Authentication to update AD - access denied

  • Question

  • User982203039 posted

    I have created a view that unlocks user accounts. When testing using the local IIS this works fine. I have now published to the intranet IIS (Windows 2012) and get an access denied. I know it's a windows authorization issue but not sure where.

    I have authentication mode="Windows" in the Web.config file and have IIS setup for windows authentications. How can I get my controller to pass the domain users credentials to IIS so I can run my code?

    Thanks!

    using System.DirectoryServices.AccountManagement;
    using System.Web.Mvc;

    public ActionResult Unlock(string user)
    {
        // set up domain context (no credentials given, so the current process identity is used)
        PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
        // find a user
        UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, user);
        if (usr != null)
        {
            // unlock user
            usr.UnlockAccount();
        }
        return RedirectToAction("Index");
    }

    Wednesday, July 10, 2019 8:27 PM

All replies

  • User475983607 posted

    I assume the application pool identity (the web application) does not have authority to perform the task. Add a service account to the application pool identity that has proper authority to perform the task.

    If this is not the issue, then post the actual error message so we're not guessing.

    Wednesday, July 10, 2019 8:35 PM
  • User982203039 posted

    That is not really what I want to do. I did get it to work like this:

    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "domain.local", "username", "password");

    But I only want users that are domain admins to be able to perform this. Is there a way to use the above code but use User.Identity.Name instead?

    Thanks!

    Wednesday, July 10, 2019 8:56 PM
  • User475983607 posted

    Use the [Authorize] attribute to restrict access to roles.

    https://squarewidget.com/authorizationattribute-with-windows-authentication-in-mvc-4/

    You can also craft a custom role provider.

    Wednesday, July 10, 2019 9:08 PM
  • User982203039 posted

    I now get a message Your Connection to this site is not private - and prompts me for a username and password. I am a member of the group I specified. Even when I enter the domain admin and password it just keeps prompting me.

    Side question:
    OK - that would work. Is it safe to have a password in the controller?

    Wednesday, July 10, 2019 9:46 PM
  • User475983607 posted

    Prompting for credentials means the box is not in the same (expected) domain, or you are using a browser other than IE, or the site is not in the trusted zone.

    Wednesday, July 10, 2019 10:49 PM
  • User982203039 posted

    Here is the strange thing. Using [Authorize(Users works fine, but roles does not?? When using roles, the prompt says: connecting to, then my computer name.domain name.

    Thursday, July 11, 2019 12:57 PM
  • User1724605321 posted

    Hi Baze72,

    For authorization with Active Directory groups, you can add roleManager to your web.config:

    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear />
        <add
            name="AspNetWindowsTokenRoleProvider"
            type="System.Web.Security.WindowsTokenRoleProvider"
            applicationName="/" />
      </providers>
    </roleManager>

    Then use it with the Authorize attribute:

    [Authorize(Roles = "Domain\\Group")]
    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";

        return View();
    }


    Best Regards,

    Nan Yu

    Friday, July 12, 2019 2:19 AM
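Putting the thread's two recommendations together (a service account with delegated unlock rights as the application pool identity, so no password lives in the controller, plus [Authorize(Roles = ...)] backed by the roleManager config above), here is an added example that is not code from any post in this thread. The group name DOMAIN\AccountUnlockers, the controller name and the use of Trace for auditing are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Diagnostics;
using System.Web.Mvc;

// Added example, not from the original thread. Assumes the application pool runs as a
// service account that has only the "unlock account" right delegated in AD, so
// PrincipalContext is created without credentials. The group name is assumed.
[Authorize(Roles = @"DOMAIN\AccountUnlockers")]
public class UnlockController : Controller
{
    // Characters that cannot appear in a sAMAccountName.
    private static readonly char[] Disallowed = "\"/\\[]:;|=,+*?<>".ToCharArray();

    [HttpPost]
    [ValidateAntiForgeryToken]   // unlocking is a state change; do not allow it via GET
    public ActionResult Unlock(string user)
    {
        // Defence in depth: reject blanks, over-long names and invalid characters
        // before the value reaches the directory lookup.
        if (string.IsNullOrWhiteSpace(user) || user.Length > 20
            || user.IndexOfAny(Disallowed) >= 0)
        {
            return new HttpStatusCodeResult(400, "Invalid account name");
        }

        string caller = User.Identity.Name;   // the domain user Windows auth identified
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
        {
            if (usr == null)
            {
                return HttpNotFound();
            }
            if (usr.IsAccountLockedOut())
            {
                usr.UnlockAccount();
                // Audit who unlocked whom; the pool identity alone does not record the caller.
                Trace.TraceInformation("{0} unlocked {1} at {2:o}",
                    caller, usr.SamAccountName, DateTime.UtcNow);
            }
        }
        return RedirectToAction("Index");
    }
}
```

The Roles check only works once the roleManager section from the reply above is in web.config; without it, [Authorize(Users = ...)] still works but any Roles value is rejected and the browser is re-prompted.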