tags:

views:

209

answers:

2
+1  Q: 

Domain.GetDomain(...) fails when called from a web service

I have the following code in a class that is called from a web service:

NetworkCredential credentials = new NetworkCredential("user", "password");

connection = new LdapConnection("domain");
connection.Bind(credentials);

DirectoryContext directoryContext = 
    new DirectoryContext(DirectoryContextType.Domain, "domain");

//  This call returns a domain object with unreadable properties
Domain domain = Domain.GetDomain(directoryContext);

If I instantiate the class directly, all is well, I have a valid domain object that I can work with. If I go through the web service, the domain object is created, but most of the properties throw exceptions, e.g.:

'domain.Children' threw an exception of type ActiveDirectoryOperationException

I have impersonation enabled and am explicitly setting the credentials before calling the web service. Examining Thread.CurrentPrincipal.Identity.Name on the web service side shows the username of the credentials I've explicitly set.

If I look at Request.LogonUserIdentity, I have the following properties:

Name:  "domain\\username"  (is correct)
ImpersonationLevel:  Impersonation
IsAnonymous:  false
IsAuthenticated:  true
AuthenticationType:  NTLM

Anonymous access is disabled (enabling it makes no difference), and 'Basic Authentication' and 'Integrated Windows Authentication' are both checked. The web service is running under IIS 5.1 on my development box.

The code that calls the web service, resulting in a failed call to Domain.GetDomain():

MyServiceProxy proxy = new MyServiceProxy ();

CredentialCache credCache = new CredentialCache();
NetworkCredential netCred = new NetworkCredential(user, password, domain);
credCache.Add(new Uri(proxy.Url), "Ntlm", netCred);
proxy.Credentials = credCache;

proxy.MethodCall();

The code that calls directly and succeeds:

MyService myService = new MyService();
myService.MethodCall();

Any ideas why calls to Active Directory would fail when made in the context of a web service? And again, the call doesn't fail per se... it returns a domain object with unreadable properties.

Thanks in advance!

A: 

When you do...

NetworkCredential credentials = new NetworkCredential("user", "password"); 

connection = new LdapConnection("domain"); 
connection.Bind(credentials); 

DirectoryContext directoryContext =  
    new DirectoryContext(DirectoryContextType.Domain, "domain"); 

//  This call returns a domain object with unreadable properties 
Domain domain = Domain.GetDomain(directoryContext);

...you're in fact just creating a (System.DirectoryServices.Protocols).LdapConnection with specific NetworkCredentials and you validate your "user" and "password" credentials against that. But then you don't use the connection-object anymore; instead you create a new entirely unrelated (System.DirectoryServices.ActiveDirectory).DirectoryContext-object.

And because you're not using a constructor where you're explicitly specifying a username and a password the DirectoryContext-object will get using the credentials of the user running the Application Pool (in IIS 6+, in IIS 5.1 the application will, if memory serves me right, always be a/the local system account - IUSR_XXX - which won't be able to access Active Directory because it's not a domain account).

The different credentials that are used when you're running your code in an IIS-environment versus just testing using a console application (where you're running code as the logged in/interactive user) is a common cause of problems in programming Directory Services.

Try using the constructor where you specify a username and password for the DirectoryContext-object.

As far as impersonation is concerned you might have better luck by using this code-snippet...

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = 
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

...taken from KB306158: How to implement impersonation in an ASP.NET application.

Per Noalt  2009-12-29 23:40:20
You're right about not using the connection in the domain call... that connection is used elsewhere in the code and wasn't relevant to the current problem, sorry for including it!It's the `CredentialCache` set on the proxy from the calling code that determines what identity the call to `GetDomain()` is made under.Because this is a web service, it may not be called from a web page, so I don't believe I can impersonate from User.Identity, correct me if I'm wrong.I've also tried setting Thread.CurrentPrincipal to a generic principal for my impersonation, but no luck.Thanks for the input!
James B  2009-12-30 20:27:29
It's difficult to help you more based on the code you've provided. How is the link between the proxy-object and the call to Domain.GetDomain made? Is it the netCred user/pass that you want to use when connecting to AD? Is it the end-user's credentials you want to use? Are the proxy-object on a seperate tier? Because then it could be a NTLM vs Kerberos double-hop issue. Can you debug and see the credentials used to call Domain.GetDomain? Can you set the credentials explicitly like I suggested and see if it works that way? When does it work and when does it not work?
Per Noalt  2009-12-31 08:35:51
A call is made through the proxy object to a method that calls Domain.GetDomain.The NetworkCredential I'm setting is a user account that has permissions to query Active Directory. When I check the credentials from inside the web service, they are being set correctly.The proxy and object are separate app domains, but are running on the same machine.I don't have have a handle to the `User` object from the caller (the caller isn't a web page), so I can't use the impersonation you suggested.<more>
James B  2010-01-05 20:14:58
In the end, I converted this to a WCF service hosted in IIS, and the impersonation is fine. I'd love to know what the problem was, but I had to move forward, and a WCF service is a better solution overall, anyway.Thanks for the help, though!
James B  2010-01-05 20:17:04
A: 

In the end, I converted this to a WCF service hosted in IIS, and the impersonation is fine. I'd love to know what the problem was, but I had to move forward, and a WCF service is a better solution overall, anyway. Thanks for the help, though!

James B  2010-08-10 16:34:44

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?