IIS forces explicit credentials for DirectoryEntry

    General discussion

  • Hi guys. I didn't find a DirectoryServices section so I just put this one here. I may have missed it so feel free to transfer this post.

    We have a web application with strong integration to AD. When running the application in IIS, the following constructor throws a COM exception: "Logon failure: unknown user name or bad password".

    DirectoryEntry entry = new DirectoryEntry("LDAP://mynetwork.com/DC=mynetwork,DC=com", null, null, AuthenticationTypes.Secure);

    We have to explicitly supply an existing credential in order to make it work. The line then becomes

    DirectoryEntry entry = new DirectoryEntry("LDAP://mynetwork.com/DC=mynetwork,DC=com", @"mynetwork\johndoe", "password", AuthenticationTypes.Secure);

    The virtual folder in IIS disallows anonymous users and uses integrated security.

    We don't like the idea of putting any credential anywhere in the application. Web.config is now capable of encryption but we still want the first constructor to work. What's happening here?

    Sunday, April 22, 2007 2:46 AM

Answers

  •  Joe2 wrote:

    You could try running your app in an application pool whose identity is a domain account if you're on W2003.

    The application pool feature exists in IIS 6.0, not in IIS 5.0; please install the IIS 6.0 Resource Kit Tools.

    The identity application pool settings allow you to specify the account that the worker process uses. By default, the worker process uses the Network Service account. However, you can override this and specify a different Windows identity.

    How to set the identity application pool settings

    1. Open the IIS management console and expand the local computer by clicking the plus sign.
    2. Expand the Application Pools folder by clicking the plus sign.
    3. Right-click the appropriate application pool and then click Properties. The application pool's properties dialog box appears.
    4. Click the Identity tab, and then set the appropriate application pool settings.

    As for your question, you can get suggestions from this thread.

    e.g. Add the tag to your web.config:
    <system.web>
      <identity impersonate="true" userName="userToImpersonate" password="thepassword" />
      <authentication mode="Windows" />
      ...
    </system.web>

    I believe http://forums.asp.net is more appropriate for your issue.

    Tuesday, April 24, 2007 6:46 AM
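The bind the question wants (no user name or password in code) depends entirely on which Windows identity the worker thread carries when the constructor runs. The following C# is an added example, not code from the thread or from Microsoft: it reports that identity, then binds with AuthenticationTypes.Secure and null credentials so ADSI uses the caller's own context. The LDAP path is the one from the question; the class and method names are my own. Under a Network Service pool on a member server the bind goes out as the machine account, and under impersonation it goes out as the browser user's token, which is exactly where the "double hop" bites.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): bind to AD with the security context
// the worker process already has, instead of embedding a user name and
// password in code or web.config. Only the LDAP path comes from the question.
public static class AdBind
{
    // Report which Windows identity the code is running as. Under IIS this is
    // the application pool identity (e.g. NT AUTHORITY\NETWORK SERVICE) unless
    // <identity impersonate="true"/> hands the request token to the thread.
    public static string DescribeCurrentIdentity()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return string.Format("{0} (auth={1}, impersonation={2})",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Passing null for user name and password with AuthenticationTypes.Secure
    // makes ADSI authenticate with the caller's current context (Kerberos or
    // NTLM), so no secret is stored anywhere. If that context is a local
    // machine account, or an impersonated NTLM token that cannot be forwarded
    // to the domain controller (the "double hop"), the bind fails with the
    // logon error quoted in the question.
    public static string BindAsCurrentContext(string ldapPath)
    {
        using (DirectoryEntry entry = new DirectoryEntry(
                   ldapPath, null, null, AuthenticationTypes.Secure))
        {
            // The constructor is lazy; touching NativeObject forces the bind.
            object native = entry.NativeObject;
            return entry.Properties["distinguishedName"].Value as string;
        }
    }

    public static void Main()
    {
        Console.WriteLine("Running as: " + DescribeCurrentIdentity());
        try
        {
            string dn = BindAsCurrentContext("LDAP://mynetwork.com/DC=mynetwork,DC=com");
            Console.WriteLine("Bound to " + dn);
        }
        catch (COMException ex)
        {
            // 0x8007052E is HRESULT_FROM_WIN32(ERROR_LOGON_FAILURE),
            // i.e. "Logon failure: unknown user name or bad password".
            Console.WriteLine("Bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
        }
    }
}
```

Drop the Main into a test page or a console app run under the pool account and compare the printed identity with what the bind needs: if it shows a machine or local account, the fix is the pool identity Joe2 describes; if it shows the browser user with ImpersonationLevel = Impersonation and AuthenticationType = NTLM, the token cannot be used for the second hop to the DC, and either the pool identity or Kerberos delegation is required.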

All replies

  • Is your application running under the Network Service account (W2003) or the ASPNET account (XP)?

    These accounts presumably don't have permission to access AD.

    You could try running your app in an application pool whose identity is a domain account if you're on W2003.

    Sunday, April 22, 2007 5:20 PM
  • Hi. Thanks for the reply. My application runs using an AD account. The site only allows integrated security. A friend of mine told me it has something to do with IIS 6.0. We'll investigate this. Please elaborate on the last sentence.
    Tuesday, April 24, 2007 3:35 AM
  • Thank you so much for the reply sir. I've changed to the "configurable" security account specifying a domain account with access to the database. This time, the service stops after the first hit of the site. I always get the message "Service Unavailable". The reason is that the service is stopped by the system. After restarting, same thing. When I looked at the Event Viewer, I got the following message which is not helpful at all.

     

    A failure was encountered while launching the process serving application pool 'SamplePool''. The application pool has been disabled.

     

    Btw, I created another pool because the other sites are affected by the problem.

    Thursday, April 26, 2007 5:44 AM
  • Hi,

     

    Rather than changing the identity running the w3wp process, you should be able to enable Impersonation so that the code will run with a specified account or the token passed in from IIS.

    For how, please read this KB article http://support.microsoft.com/kb/306158/en-us

     

    But impersonating the authenticated user with Integrated Windows Authentication can have problems accessing network resources (e.g. database, file share, or Active Directory). This is commonly referred to as the "double-hop" issue. Be aware of that.

     

    It is not a big problem that you configure the AppPool identity here. You also need to ensure that the identity account is in the IIS_WPG group, so that the AppPool can be started. 

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/12a3d96c-65ea-4210-96ad-86a801f6a88c.mspx?mfr=true

     

    Thanks!

    Friday, April 27, 2007 6:23 AM
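Martin's reply offers two ways of getting a usable domain context, and neither needs the password that the earlier web.config snippet stores. The fragment below is an added example, not configuration from the thread or the KB article, showing both settings side by side; the account names are placeholders and the comments state the conditions under which each option reaches AD.

```xml
<!-- Added example (not from the thread): giving the LDAP bind a domain
     context without writing a user name and password into web.config. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- Option A: impersonate the token IIS negotiated with the browser.
         No credential is stored. The DirectoryEntry bind then runs as the
         visiting user, which only works for a second hop to the domain
         controller when that token is Kerberos and the worker account has
         delegation enabled in AD; an NTLM token is good for one hop only and
         the bind fails with "Logon failure: unknown user name or bad password". -->
    <identity impersonate="true" />

    <!-- Option B: do not impersonate at all. Leave the line below in place
         of Option A and set the application pool identity in IIS to a
         domain account that is a member of IIS_WPG (Martin's point about the
         pool refusing to start). The bind then runs as that account for every
         request, with no secret in the application at all. -->
    <!-- <identity impersonate="false" /> -->

    <!-- What the asker wants to avoid: a stored secret, even if the section
         is later encrypted with aspnet_regiis.
         <identity impersonate="true" userName="DOMAIN\svc-placeholder" password="..." /> -->
  </system.web>
</configuration>
```

Option B is the one that matches the symptom in this thread (the site only allows integrated security, and the code needs AD on every request regardless of who is browsing); Option A is the right choice only when the directory query must be performed with the visiting user's own permissions, and then the Kerberos delegation prerequisite has to be met on the worker account.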
  • Thanks for the reply Martin. I've already added the worker account to the IIS_WPG group. We still get the "Service Unavailable" and the service is indeed stopped by the system. I also tried granting IIS_WPG to the database but still no luck. I never thought deploying a web app utilizing Integrated Security and SQL Server would be this complicated.
    Friday, April 27, 2007 10:16 AM
  • You'll need to post this question to http://forums.asp.net where the ASP.NET experts live, and link to this thread.

    Hope you can get satisfying answers there.

    Thank you!

    Monday, April 30, 2007 7:33 AM
  • I already did! And you've been so helpful. I'm swarm. Thanks. Click here.

    Wednesday, May 9, 2007 4:31 PM