Changing VM Active Directory password from Azure Web site

  • Question

  • For this question, I have the following scenario:

    - Azure Web site developed in ASP.NET, C#, MVC 4

    - Active Directory on a virtual machine in the same environment of Windows Azure.

    The Active Directory is dedicated exclusively to granting access to roles and functions of the website, so it won't represent a risk for the company directory structure.

    I am using a code similar to the following:

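
    // directoryEntry is the DirectoryEntry bound to the target user object
    directoryEntry.Invoke("SetPassword", new object[] { "NewPassword" });
    directoryEntry.Properties["LockOutTime"].Value = 0;   // clear the lockout
    directoryEntry.CommitChanges();                       // property changes are cached until committed
    directoryEntry.Close();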


    I am not using identity impersonate. It's a web site that is published in Windows Azure with service access credentials, which are valid in the current directory of a virtual machine in the same Azure.

    Authentication against Active Directory works well from the published site, and changing the password also works locally in the development environment, since the System.Security.Principal.WindowsIdentity user is the session user running the code and has sufficient permissions to make changes to the AD. However, when the site is published, it cannot change the password, and the user identity changes to "IIS APPPOOL \ SiteUser", returning the following error:

    Error: The server is not operational.

    Trace: at Integration.Portal.wFRestPass.GetDirectoryEntryByUserName (String userName) at Integration.Portal.wFRestPass.ResetUserPassword (Object sender, EventArgs e)

    Thursday, June 4, 2015 8:56 PM

Answers

  • Hello Jay_villarreal,

    The error message indicates to me that the Virtual Machine on which you have hosted Active Directory is not accessible from the web application when trying to save the changed password.

    To keep the connection active, I would suggest you use connection pooling. You can refer to the link below, which will give you information on this:

    https://dirteam.com/tomek/2007/08/09/system-directoryservices-and-connection-pooling/

    Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    You might also want to consider using Windows Azure Active Directory if that fits your solution:

    http://blogs.technet.com/b/keithmayer/archive/2013/04/09/step-by-step-provisioning-windows-azure-active-directory-free-for-production-use.aspx

    Implementing this with Azure Web Apps is fairly simple. You can refer to the link below, which will help you understand the integration with Web Apps:

    http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/

    Thanks,
    Syed Irfan Hussain

    Friday, June 5, 2015 6:27 AM
  • Actually, it looks like when the site is published in the Azure platform, it becomes isolated from the AD machine; the solution is to use Azure AD to avoid AD vulnerabilities and security failures.

    Jay_villarreal

    Monday, July 6, 2015 9:48 PM
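
An added example, not code from this thread: a password reset that binds to the domain controller with explicit, narrowly delegated service-account credentials over LDAPS and reports a connectivity failure separately from a policy or permission failure. The class and method names, host, OU and account values are hypothetical placeholders, and it assumes the web app has a network route to the domain controller and that the DC serves LDAPS.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdPasswordReset
{
    // All connection values are placeholders (assumptions); load them from
    // protected configuration rather than hard-coding them.
    // dcHost e.g. "dc01.corp.example:636", containerDn e.g.
    // "OU=SiteUsers,DC=corp,DC=example" (both constructed).
    // serviceAccount should be delegated "Reset password" on that OU only.
    public static string ResetPassword(
        string dcHost, string containerDn,
        string serviceAccount, string servicePassword,
        string targetUser, string newPassword)
    {
        try
        {
            // Bind with explicit credentials over LDAPS. The worker-process
            // identity (IIS APPPOOL\...) is a local virtual account, not a
            // domain principal, so it cannot be granted rights in AD.
            using (var ctx = new PrincipalContext(
                ContextType.Domain, dcHost, containerDn,
                ContextOptions.Negotiate | ContextOptions.SecureSocketLayer,
                serviceAccount, servicePassword))
            using (var user = UserPrincipal.FindByIdentity(
                ctx, IdentityType.SamAccountName, targetUser))
            {
                if (user == null) return "user-not-found";
                user.SetPassword(newPassword);            // administrative reset
                if (user.IsAccountLockedOut()) user.UnlockAccount();
                return "ok";
            }
        }
        catch (PrincipalServerDownException)
        {
            // Same condition as "The server is not operational": the DC was
            // never reached (routing, DNS or firewall), so no AD permission
            // change will help.
            return "dc-unreachable";
        }
        catch (PasswordException)
        {
            return "password-policy";   // DC reached, new password rejected
        }
        catch (UnauthorizedAccessException)
        {
            return "access-denied";     // DC reached, service account lacks rights
        }
    }
}
```

Logging the returned status alongside the caller's identity gives an audit trail of reset attempts without recording either password.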
