asp.net LDAP query NOT Running as Logged on User with Impersonation a...
Last post Mar 07, 2018 06:56 PM by David Lehmann
Jan 14, 2015 11:34 AM|MollyPebble
I'm really hoping that someone can help me with this as it's driving me crazy. I have a .NET 4.5 "asp.net Web Application" which uses Windows Authentication and Impersonation and allows a search for a computer's extended attributes in an LDAP query when specifying the computer name.
It works fine in IIS Express/debug but not when loaded into IIS 7.5 on Server 2008 R2. I do not see an error, but the attribute I require is not returned from the LDAP query. If I grant the server's SYSTEM account (servername$) full control of the Computer object in Active Directory it works, so I know it is because the LDAP query is using this account and not the Windows identity as (I believe) it should.
I have also proven this outside of IIS by running the same query using DSQuery on a command line, impersonating the server's local system account using PSEXEC, and the results are the same.
The web.config has...
<identity impersonate="true" />
<authentication mode="Windows" />
<allow users="*" />
...and the application pool is set to...
.net Framework: v4.0
Managed Pipeline: Classic
I have also added some code to the page to retrieve the running user context information from lots of properties, and the following all return the logged-on user identity (Domain\Username)...
I'd really appreciate any help or advice anyone can give. I just can't seem to get the impersonation running all the way through the app.
Thanks in advance,
Jan 15, 2015 02:56 AM|Pengzhen Song - MSFT
In my opinion, it seems that we have to grant permission for servername$ account. And please refer to the document:
#access network resources
#Check ASP.NET Authentication Scheme
Jan 15, 2015 03:47 AM|MollyPebble
Thanks for the reply Pengzhen, and you're correct, I can do that, but the Computer attribute I am retrieving needs to be read by the logged-on user account for object access audit purposes.
If it helps, this is a web front end for Jiri Farmacek's Local Admin Password Management Solution on MSDN and the Computer attribute is ms-Mcs-AdmPwd.
Your second link tells me what I think should happen...
<authentication mode="Windows" /><identity impersonate="true" />
(With Windows authentication and impersonation, ASP.NET runs as the IIS-authenticated caller and needs read and write access, depending on the application. –> Check IIS Anonymous Authentication Identity
but as well needs the Application Pool Identity read access –> Check IIS Application Pool Identity )
...but unfortunately that's not what I am seeing in practice. Sadly I can prove that the LDAP query is running under the server account and not the 'IIS-authenticated caller'.
Jan 26, 2015 02:08 PM|MollyPebble
Can anyone assist with this problem please?
Thanks for taking the time to read.
Jan 27, 2015 06:41 AM|Pengzhen Song - MSFT
In my experience, it is difficult to tell which resources need to use the server account (application pool identity) or the authenticated user. Maybe you can try setting impersonation with the username and password, so that we can use the special user to access all
May 06, 2016 08:02 PM|DV47
I am not sure whether you still need the solution, but I have already implemented the impersonation of logging into LDAP AD as the logon user.
Your web.config is correct.
Make sure the anonymous access is disabled in IIS and has Windows auth enabled.
Also use the authentication type in DE
= new DirectoryEntry("ldappath",Nothing,
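As an added example (not code from this thread or from the LAPS project), the following C# helper shows what DV47's advice looks like in practice: bind the DirectoryEntry with an explicit AuthenticationTypes.Secure so the bind uses the current thread token rather than a stored username/password, and record WindowsIdentity.GetCurrent().Name at the moment of the bind so the log shows which account the domain controller actually saw. The LDAP path, the computer name and the attribute name are caller-supplied assumptions; the attribute can be the ms-Mcs-AdmPwd attribute the thread mentions or any other attribute.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example: read one attribute of a computer object and report the
// identity the query ran under. Assumes ldapPath (e.g. "LDAP://DC=example,DC=local"),
// computerName and attribute are supplied by the caller.
public static class LdapIdentityCheck
{
    public sealed class Result
    {
        public string CallerIdentity;   // thread identity at the moment of the bind
        public bool Found;              // computer object located
        public string AttributeValue;   // null when AD did not return the attribute
    }

    public static Result ReadComputerAttribute(string ldapPath, string computerName, string attribute)
    {
        var result = new Result
        {
            // With <identity impersonate="true"/> this should be Domain\User of the
            // browser user; if it reads as the machine or pool account, impersonation
            // has not reached this point of the request.
            CallerIdentity = WindowsIdentity.GetCurrent().Name
        };

        // Null username/password plus AuthenticationTypes.Secure = Negotiate
        // (Kerberos or NTLM) with the current thread token, no stored credentials.
        using (var root = new DirectoryEntry(ldapPath, null, null, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Computer accounts carry a trailing '$' in sAMAccountName; the
            // user-supplied name is escaped before it is placed in the filter.
            searcher.Filter = "(&(objectClass=computer)(sAMAccountName=" + EscapeFilterValue(computerName) + "$))";
            searcher.PropertiesToLoad.Add(attribute);

            SearchResult sr = searcher.FindOne();
            if (sr == null) return result;

            result.Found = true;
            // AD silently omits attributes the caller cannot read instead of raising
            // an error, so "Found but AttributeValue == null" means "no read access".
            if (sr.Properties.Contains(attribute) && sr.Properties[attribute].Count > 0)
                result.AttributeValue = sr.Properties[attribute][0] as string;
        }
        return result;
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    private static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

Logging CallerIdentity next to whether AttributeValue came back null separates the two failure modes discussed in the thread: the thread token is not the user (an impersonation or pipeline configuration problem on the web server), or the token is the user but the domain controller still sees another account. The second case is the classic double hop: a token obtained through Windows authentication is a network-logon token that cannot authenticate to a remote domain controller unless Kerberos delegation is configured for the application pool identity, which is why the same code behaves differently under IIS Express on the developer's machine.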
Mar 07, 2018 06:56 PM|David Lehmann
We have the same issue here. Has someone a solution to this problem by now?