Impersonation to Update user AD info in an ASP.NET Forms Authenticated Site

Question

We have a Forms Authenticated intranet which querys AD for the login and stores a copy of the windows identity in the session in order to impersonate the user later when updating their AD entry. We can't use windows auth for impersonation (long story).

So the login code is:

[DllImport("advapi32.dll")]
        public static extern bool LogonUser(String
            lpszUsername, String lpszDomain,
            String lpszPassword, int dwLogonType, int
                dwLogonProvider, out int phToken);

        public bool LoginWindowsUser(String domain, String username, String pwd, HttpSessionStateBase session)
        {

            int ret = 0;
            int l_token1;
            bool loggedOn = LogonUser(username,
                domain, pwd,
                // Logon type=LOGON32_LOGON_NETWORK_CLEARTEXT.
            3,
                // Logon provider=LOGON32_PROVIDER_DEFAULT.
            0,
                // User token for specified user is returned 
                //here.
            out l_token1);

            if (loggedOn)
            {
                IntPtr token2 = new IntPtr(l_token1);
                var l_Wid = new WindowsIdentity(token2);


                session["WindowsIdentity"] = l_Wid;
            }
            return loggedOn;
        }

And then later when we need to update the user's AD info we do this:

public void UpdateUserProperty(string username, string propertyName, string propertyValue)
        {
            // Obtain the authenticated user's identity.
            var winId = (WindowsIdentity) ControllerContext.HttpContext.Session["WindowsIdentity"];
             // Start impersonating.
            using (WindowsImpersonationContext ctx = winId.Impersonate())
            {
                try
                {
                    var ds = new DirectorySearcher();
                    int ind = username.IndexOf("\\") + 1;
                    username = username.Substring(ind, username.Length - ind);

                    var filter = "(&(objectCategory=Person)(objectClass=user)";

                    if (!username.IsNullOrEmpty())
                    {
                        filter += "(samaccountname=*{0}*)".F(username);
                    }

                    filter += ")";

                    ds.Filter = filter;

                    foreach (var property in ADUserDetailsDisplay.LoadProperties())
                    {
                        ds.PropertiesToLoad.Add(property);
                    }

          ///////////// ERROR OCCURS AFTER NEXT LINE /////////////

                    var searchResult = ds.FindOne();

                    var userDirectoryEntry = searchResult.GetDirectoryEntry();

                    if (propertyValue.IsNullOrEmpty())
                    {
                        if (userDirectoryEntry.Properties[propertyName].Count > 0) userDirectoryEntry.Properties[propertyName].RemoveAt(0);
                    }
                    else if (userDirectoryEntry.Properties[propertyName].Count == 0)
                    {
                        userDirectoryEntry.Properties[propertyName].Add(propertyValue);
                    }
                    else
                    {
                        userDirectoryEntry.Properties[propertyName][0] = propertyValue;
                    }
                    userDirectoryEntry.CommitChanges();


                }
                catch (Exception ex)
                {
                    TempData.AddErrorMessage("Unable to update user: " + ex.Message);
                }
                finally
                {
                    // Revert impersonation.
                    if (ctx != null)
                        ctx.Undo();
                }
            }
            // Back to running under the default ASP.NET process identity.

        }

The problem is that we are getting the following error:

Unable to update user: An operations error occurred.

If anyone can guide me to a solution I would be very grateful.

Using IIS 7.5 Win2008 R2 ASP.NET MVC2

Thanks.

Steve Morgan · Answer 1 · 2011-07-29T13:18:34.670

0

Our own @dunnry has addressed the steps to get System.DirectoryServices running with impersonation under ASP.NET:

Ryann Dunn can help you here.

edited Jul 29 '11 at 13:18

answered Jul 29 '11 at 13:11

Steve Morgan

12,978
2
40
49

score 0 · Answer 2 · answered Jul 29 '11 at 13:20

0

Dealing with AD sometimes is a PIA.

Anyway, make sure that the account set in the Application Pool running your application has administrative rights on the active directory to perform changes in an user account.

answered Jul 29 '11 at 13:20

Paulo Santos

11,285
4
39
65

It does not, but this is the point. I am impersonating the logged in user (who has privileges to change their own AD info - selected fields such as phone and address) – Richard Jul 29 '11 at 13:34

score 0 · Accepted Answer · answered Jul 29 '11 at 13:31

0

Where is your context/searchroot that tells it who you are trying to connect to/where you are trying to search?

Ex.

// Bind to the users container.
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=users,DC=fabrikam,DC=com");
// Create a DirectorySearcher object.
DirectorySearcher mySearcher = new DirectorySearcher(entry);

If you don't have this then according to MSDN the default value for SearchRoot is null... MSDN Link: http://msdn.microsoft.com/en-us/library/h9zyssd8.aspx

answered Jul 29 '11 at 13:31

Peter

9,643
6
61
108

This was not the complete answer but lead to my finding one. What I ended up doing was to create a directory entry based on the user's account and bind my searcher to that. I scrapped using the impersonation windows context. – Richard Aug 02 '11 at 08:18

Impersonation to Update user AD info in an ASP.NET Forms Authenticated Site

3 Answers3