Updating Active Directory from Web Application Error

Question

I am receiving an error a web based application that allows corporate intranet users to update their active directory details (phone numbers, etc).

The web application is hosted on IIS6 running Windows Server 2003 (SP1). The IIS website is using NTLM Authentication and the website has integrated security enabled. The IIS application pool runs using the “Network Service” account.

The web.config contains the following elements

<LdapConfigurations server="xxx.internal" root="OU=Staff Accounts,DC=xxx,DC=internal" domain="xxx" />
<identify impersonate=”true” />

Active Directory delegation is not needed as the following C# (.NET 3.5) code should pass on the correct impersonation details (including security token) onto Active Directory.

public void UpdateData(string bus, string bus2, string fax, string home, string home2, string mob, string pager, string notes)
{
 WindowsIdentity windId = (WindowsIdentity)HttpContext.Current.User.Identity;
 WindowsImpersonationContext ctx = null;

 try
 {
  ctx = windId.Impersonate();

  DirectorySearcher ds = new DirectorySearcher();
  DirectoryEntry de = new DirectoryEntry();

  ds.Filter = m_LdapUserFilter;

  // i think this is the line causing the error
  de.Path = ds.FindOne().Path;

  this.AssignPropertyValue(bus, ADProperties.Business, ref de);
  this.AssignPropertyValue(bus2, ADProperties.Business2, ref de);
  this.AssignPropertyValue(fax, ADProperties.Fax, ref de);
  this.AssignPropertyValue(home, ADProperties.Home, ref de);
  this.AssignPropertyValue(home2, ADProperties.Home2, ref de);
  this.AssignPropertyValue(mob, ADProperties.Mobile, ref de);
  this.AssignPropertyValue(pager, ADProperties.Pager, ref de);
  this.AssignPropertyValue(notes, ADProperties.Notes, ref de);

  // this may also be causing the error?
  de.CommitChanges();
 }
 finally
 {
  if (ctx != null) 
  {
   ctx.Undo();
  }
 }
}

private void AssignPropertyValue(string number, string propertyName, ref  DirectoryEntry de)
{
    if (number.Length == 0 && de.Properties[propertyName].Value != null)
    {
     de.Properties[propertyName].Remove(de.Properties[propertyName].Value);
    }
    else if (number.Length != 0)
    {
     de.Properties[propertyName].Value = number;
    }
}

User details can be retrieved from Active Directory without a problem however the issue arises when updating the users AD details. The following exception message is displayed.

 System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred. 
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) 
       at System.DirectoryServices.DirectoryEntry.Bind() 
       at System.DirectoryServices.DirectoryEntry.get_AdsObject() 
       at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) 
       at System.DirectoryServices.DirectorySearcher.FindOne()    
       at xxx.UpdateData(String bus, String bus2, String fax, String home, String home2, String mob, String pager, String notes) 
       at xxx._Default.btnUpdate_Click(Object sender, EventArgs e)

The code works fine in our development domain but not in our production domain. Can anyone please assist in helping resolving this problem?

Answer 1

This is more than likely a permissions problem - there are numerous articles regards impersonation and delegation and the vagaries thereof here: http://support.microsoft.com/default.aspx?scid=kb;en-us;329986 and here: http://support.microsoft.com/default.aspx?scid=kb;en-us;810572.

Answer 2

It sounds like you might have a duplicate SPN issue?

This is why I think it might be a problem:

1. It works in your dev enviroment (assuming it is also using network service, and on the same domain)
2. You have impersonate on, in your web config.
3. When there is a duplicate SPN, it invalidates the security token, so even though you have created it correctly in code, AD does not "trust" that server to impersonate, so the server that receives the request to make a change to AD (on of your DC's) receives the request but then discards it because Delagation permission has not been applied on the machine account in AD, or SPN issue (either duplicate or incorrect machine name / domain name)

Or at least in my expereince that is 9 out of 10 times the problem.

Answer 3

I guess the problem is that it works on the development environment because when you're launching your webapp there, you run it with your personal account which probably has the rights to write to AD.

On the production environment, you have to assure that the process running your webapp (Network Service Account) has also the rights to update the AD. It sounds to me like that could be the problem since I had a similar issue once.

Answer 4

The problem wasn't with the code but how the server was setup on the domain. For some reason the network administrator did not select the "Trust Computer for Delegation" option in active directory.

Happily the problem was not a "double-hop" issue :)