I am trying to use the DirectoryEntry class to access the default AD on the local domain through ASP.NET. I have managed to successfully access the directory using a predefined username and password combination, but I need to be able to pass in the current user's credentials when accessing the directory.
The problem is that I have created a separate VB.NET class that holds all of the AD functionality that is in turn called from the relevant ASP.NET page, rather than creating the directory objects directly from the ASP.NET page. I understand that in order to get this working I need to use impersonation/delegation but this is where my knowledge starts to dry up...
In my constructor code in the called VB.NET class I am passing in the current user's System.Security.Principal.WindowsIdentity 'loIdentity', which I then attempt to impersonate using

Dim context As WindowsImpersonationContext = WindowsIdentity.Impersonate

The new DirectoryEntry is then created using the parameters:

New DirectoryEntry([LDAP path], Nothing, Nothing, AuthenticationTypes.Signing Or AuthenticationTypes.Sealing Or AuthenticationTypes.Secure)

but as soon as a method is attempted on the new object, the following error occurs:

Exception: The specified directory service attribute or value does not exist
I have looked into this error and have been directed to a number of MS articles, such as http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
(which seemed to point to a Kerberos delegation issue due to an invalid Primary Token, as the problem does not occur on the local server itself) and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT05.asp
(which led to the server being configured as Trusted for Delegation, but to no avail). I have also tried playing around with the Web and Machine .config files to configure the impersonation correctly but I am still having no joy.
Does anyone have any ideas what I could try next?
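The pattern the question describes (impersonate the caller's WindowsIdentity, then bind with Secure/Signing/Sealing) is shown below as an added example; it is not the poster's class and it does not claim to resolve the error above. It assumes the page runs under Windows authentication so that the identity handed to the constructor is a WindowsIdentity, and it uses a placeholder LDAP path and a hypothetical class name (AdLookup). The DescribeToken/CanDelegate helpers are the check a practitioner would run first: a token that arrived via NTLM, or at Impersonation level rather than Delegation level, cannot be forwarded to a domain controller from a second machine, which is the "double hop" the KB article refers to.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal

' Added example, not the poster's code. Assumes the caller passes
' CType(HttpContext.Current.User.Identity, WindowsIdentity) from a page
' that uses Windows authentication, and an LDAP path such as
' "LDAP://DC=example,DC=com" (placeholder).
Public Class AdLookup
    Private ReadOnly _identity As WindowsIdentity
    Private ReadOnly _ldapPath As String

    Public Sub New(ByVal identity As WindowsIdentity, ByVal ldapPath As String)
        If identity Is Nothing Then Throw New ArgumentNullException("identity")
        _identity = identity
        _ldapPath = ldapPath
    End Sub

    ' Diagnostic: shows how the caller authenticated and what the token may do.
    ' Only a Kerberos token at Delegation level can be used from this server
    ' to authenticate to a domain controller on the caller's behalf.
    Public Function DescribeToken() As String
        Return String.Format("User={0}; AuthType={1}; Level={2}", _
            _identity.Name, _identity.AuthenticationType, _identity.ImpersonationLevel)
    End Function

    Public Function CanDelegate() As Boolean
        Return _identity.ImpersonationLevel = TokenImpersonationLevel.Delegation AndAlso _
               String.Equals(_identity.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase)
    End Function

    ' Looks up displayName for a sAMAccountName while impersonating the caller.
    ' Impersonation is scoped to the directory call and always undone.
    Public Function GetDisplayName(ByVal sAMAccountName As String) As String
        Using ctx As WindowsImpersonationContext = _identity.Impersonate()
            ' Nothing/Nothing for credentials: the bind uses the impersonated token.
            Using root As New DirectoryEntry(_ldapPath, Nothing, Nothing, _
                    AuthenticationTypes.Secure Or AuthenticationTypes.Signing Or AuthenticationTypes.Sealing)
                Using searcher As New DirectorySearcher(root)
                    searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & _
                                      EscapeLdapFilter(sAMAccountName) & "))"
                    searcher.PropertiesToLoad.Add("displayName")
                    Dim result As SearchResult = searcher.FindOne()
                    If result Is Nothing OrElse result.Properties("displayName").Count = 0 Then
                        Return Nothing
                    End If
                    Return CStr(result.Properties("displayName")(0))
                End Using
            End Using
        End Using
    End Function

    ' RFC 4515 escaping so a caller-supplied value cannot change the filter.
    ' Backslash is escaped first so the later replacements are not re-escaped.
    Private Shared Function EscapeLdapFilter(ByVal value As String) As String
        If value Is Nothing Then Return String.Empty
        Return value.Replace("\", "\5c") _
                    .Replace("*", "\2a") _
                    .Replace("(", "\28") _
                    .Replace(")", "\29") _
                    .Replace(ControlChars.NullChar, "\00")
    End Function
End Class
```

From the page code-behind: `Dim lookup As New AdLookup(CType(User.Identity, WindowsIdentity), "LDAP://DC=example,DC=com")`, then log `lookup.DescribeToken()` before calling `lookup.GetDisplayName(...)`. If the level reported is Impersonation or the authentication type is NTLM, no amount of impersonation in the class will let the bind reach the domain controller with the caller's credentials; the client must obtain a Kerberos ticket for the web server's SPN and the server's account must be allowed to delegate. When that delegation is granted, limiting it to the LDAP service on the domain controllers (constrained delegation, available from Windows Server 2003) is preferable to the blanket "Trusted for Delegation" setting, which lets the server impersonate users to any service.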