Fog Creek Software
Discussion Board

Joel on Software

DirectoryServices in ASP.Net

I wrote a simple dll in C# that grabs a person's Exchange 5.5 profile through LDAP.  Using that, I wrote a console app to verify the library works fine.

I wrote an ASP.Net webform to use the library, but now I'm getting a COMException at DirectoryEntry.Bind().  I tried the console app on the web server, and it runs just fine.  I have Windows Authentication and Impersonation turned on, and I'm logged into the ASPX page as the same account that ran the console app.  Here's a snippet of my code:

using System.DirectoryServices;

// Bind to the Exchange 5.5 LDAP service on srv with whatever security context the process currently has.
DirectoryEntry root = new DirectoryEntry("LDAP://"+srv);
DirectorySearcher ds = new DirectorySearcher(root);
// lastname/firstname are concatenated unescaped; "(", ")", "*" and "\" in them change the filter.
ds.Filter = "(&(sn="+lastname+")(givenName="+firstname+"))";
SearchResultCollection results = ds.FindAll();

It's very basic, and works like a charm running in the console.  Is there some security setting or policy that applies to ASP.Net that I don't know about? 

Any insight would be greatly appreciated.  Thanks.

Wednesday, April 30, 2003

Well, I think I found it. (and I feel like an idiot for posting a solution two minutes after I made this post...)

Even with impersonation turned on (I checked the current WindowsIdentity to be sure), it still wasn't making the Bind() call as the user I was logged in as.  Odd.  I even created an impersonation context for that user, and still I got the error.

So, I manually entered the username/password into the DirectoryEntry constructor, and the call went without a hitch.  Can anyone explain why?  If ASP.Net is impersonating my user account, why did I have to manually enter the login info anyway?

Wednesday, April 30, 2003

If you don't explicitly disallow anonymous user access to your web, ASP.Net does not impersonate.

Try adding to your web.config:

<deny users="?" />

I don't know if this is what you need, but might be related.

Wednesday, April 30, 2003

" Even with impersonation turned on (I checked the current WindowsIdentity to be sure) "

Sorry, I promise to read after posting the next time =].

If you checked the current WindowsIdentity then ASP _is_ impersonating.

Wednesday, April 30, 2003

When you use impersonation in ASP.NET (and COM+, etc.) your token is a LOGON32_LOGON_NETWORK type token. This type of logon only has credentials for local resources. If you try to access something over the network like a file share, SQL Server, etc. you are doing so as an ANONYMOUS user.

If you want access to resources over the network you must use LogonUser to acquire a primary token and then impersonate using that token (this is what is happening when you provide the UserId/Password to the constructor).

You can also use delegation rather than impersonation but I don't think that is supported by ASP.NET and it has its own set of caveats and peculiarities.

Stephen Martin
Thursday, May 1, 2003
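The two fixes discussed in this thread (passing credentials to the DirectoryEntry constructor, and calling LogonUser to get a primary token and impersonating it) written out as one added example. This is not code from the thread's posters; it assumes .NET Framework on Windows with System.DirectoryServices referenced, and the server, domain, user and password values are placeholders the caller supplies. It also escapes the name values before they go into the LDAP filter, which the original snippet did not do.

```csharp
// Added example, not from the thread. Assumes .NET Framework (WindowsIdentity.Impersonate)
// and a reference to System.DirectoryServices. Server/user/domain/password are placeholders.
using System;
using System.Collections;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class ExchangeLdapLookup
{
    // Win32 logon types. ASP.NET impersonation hands you a NETWORK (3) token, which carries no
    // credentials for outbound authentication. INTERACTIVE (2) or NETWORK_CLEARTEXT (8) tokens do.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Escape a value before splicing it into an LDAP search filter (RFC 2254 rules).
    // Without this, a name such as "*)(objectClass=*" rewrites the query.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c")   // backslash first, so later escapes are not re-escaped
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    public static string BuildFilter(string firstname, string lastname)
    {
        return "(&(sn=" + EscapeFilterValue(lastname) + ")(givenName=" + EscapeFilterValue(firstname) + "))";
    }

    // Run the search against an already-bound root and return the ADsPath of each hit.
    static string[] SearchPaths(DirectoryEntry root, string firstname, string lastname)
    {
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = BuildFilter(firstname, lastname);
            ArrayList paths = new ArrayList();
            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult r in results)
                    paths.Add(r.Path);
            }
            return (string[])paths.ToArray(typeof(string));
        }
    }

    // Option 1 (what the original poster ended up doing): give ADSI the credentials directly.
    // AuthenticationTypes.Secure makes ADSI negotiate (NTLM/Kerberos) rather than send the
    // password in a simple bind.
    public static string[] SearchWithCredentials(string srv, string user, string password,
                                                 string firstname, string lastname)
    {
        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + srv, user, password,
                                                        AuthenticationTypes.Secure))
        {
            return SearchPaths(root, firstname, lastname);
        }
    }

    // Option 2 (Stephen Martin's suggestion): obtain a primary token with LogonUser and
    // impersonate it, so the Bind() happens as that user with real network credentials.
    // Caveat: on Windows 2000 the calling process needs the "Act as part of the operating
    // system" privilege for LogonUser to succeed; the default ASPNET account does not have it.
    public static string[] SearchAsUser(string srv, string domain, string user, string password,
                                        string firstname, string lastname)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the handle, so our copy can be closed afterwards.
            WindowsIdentity identity = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            using (DirectoryEntry root = new DirectoryEntry("LDAP://" + srv))
            {
                return SearchPaths(root, firstname, lastname);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

Whichever option is used, the service account's password now lives in application configuration rather than in the user's logon session, so it should be stored protected (for example with the DPAPI-based aspnet_setreg tool rather than in plain text in web.config), and the account should be one that can only read the directory entries the page needs.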

Ah, that makes perfect sense.  Thanks.

Thursday, May 1, 2003
