Adding a computer to an AD group via ASP.NET (C#) across a forest boundary


Following problem: I'm trying to add a computer to an Active Directory group via ASP.NET and C# for a small rollout tool.

But as soon as I deploy it to my server (IIS 8.5), the trouble starts. Everything like searching for computers and groups works perfectly fine, but adding computers to a group doesn't work.

Here is my code for adding a computer to a group:

protected void add_Click(object sender, EventArgs e)
{
    if (string.IsNullOrWhiteSpace(destination_pc.Text))
    {
        error_messages.Text = "Empty Field";
        return;
    }

    // Binds to the domain as the IIS application pool identity (no impersonation configured)
    using (PrincipalContext Domain = new PrincipalContext(ContextType.Domain, "domain.local"))
    {
        // Look the computer up once and reuse the result instead of querying twice
        ComputerPrincipal MyComputer = ComputerPrincipal.FindByIdentity(Domain, destination_pc.Text);
        if (MyComputer == null)
        {
            error_messages.Text = "Computer doesn't exist in AD";
            return;
        }

        for (int i = 0; i < destination_packages.Items.Count; i++)
        {
            // FindByIdentity returns null (no exception) for an unknown group
            GroupPrincipal group = GroupPrincipal.FindByIdentity(Domain, destination_packages.Items[i].ToString());
            if (group == null)
            {
                error_messages.Text = "Group doesn't exist in AD: " + destination_packages.Items[i];
                continue;
            }

            if (!MyComputer.IsMemberOf(group))
            {
                group.Members.Add(Domain, IdentityType.Name, destination_pc.Text);
                group.Save();   // LDAP write of the group's member attribute; this is the call that fails
            }
        }
        destination_packages.Items.Clear();
    }
}

This gives the following error:

Exception Details: System.UnauthorizedAccessException: Access is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Source Error:

Line 159:             {
Line 160:                 group.Members.Add(Domain, IdentityType.Name, destination_pc.Text);
Line 161:                 group.Save();
Line 162:             }
Line 163:         }

Source File: c:\Websites\ManageSoftware\Default.aspx.cs Line: 161

Stack Trace:

[UnauthorizedAccessException: Access is denied. ]
   System.DirectoryServices.Interop.IAds.SetInfo() +0
   System.DirectoryServices.DirectoryEntry.CommitChanges() +177
   System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) +1295
   System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) +175
   System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p) +113
   _Default.add_Click(Object sender, EventArgs e) in c:\Websites\ManageSoftware\Default.aspx.cs:161
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +11750641
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +150
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6016

So I thought I could solve this through impersonation, and tried many solutions like:

// Impersonate the Windows-authenticated caller for the duration of the write
IIdentity WinId = HttpContext.Current.User.Identity;
WindowsIdentity wi = (WindowsIdentity)WinId;
WindowsImpersonationContext wic = wi.Impersonate();
try
{
    // Access resources while impersonating.
    group.Save();
}
catch
{
    // Prevent exceptions propagating.
}
finally
{
    // Revert impersonation.
    wic.Undo();
}

or

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = 
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

group.Save();

impersonationContext.Undo();

But whatever I try, I get the following exception:

Exception Details: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.

Source Error:

Line 168: WindowsImpersonationContext wic = wi.Impersonate();
Line 169:
Line 170: group.Save();
Line 171:
Line 172: wic.Undo();

Source File: c:\Websites\ManageSoftware\Default.aspx.cs Line: 170

Stack Trace:

[DirectoryServicesCOMException (0x80072020): An operations error occurred. ]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +576673
   System.DirectoryServices.DirectoryEntry.Bind() +45
   System.DirectoryServices.DirectoryEntry.get_AdsObject() +40
   System.DirectoryServices.PropertyValueCollection.PopulateList() +27
   System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +122
   System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +162
   System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) +1089

[PrincipalOperationException: An operations error occurred. ]
   System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) +1917
   System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) +175
   System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p) +113
   _Default.add_Click(Object sender, EventArgs e) in c:\Websites\ManageSoftware\Default.aspx.cs:170
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +11750641
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +150
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6016

My web.config looks like this at the moment:

<configuration>
  <system.web>
    <customErrors mode="Off" />
    <authentication mode="Windows" />
    <identity impersonate="false" />
    <authorization>
      <allow roles="domainname.local\group1" />
      <allow roles="domainname.local\group2r" />
      <deny users="*" />
      <deny users="?" />
    </authorization>
    <compilation debug="true" targetFramework="4.5.2">
      <assemblies>
        <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </assemblies>
    </compilation>
    <httpRuntime targetFramework="4.5.2" />
  </system.web>
</configuration>

Changing the application pool identity, for example to Network Service, didn't change anything. Adding an account with enough permissions manually isn't a solution, for security reasons.

Another piece of information: the IIS server is in a different forest from the Active Directory.

Thanks in advance

c#
asp.net
.net
iis
asked on Stack Overflow Apr 12, 2017 by THEFLOOOW
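Editor's note on the two failures above, with an added example that is not code from the original post. The first error ("Access is denied" raised from SetInfo/CommitChanges) is the LDAP write being attempted as the IIS application pool identity; that identity belongs to the web server's forest, so the target forest sees, at best, an account it has never delegated any write on the group's member attribute to. The second error (0x80072020, "An operations error occurred", raised while re-binding the DirectoryEntry) is the classic second-hop symptom: the token obtained by impersonating a Windows-authenticated caller is a network logon token that carries nothing the web server can forward to the domain controller, so the bind that UpdateGroupMembership performs under impersonation fails unless Kerberos delegation has been configured for the web server's account (and across a forest boundary the trust must permit that as well). The example below takes the other route: the page keeps authorizing the human caller through its existing <authorization> rules, while the directory write is done by a dedicated service account in the target forest that has been delegated only "Write Members" on the OU holding the rollout groups, with credentials read from an appSettings section protected with aspnet_regiis -pe rather than hard-coded. The DC name, container DN, setting names and the host-name rule are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Text.RegularExpressions;

// Added example, not code from the original post. Assumed values:
//   TargetDc        a domain controller of the TARGET forest
//   TargetContainer the OU that holds the rollout groups (scope of the delegation)
//   appSettings     "RolloutServiceUser" / "RolloutServicePassword", stored in a section
//                   encrypted with aspnet_regiis -pe so the password is not in clear text
public static class CrossForestGroupMembership
{
    const string TargetDc = "dc01.domain.local";                           // assumption
    const string TargetContainer = "OU=RolloutGroups,DC=domain,DC=local";  // assumption

    // Accept only plausible host names before the form value reaches an LDAP lookup
    static readonly Regex ComputerNameRule = new Regex(@"^[A-Za-z0-9-]{1,63}$");

    // Bind to the target forest as an account that forest knows, instead of the
    // IIS app pool identity (unknown there, hence "Access is denied") or the
    // impersonated caller (network-logon token, hence the "operations error").
    public static PrincipalContext OpenTargetForest(string user, string password)
    {
        return new PrincipalContext(
            ContextType.Domain, TargetDc, TargetContainer,
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
            user, password);
    }

    // Returns null on success, otherwise a message suitable for the page's error label
    public static string AddComputerToGroups(PrincipalContext ctx, string computerName,
                                             IEnumerable<string> groupNames)
    {
        if (computerName == null || !ComputerNameRule.IsMatch(computerName))
            return "Invalid computer name";

        using (ComputerPrincipal computer =
               ComputerPrincipal.FindByIdentity(ctx, IdentityType.Name, computerName))
        {
            if (computer == null)
                return "Computer doesn't exist in AD";

            foreach (string groupName in groupNames)
            {
                using (GroupPrincipal group =
                       GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, groupName))
                {
                    if (group == null)
                        return "Group doesn't exist in AD: " + groupName;
                    if (computer.IsMemberOf(group))
                        continue;

                    group.Members.Add(computer);   // add the resolved principal, not the raw form text
                    try
                    {
                        group.Save();              // LDAP modify of the group's member attribute
                    }
                    catch (UnauthorizedAccessException)
                    {
                        // Service account was not delegated "Write Members" on this group
                        return "Service account lacks write access on " + groupName;
                    }
                    catch (PrincipalOperationException ex)
                    {
                        return "Directory error while updating " + groupName + ": " + ex.Message;
                    }
                }
            }
        }
        return null;
    }

    // Call site for the button handler: the human caller is still authorized by the
    // page's <authorization> rules; only the directory write runs as the service account.
    public static string AddFromPage(string computerName, IEnumerable<string> groupNames)
    {
        string user = ConfigurationManager.AppSettings["RolloutServiceUser"];         // e.g. "DOMAIN\svc-rollout"
        string password = ConfigurationManager.AppSettings["RolloutServicePassword"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return "Rollout service credentials are not configured";

        using (PrincipalContext ctx = OpenTargetForest(user, password))
        {
            return AddComputerToGroups(ctx, computerName, groupNames);
        }
    }
}
```

The service account should be able to do exactly one thing: modify the member attribute of groups under the assumed OU (delegated with the "Write Members" permission on that OU only, not Account Operators or any broader role), so that a compromise of the web application yields no more than the ability to add computers to rollout groups. If the requirement is instead that the write must happen as the individual caller, impersonation alone will keep producing the 0x80072020 error; that design needs Kerberos delegation configured for the web server's account, which is a separate change on the directory side rather than in the page.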



User contributions licensed under CC BY-SA 3.0