ASP.NET Adding a User to Active Directory

[Mick Walker]

Hi All,

I have an asp.net app, which is supposed to add a user to the AD Users
group.
I am using the ASP Memberhsip provider for this and have configured it
in the web.config file. All works Well, I can login, list users, etc etc.

However when it comes to creating a user, I get the following error:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access is denied.
(Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
or Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the
boxes for the desired access.


In my webconfig I have set the following:

<identity impersonate="true" userName="domain\Administrator"
password="SomePass"/> (I know this isnt secure, but it is a test
enviroment setup especially for my learning.

So I am lost to why I cant create a new user in the AD Domain.

Does anyone have any ideas? The code I am using is:

string username = "SwedishChef";
string password = "bj#kbj$k";


Membership.CreateUser(
username, password);



And here is my Provider setup from my web.config:

<membership defaultProvider="MyADMembershipProvider">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add
name="MyAdMembershipProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConn"
connectionUsername="domain\Administrator"
connectionPassword="SomePass"
applicationName="/ControlPanel"
enableSearchMethods="true"
/>
</providers>

</membership>

 

[Juan T. Llibre]

Save this code to a file named "identity.aspx",
within the app in question, and run it.

identity.aspx:
-------------------
<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = "ASP.NET is running as the account : " & tmp
End Sub
</script>
<html>
<head>
<title>What account is ASP.NET running as ?</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
----------------

Whichever account is returned by the page is the account which needs AD access permissions.

Silly question : are you running a web server on your domain controller ?
That, generally, is considered to be a no-no for security reasons.

Active Directory runs on Windows Server 2008, Windows Server 2003,
and Windows 2000 Server domain controllers.

If you're not running one of those servers, or AD hasn't been installed on your OS,
you will not be able to add a user to a non-existent AD.

 

[Mick Walker]

Save this code to a file named "identity.aspx",
within the app in question, and run it.

identity.aspx:
-------------------
<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = "ASP.NET is running as the account : " & tmp
End Sub
</script>
<html>
<head>
<title>What account is ASP.NET running as ?</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
----------------

Whichever account is returned by the page is the account which needs AD access permissions.

Silly question : are you running a web server on your domain controller ?
That, generally, is considered to be a no-no for security reasons.

Active Directory runs on Windows Server 2008, Windows Server 2003,
and Windows 2000 Server domain controllers.

If you're not running one of those servers, or AD hasn't been installed on your OS,
you will not be able to add a user to a non-existent AD.

No were not runing IIS on our domain controller. We have 2 windows 2008
Domain controllers, and 3 webservers setup.

When I run that page I get:
ASP.NET is running as the account : domain\Administrator

Now I am really lost....

 

[Mick Walker]

Hi All,

I have an asp.net app, which is supposed to add a user to the AD Users
group.
I am using the ASP Memberhsip provider for this and have configured it
in the web.config file. All works Well, I can login, list users, etc etc.

However when it comes to creating a user, I get the following error:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access is denied.
(Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
or Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the
boxes for the desired access.


In my webconfig I have set the following:

<identity impersonate="true" userName="domain\Administrator"
password="SomePass"/> (I know this isnt secure, but it is a test
enviroment setup especially for my learning.

So I am lost to why I cant create a new user in the AD Domain.

Does anyone have any ideas? The code I am using is:

string username = "SwedishChef";
string password = "bj#kbj$k";


Membership.CreateUser(
username, password);



And here is my Provider setup from my web.config:

<membership defaultProvider="MyADMembershipProvider">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add
name="MyAdMembershipProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConn"
connectionUsername="domain\Administrator"
connectionPassword="SomePass"
applicationName="/ControlPanel"
enableSearchMethods="true"
/>
</providers>

</membership>

I got it:

MembershipCreateStatus status;
MembershipProvider mp =
Membership.Providers["MyAdMembershipProvider"];
mp.CreateUser("Test2user@domain", "pa344ss123word!*&",
"me@here", null, null, true, null, out status);

Thanks