ASP.NET Adding a User to Active Directory

Discussion in 'ASP .Net' started by Mick Walker, Oct 26, 2007.

  1. Mick Walker

    Mick Walker Guest

    Hi All,

    I have an asp.net app, which is supposed to add a user to the AD Users
    group.
    I am using the ASP Membership provider for this and have configured it
    in the web.config file. All works well, I can login, list users, etc etc.

    However when it comes to creating a user, I get the following error:

    Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    Description: An unhandled exception occurred during the execution of the
    current web request. Please review the stack trace for more information
    about the error and where it originated in the code.
    Exception Details: System.UnauthorizedAccessException: Access is denied.
    (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    ASP.NET is not authorized to access the requested resource. Consider
    granting access rights to the resource to the ASP.NET request identity.
    ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
    or Network Service on IIS 6) that is used if the application is not
    impersonating. If the application is impersonating via <identity
    impersonate="true"/>, the identity will be the anonymous user (typically
    IUSR_MACHINENAME) or the authenticated request user.
    To grant ASP.NET access to a file, right-click the file in Explorer,
    choose "Properties" and select the Security tab. Click "Add" to add the
    appropriate user or group. Highlight the ASP.NET account, and check the
    boxes for the desired access.


    In my web.config I have set the following:

    <identity impersonate="true" userName="domain\Administrator"
    password="SomePass"/>

    (I know this isn't secure, but it is a test environment set up
    especially for my learning.)

    So I am lost as to why I can't create a new user in the AD domain.

    Does anyone have any ideas? The code I am using is:

    string username = "SwedishChef";
    string password = "bj#kbj$k";


    Membership.CreateUser(
    username, password);



    And here is my Provider setup from my web.config:

    <membership defaultProvider="MyADMembershipProvider">
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add
          name="MyAdMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="ADConn"
          connectionUsername="domain\Administrator"
          connectionPassword="SomePass"
          applicationName="/ControlPanel"
          enableSearchMethods="true"
        />
      </providers>
    </membership>
     
    Mick Walker, Oct 26, 2007
    #1

  2. Save this code to a file named "identity.aspx",
    within the app in question, and run it.

    identity.aspx:
    -------------------
    <%@ Page Language="VB" %>
    <%@ Import NameSpace = System.Security.Principal %>
    <script runat="server">
    Sub Page_Load()
    Dim tmp As String = WindowsIdentity.GetCurrent.Name()
    Label1.Text = "ASP.NET is running as the account : " & tmp
    End Sub
    </script>
    <html>
    <head>
    <title>What account is ASP.NET running as ?</title>
    </head>
    <body>
    <form id="form1" runat="server">
    <div>
    <asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
    </div>
    </form>
    </body>
    </html>
    ----------------

    Whichever account is returned by the page is the account which needs AD access permissions.

    Silly question : are you running a web server on your domain controller ?
    That, generally, is considered to be a no-no for security reasons.

    Active Directory runs on Windows Server 2008, Windows Server 2003,
    and Windows 2000 Server domain controllers.

    If you're not running one of those servers, or AD hasn't been installed on your OS,
    you will not be able to add a user to a non-existent AD.




    Juan T. Llibre, asp.net MVP
    asp.net faq : http://asp.net.do/faq/
    asp.net forums, in Spanish : http://asp.net.do/foros/
     
    Juan T. Llibre, Oct 26, 2007
    #2

  3. Mick Walker

    Mick Walker Guest

    No, we're not running IIS on our domain controller. We have 2 Windows 2008
    domain controllers, and 3 web servers set up.

    When I run that page I get:
    ASP.NET is running as the account : domain\Administrator

    Now I am really lost....
     
    Mick Walker, Oct 26, 2007
    #3
  4. Mick Walker

    Mick Walker Guest

    Re: ASP.NET Adding a User to Active Directory [FIXED]

    I got it:

    MembershipCreateStatus status;
    MembershipProvider mp =
    Membership.Providers["MyAdMembershipProvider"];
    mp.CreateUser("Test2user@domain", "pa344ss123word!*&",
    "me@here", null, null, true, null, out status);

    Thanks
     
    Mick Walker, Oct 26, 2007
    #4
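
Added example, not part of the original thread: the web.config in post #1 impersonates domain\Administrator and keeps that password in clear text, which the poster notes is not secure. Below is a lower-privilege layout of the same provider, assuming a hypothetical service account (domain\svc-webuseradmin) that has been delegated only the right to create users in one OU; the host name, OU path, account name and password placeholder are constructed.

```xml
<!-- Added example: host, OU, account and password below are placeholders,
     not values from the thread. -->
<configuration>
  <connectionStrings>
    <!-- Bind to a single OU so the provider only works inside that container. -->
    <add name="ADConn"
         connectionString="LDAP://dc01.example.test/OU=WebUsers,DC=example,DC=test" />
  </connectionStrings>
  <system.web>
    <!-- Before (post #1): every request ran as a domain administrator.
         <identity impersonate="true" userName="domain\Administrator" password="SomePass"/>
         After: no impersonation; the worker process keeps its own low-privilege identity
         and only the provider's directory bind uses the delegated account. -->
    <identity impersonate="false" />
    <membership defaultProvider="MyAdMembershipProvider">
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <!-- connectionProtection="Secure" states the default explicitly, so the
             bind and the password set on create are not sent unprotected.
             attributeMapUsername="userPrincipalName" is also the default: user names
             are passed in user@domain form, as in the working call in post #4. -->
        <add name="MyAdMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConn"
             connectionProtection="Secure"
             connectionUsername="domain\svc-webuseradmin"
             connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
             attributeMapUsername="userPrincipalName"
             applicationName="/ControlPanel"
             enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The remaining connectionPassword can be kept out of clear text with protected configuration, for example `aspnet_regiis -pe "system.web/membership" -app "/ControlPanel"` run on the web server.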