Is it possible to retrieve data from Active Directory by impersonating a Windows authenticated user in ASP.NET?

Question

I've been trying to solve this problem all day, and I've read some conflicting information within the standard google message board answers.

What I'm trying to do is retrieve a domain user's (that is, the currently logged in user's) email address from active directory. My ASP.NET 4 website is setup for Windows Authentication and everything works fine until the active directory calls.

When I do the following, I get a COMException on the search.findAll() line. The exception message is "An operations error occured" (Very helpful message eh?) (Stripped down code for readability)

WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext wic = null;

wic = winId.Impersonate();
using (DirectoryEntry root = new DirectoryEntry(rootQuery))
{
      String userQuery = GetUserQuery();
      DirectorySearcher searcher = new DirectorySearcher(root);
      searcher.SearchScope = SearchScope.Subtree;
      searcher.Filter = userQuery;

      SearchResultCollection results = searcher.FindAll();
      return (results[0].Properties["proxyaddresses"][0]).ToString();
}

So basically I want to impersonate the logged in user to make the call. Note this code works as expected if I pass in my credentials directly to the DirectoryEntry constructor. Also, I receive the same error if I get rid of the impersonation code and set application wide impersonation in the web config.

So I guess my question, before I waste any more time on this, is this even possible? Or do you have to specify a username and password to access AD?

BTW on my dev box I'm running IIS5, but will probably deploy to IIS6.

edit:

as requested:

rootQuery = @"LDAP://{0}.com/DC={0}, DC=com";
userQuery = @"(&(samAccountName={0})(objectCategory=person)(objectClass=user))";

with the proper domain and user specified.

@Charles Just set the asp.net version to 4 in the asp.net tab of your website properties — Erix, Jul 18 '11 at 13:47
@Charles Boyung - I too wondered about doing that - http://stackoverflow.com/questions/3194866/running-asp-net-4-0-with-iis-5-1 — Peter, Jul 18 '11 at 14:08

score 5 · Accepted Answer · answered Jul 18 '11 at 14:12

You are trying to impersonate a user to access an external resource (external meaning not on the same server). You CAN do this, but you will need to setup delegation in active directory so that the IIS server (or your WindowsXP box for now) is trusted for delegation. Check out some of these resources to get started if this is the direction you want to go.

Alternatively, to avoid the hastle of setting up and configuring delegation properly I just create a service account in active directory and use it instead. You can either use the credentials in your code, like you said worked earlier, or use the Impersonation element in web.config to impersonate this service account: <identity impersonate="true" userName="DOMAIN\ServiceAccount" password="password"/>.

Rather than impersonate the domain account, would it work to run the app pool under this service account in IIS 6? Putting the user/password in plain text in code/web.config bothers me. — Erix, Jul 19 '11 at 12:19
Given a change to IIS 6 I would think this would work fine. Additionally you can encrypt portions of your web.config file to avoid the plaintext issue: http://msdn.microsoft.com/en-us/library/ff647398.aspx. — Peter, Jul 20 '11 at 13:20

score 2 · Answer 2 · answered Jul 19 '11 at 08:48

As @Patricker mentions you have to enable delegation to support this scenario. Also make sure that you use an authentication mechanism that supports delegation. If you use Kerberos to authenticate the user to the web server, delegation is possible, but not with NTLM[1]. If you use basic authentication delegation is also possible (as the web server has access to username and password of the client).

score 1 · Answer 3 · answered Jul 17 '11 at 21:27

1

If I remember right, there were some challenges here if the app pool was running as Network Service vs a domain account. How is yours configured?

Also, can you post the value of rootQuery and the resultant value for userQuery?

answered Jul 17 '11 at 21:27

Brian Desmond

4,473
1
13
11

I'm running IIS 5.1 here so there is no app pool. – Erix Jul 18 '11 at 13:35

score 1 · Answer 4 · answered Jul 18 '11 at 14:08

1

Don't you think it has something to do with Troubleshooting Authentification problem on ASP pages

answered Jul 18 '11 at 14:08

JPBlanc

70,406
17
130
175

score 0 · Answer 5 · edited May 23 '17 at 11:50

0

Also noticed the way in the code to search LDAP looks very performance cost expensive. You might want to query LDAP using sid search, which can be found in attached link

edited May 23 '17 at 11:50

Community

1
1

answered Dec 06 '12 at 06:28

anIBMer

1,159
2
12
20

Is it possible to retrieve data from Active Directory by impersonating a Windows authenticated user in ASP.NET?

5 Answers5

Linked