
I've been pulling my hair out at this issue, been all over stack overflow but still haven't been able to fix it.

The Goal

I am trying to create accounts on demand on Windows Server 2019 Azure VM. The VM is not joined to a domain, just a standalone server in that lonely workgroup. The application is an ASP.NET Framework v4.6.1 Web API application running as an App Service in Azure.

    using System;
    using System.Collections.Generic;
    using System.DirectoryServices.AccountManagement;

    // Connects to the standalone VM's local SAM with the VM admin credentials,
    // creates the user and adds it to the local Administrators group.
    // vmData holds "ip", "name" (computer name), "username" and "password".
    static void CreateLocalAdmin(IDictionary<string, object> vmData, string username, string password)
    {
        using (var context = new PrincipalContext(
            ContextType.Machine,
            vmData["ip"].ToString(),
            null,                                   // container: must be null for machine contexts
            ContextOptions.Negotiate,
            $@"{vmData["name"]}\{vmData["username"]}",
            vmData["password"].ToString()))
        {
            using (var user = new UserPrincipal(context))
            {
                user.DisplayName = username;        // the App Service deployment throws "Access is denied" here
                user.SamAccountName = username;
                user.SetPassword(password);
                user.PasswordNeverExpires = true;

                user.Save();

                using (var group = GroupPrincipal.FindByIdentity(context, "Administrators"))
                {
                    if (group == null)
                        throw new InvalidOperationException("Local Administrators group not found.");

                    group.Members.Add(user);
                    group.Save();
                }
            }
        }
    }

The Issue

When running this code locally everything works out fine, the connection to the Azure VM is a success, the user is created and added to the local admin group on the server.

When this code is published to the App Service in Azure it will always throw a System.Runtime.InteropServices.COMException: Access is denied. at the line user.DisplayName = username;. I am assuming that when trying to set user.DisplayName the server is queried in some way, but that property of a user is not required to be unique, and I know from previous projects that the real check for unique properties happens when you Save() the user.

Research & Attempted fixes

  • I disabled the firewall rules which allowed inbound traffic from the App Service IPs to the Azure VM just to see if I would get a different exception => Timeout / Server could not be reached. Firewall rules seem to be correct
  • I disabled all firewalls completely to make sure that the firewall rules did not miss any ports or protocols required => Access is denied!
  • I attached Visual Studio to remotely debug the App Service hoping to get more details from the exception => Access is denied, nothing more.
  • Tried fixes from "PSEXEC, access denied errors"
  • Found there were bugs using .NET 4.5 (".NET 4.5 Bug in UserPrincipal.FindByIdentity (System.DirectoryServices.AccountManagement)") => using 4.6.1
  • Checked the remote server to verify the account being created did not already exist
  • Checked the remote server event logs for any logs that could be related to this issue, failed login, audits, anything. Nothing to be found.

Last resort

At this point I am about to enable OpenSSH on those VMs and start trying to create local accounts that way.

Would anyone have any idea where to look, other things to try?

Thanks in advance!

UPDATE 1:

I've changed the project from .NET Framework v4.6.1 to v4.7.2 since Azure App Service runs either .NET v3.5 or .NET v4.7.

Screenshot of Azure App Service configuration displaying .NET v4.7 setting

Hoping this could produce the same Exception on my local machine I gave the test another go and it does indeed throw a COMException on the same line. However it is not the same COMException.

System.Runtime.InteropServices.COMException: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

Since I just made the change to v4.7.2 I am still researching this new exception, just figured this extra information could be important to add to the original issue.

  • Any luck with this? I'm having a similar problem with moving users from one OU to another. It works fine locally or on any machine joined to the domain, but fails from Azure App Services. – Safari137 May 21 '20 at 14:57
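A diagnostic I would add at this point (added here, not code from the question or the answer): run on the VM itself to see whether the App Service's network logon actually reaches the server and, if it does, why it is rejected. It assumes an elevated PowerShell session on the VM; the client IP and the account name are placeholders for the App Service outbound IPs and the account passed to PrincipalContext.

```powershell
# Added diagnostic example, not part of the original post. Placeholders:
# $ClientIp  = the App Service outbound IPs (see the App Service "Properties" blade)
# $TargetUser = the local account used in the PrincipalContext constructor
param(
    [string[]]$ClientIp   = @('203.0.113.10'),
    [string]  $TargetUser = 'svc-provisioner',
    [int]     $Hours      = 24
)

# 1. If "Audit Logon" failures are not enabled there is nothing to find, which
#    would explain "nothing to be found" in the question. Show the current setting.
auditpol /get /subcategory:"Logon"

# 2. Pull network logons: LogonType 3 is what a remote SAM/SMB connection from
#    another host produces. 4624 = success, 4625 = failure.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Event data is only exposed as XML; flatten the <Data Name="..."> nodes.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['LogonType'] -ne '3') { continue }
    if (($ClientIp -notcontains $d['IpAddress']) -and ($d['TargetUserName'] -ne $TargetUser)) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        ClientIp  = $d['IpAddress']
        Package   = $d['AuthenticationPackageName']   # NTLM is expected for a workgroup server
        # 4625 only. Status 0xC000006D = bad user name or password (SubStatus says which);
        # Status 0xC000015B = this logon type is not granted to the account.
        Status    = $d['Status']
        SubStatus = $d['SubStatus']
    }
}
```

A 4625 means the credentials or logon right are being rejected, and Status/SubStatus say why; a 4624 followed by "Access is denied" means authentication succeeded and the SAM operation itself was refused, which on a workgroup machine is typically UAC remote token filtering for local administrator accounts other than the built-in Administrator.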

1 Answer


It looks like Azure App Services may be blocking certain LDAP/Active Directory interactions.

Look at the following question/answer: Azure App Service Active Directory Authentication Access Denied

Auth0 did a write-up that uses LdapConnection (also part of .NET). I have been able to successfully get some things to work using that library instead of PrincipalContext or DirectoryEntry.

https://github.com/auth0-blog/blog-ldap-csharp-example/blob/master/LDAPClient/LDAPClient/Client.cs

– Safari137