DirectoryEntry access using Impersonation

Hi all,

I am trying to use the DirectoryEntry class to access the default AD on the local domain through ASP.NET. I have managed to successfully access the directory using a predefined username and password combination, but I need to be able to pass in the current user's credentials when accessing the directory.

The problem is that I have created a separate VB.NET class that holds all of the AD functionality that is in turn called from the relevant ASP.NET page, rather than creating the directory objects directly from the ASP.NET page. I understand that in order to get this working I need to use impersonation/delegation but this is where my knowledge starts to dry up...

In my constructor code in the called VB.NET class I am passing in the current user's System.Security.Principal.WindowsIdentity 'loIdentity' which I then attempt to impersonate using

  Dim context As WindowsImpersonationContext = WindowsIdentity.Impersonate(loIdentity.Token)

. The new DirectoryEntry is then created using the parameters:

  New DirectoryEntry([LDAP path], Nothing, Nothing, AuthenticationTypes.Signing Or AuthenticationTypes.Sealing Or  AuthenticationTypes.Secure)

, but as soon as a method is attempted on the new object, the following error occurs:

  System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist

I have looked into this error and have been directed to a number of MS articles, such as;en-us;329986 (which seemed to point to a Kerberos delegation issue due to an invalid Primary Token, as the problem does not occur on the local server itself) and (which led to the server being configured as Trusted for Delegation, but to no avail). I have also tried playing around with the Web and Machine .config files to to configure the impersonation correctly but I am still having no joy.

Does anyone have any ideas what I could try next?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are you sure the impersonation worked? you can check whether the impersonation is working correctly by printing out the current security context after impersonation.

And can you post part of your code where the exception gets thrown? and also the exception trace would be more helpful.
WolfyUKAuthor Commented:
Displaying the WindowsIdentity.GetCurrent.Name immediately after the impersonation correctly returns the current user domain and username.

The Exception occurs at any method called on the new DirectoryEntry instance. For example, if I try obtaining the DirectoryEntry.Name property, the following is displayed:

[COMException (0x8007200a): The specified directory service attribute or value does not exist]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +705
   System.DirectoryServices.DirectoryEntry.Bind() +10
   System.DirectoryServices.DirectoryEntry.get_Name() +10
   ClassLibrary.ActiveDirectory.ActiveDirectory..ctor(String loADContainer, WindowsIdentity loIdentity) in \\testserver\intranet\Prototype\ClassLibrary\ActiveDirectory\ActiveDirectory.vb:22
   ClassLibrary.User.User.GetUserResult(IPrincipal loUser) in \\testserver\intranet\Prototype\ClassLibrary\User\User.vb:22
   WebControlLibrary.InheritedPage.BasePage.PrepareVariables() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:172
   WebControlLibrary.InheritedPage.BasePage.CreateChildControls() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:123
   System.Web.UI.Control.EnsureChildControls() +100
   System.Web.UI.Control.PreRenderRecursiveInternal() +38
   System.Web.UI.Page.ProcessRequestMain() +1499
Well, first thing I'd check is if I have configured all the necessary settings for delegation scenario.;en-us;810572

and some more checklist:
1. "Account is sensitive and cannot be delegated" option for the user account is unselected
2. "Enable computer and user accounts to be trusted for delegation" in Local Security Policty
(or Domain Security Policty) is not accidentally disabled
3. All computers participating in delegation must have the same time settings. Then Time
Zone and "Automatically adjust clock for daylight saving changes" settings have the same
value on all computers where you are going to use Kerberos delegation.

Secondly, I'd check whether the loIdentity.Token has network credentials (primary token)
in the first place. For that, I have one question back to you, how do you create the token?


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Another question, are you running on any of this: XP2 or Windows 2000 sp4 or Windows 2003?
WolfyUKAuthor Commented:
The server is 2K SP4.

I will have a look at your suggestions shortly. Unfortunately I only get two half-days a week to work on this...
>> The server is 2K SP4.
Ok, another suggestion for you would be to check whether the impersonation caller has "Impersonate a client after authentication" user right. Because WinXP sp2, W2K sp4 or W2k3 requires that privilege to impersonate at "Impersonation" or "Delegation" level. Otherwise, the impersonation will be successful only at "Identify" level, which is lack of ability to access network resources.
WolfyUKAuthor Commented:
Thanks very much for your earlier post. That article had two parts of the solution: setting impersonation to true in the web.config file and setting up the browser for delegation.

I found a good article on the correct settings for cross-browser access too: At last: FireFox can be used on our Intranet! All I need to do now is convince the SysAdmin to get everyone's browsers configured centrally...

Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.