ASP.NET Core IIS Express AD Services Permissions Error

1

I had to create a new Dev environment for my asp.net project. It required an AD server, so I created it on the same host as my IIS server and IDE.

I transferred it over and set all the new environmental variables, but I came across an interesting problem.

When asking it to create a new AD user account I get the error:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   --- End of inner exception stack trace ---
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)
   at System.DirectoryServices.AccountManagement.SDSUtils.InsertPrincipal(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes, Boolean needToSetPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.Insert(Principal p)
   at System.DirectoryServices.AccountManagement.Principal.Save()

Method (which worked until now) creates the user, however it appears as disabled in AD:

        PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
            Environment.GetEnvironmentVariable("DOMAIN"),
            Environment.GetEnvironmentVariable("USER_OU"),
            Environment.GetEnvironmentVariable("SERVICE_USERNAME"),
            Environment.GetEnvironmentVariable("SERVICE_PASSWORD"));

        UserPrincipalEx usr = new UserPrincipalEx(ctx);

        usr.Name = Account.FirstName + " " + ticket.Account.LastName;
        usr.SamAccountName = Account.Username;
        usr.GivenName = Account.FirstName;
        usr.Surname = Account.LastName;
        usr.DisplayName = Account.FirstName + " " + ticket.Account.LastName;
        usr.UserPrincipalName = Account.Username + "@" + Environment.GetEnvironmentVariable("DOMAIN");
        usr.Company = Account.Company;
        usr.Department = Account.Department;
        usr.Description = Account.Description;
        usr.SetPassword(temppwd);
        usr.ExpirePasswordNow();
        usr.Enabled = enabled;


         try
        {
            usr.Save();
        }

        catch (Exception e)
        {
            Console.WriteLine(e.ToString());               
        }

I use the same piece of code in production and it works just fine. I can't see why it would behave like this in my new dev environment - or what permissions would allow it to create the account, but not enable it.

c#
asp.net-core
active-directory
asked on Stack Overflow Aug 30, 2019 by Hawke • edited Sep 1, 2019 by Hawke

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0