$BaseDN = "LDAP://$($DomainControllerIpAddress)"
$domAdmin = "domain\adminaccount"
$domPass = "<password>"
$userdn = "CN=TestUser,OU=TestOU,OU=ParentOU,DC=domain,DC=local"
$pass = "<newuserpassword>"
# Bind directly to the user object with explicit credentials
$userobj = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "$BaseDN/$userdn", $domAdmin, $domPass
# AuthenticationType is a [Flags] enum, so combine Secure and Sealing with -bor
# (adding this to try to force Kerberos makes no difference)
$userobj.AuthenticationType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
$userobj.Invoke("SetPassword", $pass) # this fails in the App Service but works fine everywhere else
This code runs fine from my local machine connecting to the same DC as the App Service, and it runs fine from a PowerShell console on one of the cloud service role instances, but it errors from the App Service.
The fact that we can create the user successfully proves LDAP connectivity works, but it's beyond me why setting the password gives an access denied error.
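A diagnostic that narrows this kind of failure down, added here as an example and not part of the post above. It is based on how the ADSI LDAP provider implements SetPassword: it does not use the plain LDAP (389) connection that created the user, but tries LDAP over SSL (636) first, then the Kerberos password-change service (464), and finally NetUserSetInfo over SMB (445). If none of those paths is reachable from the App Service, the operation surfaces as E_ACCESSDENIED even though the bind itself succeeded. The script checks each port with a raw TcpClient (so it needs no extra modules in the Kudu console) and then binds to RootDSE by IP and by FQDN; the FQDN placeholder is an assumption added here, because Windows will not build a Kerberos SPN for a bare IP address by default, so Secure+Sealing against an IP quietly falls back to NTLM. Placeholders are the same ones the post uses.

```powershell
# Added diagnostic script; not the poster's code. Fill in the same placeholders as the post.
$DomainControllerIpAddress = "<domain controller IP>"
$DomainControllerFqdn      = "<dc hostname>.<domain name>"   # assumed placeholder; Kerberos needs a name, not an IP
$domAdmin = "domain\adminaccount"
$domPass  = "<password>"

# TCP reachability test with a timeout, using TcpClient so it runs in the Kudu console as-is.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out: filtered
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Ports the ADSI LDAP provider tries, in order, when SetPassword is invoked.
# 389 is what creating the user needs, so it is the baseline known to work.
$checks = @(
    @{ Port = 389; Use = "LDAP - user creation path (baseline)" },
    @{ Port = 636; Use = "LDAPS - SetPassword attempt 1" },
    @{ Port = 464; Use = "Kerberos kpasswd - SetPassword attempt 2" },
    @{ Port = 445; Use = "SMB/NetUserSetInfo - SetPassword attempt 3" }
)
foreach ($c in $checks) {
    $state = if (Test-TcpPort -ComputerName $DomainControllerIpAddress -Port $c.Port) { "open" } else { "blocked/filtered" }
    "{0,4}  {1,-45} {2}" -f $c.Port, $c.Use, $state
}

# Bind check by IP and by FQDN. Binding by IP cannot use Kerberos (no SPN for an IP),
# so Secure+Sealing falls back to NTLM; the FQDN bind shows whether Kerberos works at all from here.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Sealing
foreach ($target in $DomainControllerIpAddress, $DomainControllerFqdn) {
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$target/RootDSE", $domAdmin, $domPass, $auth
        "bind to $target OK, defaultNamingContext = $($root.Properties['defaultNamingContext'].Value)"
    } catch {
        "bind to $target FAILED: $($_.Exception.Message)"
    }
}
```

Run it from the Kudu console of the App Service and again from a cloud service role instance and compare the two tables: a port that is open from the role instance but blocked or filtered from the App Service is the path SetPassword is silently losing. If 636 is open but the LDAPS bind fails, the DC certificate chain is the next thing to check from the App Service side; if 389 binds by IP but the FQDN bind fails, name resolution for the DC over the VNET Integration link is the gap.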