Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2981
  • Last Modified:

DirectoryEntry access using Impersonation

Hi all,

I am trying to use the DirectoryEntry class to access the default AD on the local domain through ASP.NET. I have managed to successfully access the directory using a predefined username and password combination, but I need to be able to pass in the current user's credentials when accessing the directory.

The problem is that I have created a separate VB.NET class that holds all of the AD functionality that is in turn called from the relevant ASP.NET page, rather than creating the directory objects directly from the ASP.NET page. I understand that in order to get this working I need to use impersonation/delegation but this is where my knowledge starts to dry up...

In my constructor code in the called VB.NET class I am passing in the current user's System.Security.Principal.WindowsIdentity 'loIdentity' which I then attempt to impersonate using

  Dim context As WindowsImpersonationContext = WindowsIdentity.Impersonate(loIdentity.Token)

. The new DirectoryEntry is then created using the parameters:

  New DirectoryEntry([LDAP path], Nothing, Nothing, AuthenticationTypes.Signing Or AuthenticationTypes.Sealing Or  AuthenticationTypes.Secure)

, but as soon as a method is attempted on the new object, the following error occurs:

  System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist

I have looked into this error and have been directed to a number of MS articles, such as http://support.microsoft.com/default.aspx?scid=kb;en-us;329986 (which seemed to point to a Kerberos delegation issue due to an invalid Primary Token, as the problem does not occur on the local server itself) and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp (which led to the server being configured as Trusted for Delegation, but to no avail). I have also tried playing around with the Web and Machine .config files to to configure the impersonation correctly but I am still having no joy.

Does anyone have any ideas what I could try next?
  • 4
  • 3
1 Solution
Are you sure the impersonation worked? you can check whether the impersonation is working correctly by printing out the current security context after impersonation.

And can you post part of your code where the exception gets thrown? and also the exception trace would be more helpful.
WolfyUKAuthor Commented:
Displaying the WindowsIdentity.GetCurrent.Name immediately after the impersonation correctly returns the current user domain and username.

The Exception occurs at any method called on the new DirectoryEntry instance. For example, if I try obtaining the DirectoryEntry.Name property, the following is displayed:

[COMException (0x8007200a): The specified directory service attribute or value does not exist]
   System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +705
   System.DirectoryServices.DirectoryEntry.Bind() +10
   System.DirectoryServices.DirectoryEntry.get_Name() +10
   ClassLibrary.ActiveDirectory.ActiveDirectory..ctor(String loADContainer, WindowsIdentity loIdentity) in \\testserver\intranet\Prototype\ClassLibrary\ActiveDirectory\ActiveDirectory.vb:22
   ClassLibrary.User.User.GetUserResult(IPrincipal loUser) in \\testserver\intranet\Prototype\ClassLibrary\User\User.vb:22
   WebControlLibrary.InheritedPage.BasePage.PrepareVariables() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:172
   WebControlLibrary.InheritedPage.BasePage.CreateChildControls() in \\testserver\intranet\Prototype\WebControlLibrary\InheritedPage.vb:123
   System.Web.UI.Control.EnsureChildControls() +100
   System.Web.UI.Control.PreRenderRecursiveInternal() +38
   System.Web.UI.Page.ProcessRequestMain() +1499
Well, first thing I'd check is if I have configured all the necessary settings for delegation scenario.

and some more checklist:
1. "Account is sensitive and cannot be delegated" option for the user account is unselected
2. "Enable computer and user accounts to be trusted for delegation" in Local Security Policty
(or Domain Security Policty) is not accidentally disabled
3. All computers participating in delegation must have the same time settings. Then Time
Zone and "Automatically adjust clock for daylight saving changes" settings have the same
value on all computers where you are going to use Kerberos delegation.

Secondly, I'd check whether the loIdentity.Token has network credentials (primary token)
in the first place. For that, I have one question back to you, how do you create the token?

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Another question, are you running on any of this: XP2 or Windows 2000 sp4 or Windows 2003?
WolfyUKAuthor Commented:
The server is 2K SP4.

I will have a look at your suggestions shortly. Unfortunately I only get two half-days a week to work on this...
>> The server is 2K SP4.
Ok, another suggestion for you would be to check whether the impersonation caller has "Impersonate a client after authentication" user right. Because WinXP sp2, W2K sp4 or W2k3 requires that privilege to impersonate at "Impersonation" or "Delegation" level. Otherwise, the impersonation will be successful only at "Identify" level, which is lack of ability to access network resources.
WolfyUKAuthor Commented:
Thanks very much for your earlier post. That article had two parts of the solution: setting impersonation to true in the web.config file and setting up the browser for delegation.

I found a good article on the correct settings for cross-browser access too: http://blogs.sun.com/roller/page/wyllys/Weblog/kerberos_web_authentiation_with_apache?catname=. At last: FireFox can be used on our Intranet! All I need to do now is convince the SysAdmin to get everyone's browsers configured centrally...

Thanks again!

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now