MVC3 WebRole access is denied when connecting to AD in Azure

Proposed answer: MVC3 WebRole access is denied when connecting to AD in Azure

  • Thursday, 5 January 2012 18:40

    Hi,


    I've been developing an MVC3 Web Application that is used to query Active Directory. The application runs fine when I run it from the built-in Visual Studio 2010 web server.

    I will eventually need this application to run on the cloud. So I decided to try to run this application from Azure. I right-clicked on the MVC3 project and selected 'Add Windows Azure Deployment Project'. I ran the Azure project that was created using the Azure emulator.

    The web application loaded fine but it throws the following exception when it tries to get the schema from my local AD server:

    [COMException (0x80070005): Access is denied.
    ]
       System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +439513
       System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType) +760
    
    [UnauthorizedAccessException: Access is denied.
    ]
       System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType) +846
       System.DirectoryServices.ActiveDirectory.DirectoryContext.isServer() +150
       System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema.GetSchema(DirectoryContext context) +155

    Here's the snippet of the code that connects to active directory:

    using System.DirectoryServices.ActiveDirectory;

    // contextName is the AD server name, userName/password are explicit credentials
    DirectoryContext dc = new DirectoryContext(DirectoryContextType.DirectoryServer, contextName, userName, password);

    // I get the error when it tries to execute this line
    ActiveDirectorySchema schema = ActiveDirectorySchema.GetSchema(dc);


    Keep in mind that I can run this exact application without Azure using the VS2010 built-in server without encountering any problems.

    Do you guys have any ideas what the issue might be?


    Thanks in Advance

     

All replies

  • Thursday, 5 January 2012 21:04
     
     
    Correct me if I'm wrong - but wouldn't you require Active Directory Federation Services to connect to an Active Directory from Windows Azure? The problem may be related to the fact that you're a member of your active directory when you're running your MVC3 application locally - but Windows Azure doesn't have the permissions or ability to do this without Federating?
    -Ira Bell
  • Sunday, 8 January 2012 11:38
     
     Suggested answer
    When you run your application using the VS2010 web server, it uses your identity, whereas the Azure Emulator uses IIS and the default app pool identity, which is generally Network Service.
    What is the context in which AD is accessed? Is it for authenticating users? If so, you should consider using ADFS, ACS (optional) and Windows Identity Foundation.

    Srini
    • Proposed as answer by Srini Ganji, Tuesday, 21 February 2012 09:55
  • Monday, 6 February 2012 12:34
     
     

    Alternatively, you can bring your Azure-hosted application into your on-premise domain so that the above lines of code will work. In this case you would actually bring the Azure-allocated VM on which your MVC web role is hosted into your on-premise domain, so the Azure web role VM would act as if it were part of your domain network.

    For this you can use Windows Azure Connect for your MVC web role and create a group on the Azure Management Portal. Also install the Connect endpoint on your on-premise AD and add it to the same Azure Connect group.

    There are a few values that need to be entered in the service configuration file. For details, refer to http://blogs.msdn.com/b/windows_azure_connect_team_blog/archive/2010/12/10/domain-joining-windows-azure-roles.aspx

    Hope it helps.


    Mark As Answer if it helps you | My Blog
  • Wednesday, 15 February 2012 03:41
     
     

    Workaround: After running the Cloud Project on the emulator, open IIS and find out which AppPool is being used by your emulator. Change the identity from Network Service to your domain account. Recycle the pool and refresh the localhost Azure emulator web site page; it should work.

    You will not be able to make it run on Windows Azure, as there is no directory service (AD) available on Azure. Long term you might want to use an ADFS and ACS federated identity solution to get your domain users authenticated on Windows Azure.
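The same workaround scripted with the IIS WebAdministration module, as an added example that is not part of any post in this thread. It assumes an elevated PowerShell on the developer machine; the pool name is a placeholder, because the emulator generates it, so list the sites first and copy the real one. Using a dedicated, low-privilege domain account for the pool rather than a personal admin account keeps the AD-reading rights of the web role to the minimum it needs.

```powershell
Import-Module WebAdministration

# Step 1: find which app pool the emulator's site is using.
# The emulator creates names like "deployment16(1).<Project>.<Role>_IN_0" (varies per run).
Get-ChildItem IIS:\Sites | Select-Object Name, ApplicationPool, PhysicalPath | Format-Table -AutoSize

# Placeholder: replace with the pool name shown above for your emulator site.
$poolName = 'EMULATOR_APP_POOL_NAME'
$poolPath = "IIS:\AppPools\$poolName"

# Step 2: show the current identity (NetworkService by default).
$pool = Get-Item $poolPath
Write-Host "Current identity type: $($pool.processModel.identityType)"

# Step 3: switch the pool to a specific domain account.
# identityType 3 = SpecificUser. Prompting avoids leaving the password in the script.
$cred = Get-Credential -Message 'Domain account the emulator app pool should run as (least privilege)'
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step 4: recycle so the worker process picks up the new identity, then verify.
Restart-WebAppPool -Name $poolName
$pool = Get-Item $poolPath
Write-Host "New identity: $($pool.processModel.identityType) / $($pool.processModel.userName)"
```

Check the pool identity again after each emulator run: the emulator recreates its sites and pools, so the change is local to the developer box and will not carry over to a real Windows Azure deployment.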