DirectoryEntry access using Impersonation

Posted on 2005-03-30
Medium Priority
Last Modified: 2008-01-09
Hi all,

I am trying to use the DirectoryEntry class to access the default AD on the local domain through ASP.NET. I have managed to successfully access the directory using a predefined username and password combination, but I need to be able to pass in the current user's credentials when accessing the directory.

The problem is that I have created a separate VB.NET class that holds all of the AD functionality that is in turn called from the relevant ASP.NET page, rather than creating the directory objects directly from the ASP.NET page. I understand that in order to get this working I need to use impersonation/delegation but this is where my knowledge starts to dry up...

In my constructor code in the called VB.NET class I am passing in the current user's System.Security.Principal.WindowsIdentity 'loIdentity' which I then attempt to impersonate using

  Dim context As WindowsImpersonationContext = WindowsIdentity.Impersonate(loIdentity.Token)

. The new DirectoryEntry is then created using the parameters:

  New DirectoryEntry([LDAP path], Nothing, Nothing, AuthenticationTypes.Signing Or AuthenticationTypes.Sealing Or  AuthenticationTypes.Secure)

, but as soon as a method is attempted on the new object, the following error occurs:

  System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist

I have looked into this error and have been directed to a number of MS articles, such as http://support.microsoft.com/default.aspx?scid=kb;en-us;329986 (which seemed to point to a Kerberos delegation issue due to an invalid Primary Token, as the problem does not occur on the local server itself) and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp (which led to the server being configured as Trusted for Delegation, but to no avail). I have also tried playing around with the Web and Machine .config files to to configure the impersonation correctly but I am still having no joy.

Does anyone have any ideas what I could try next?
Question by:WolfyUK
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 20

Expert Comment

ID: 13660572
Are you sure the impersonation worked? you can check whether the impersonation is working correctly by printing out the current security context after impersonation.

And can you post part of your code where the exception gets thrown? and also the exception trace would be more helpful.

Author Comment

ID: 13660782
Displaying the WindowsIdentity.GetCurrent.Name immediately after the impersonation correctly returns the current user domain and username.

The Exception occurs at any method called on the new DirectoryEntry instance. For example, if I try obtaining the DirectoryEntry.Name property, the following is displayed:

[COMException (0x8007200a): The specified directory service attribute or value does not exist]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +705
   System.DirectoryServices.DirectoryEntry.Bind() +10
   System.DirectoryServices.DirectoryEntry.get_Name() +10
   ClassLibrary.ActiveDirectory.ActiveDirectory..ctor(String loADContainer, WindowsIdentity loIdentity) in \\testserver\intranet\Prototype\ClassLibrary\ActiveDirectory\ActiveDirectory.vb:22
   ClassLibrary.User.User.GetUserResult(IPrincipal loUser) in \\testserver\intranet\Prototype\ClassLibrary\User\User.vb:22
   WebControlLibrary.InheritedPage.BasePage.PrepareVariables() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:172
   WebControlLibrary.InheritedPage.BasePage.CreateChildControls() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:123
   System.Web.UI.Control.EnsureChildControls() +100
   System.Web.UI.Control.PreRenderRecursiveInternal() +38
   System.Web.UI.Page.ProcessRequestMain() +1499
LVL 20

Accepted Solution

ihenry earned 1064 total points
ID: 13661852
Well, first thing I'd check is if I have configured all the necessary settings for delegation scenario.

and some more checklist:
1. "Account is sensitive and cannot be delegated" option for the user account is unselected
2. "Enable computer and user accounts to be trusted for delegation" in Local Security Policty
(or Domain Security Policty) is not accidentally disabled
3. All computers participating in delegation must have the same time settings. Then Time
Zone and "Automatically adjust clock for daylight saving changes" settings have the same
value on all computers where you are going to use Kerberos delegation.

Secondly, I'd check whether the loIdentity.Token has network credentials (primary token)
in the first place. For that, I have one question back to you, how do you create the token?

How To Install Bash on Windows 10

Windows’ budding partnership with Canonical has certainly led to some great improvements. One of them being the ability to use Bash on your Windows machine without third party applications! This might be one of the greatest things a cloud engineer in a Windows environment can do!

LVL 20

Expert Comment

ID: 13669365
Another question, are you running on any of this: XP2 or Windows 2000 sp4 or Windows 2003?

Author Comment

ID: 13669762
The server is 2K SP4.

I will have a look at your suggestions shortly. Unfortunately I only get two half-days a week to work on this...
LVL 20

Expert Comment

ID: 13669824
>> The server is 2K SP4.
Ok, another suggestion for you would be to check whether the impersonation caller has "Impersonate a client after authentication" user right. Because WinXP sp2, W2K sp4 or W2k3 requires that privilege to impersonate at "Impersonation" or "Delegation" level. Otherwise, the impersonation will be successful only at "Identify" level, which is lack of ability to access network resources.

Author Comment

ID: 13680879
Thanks very much for your earlier post. That article had two parts of the solution: setting impersonation to true in the web.config file and setting up the browser for delegation.

I found a good article on the correct settings for cross-browser access too: http://blogs.sun.com/roller/page/wyllys/Weblog/kerberos_web_authentiation_with_apache?catname=. At last: FireFox can be used on our Intranet! All I need to do now is convince the SysAdmin to get everyone's browsers configured centrally...

Thanks again!

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Summary Displaying images in RichTextBox is a common requirement with limited solutions available. Pasting through clipboard or embedding into RTF content only support static images.  This article describes how to insert Windows control objects int…
This document covers how to connect to SQL Server and browse its contents.  It is meant for those new to Visual Studio and/or working with Microsoft SQL Server.  It is not a guide to building SQL Server database connections in your code.  This is mo…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question