C# PrincipalContext 在 IIS 上没有用户名和密码

Question

I have a C# .NET framework backend API. I am implementing AD login, but have a problem, where the PrincipalContext constructor does not work without the username and password, which should not be the case.

The line in question is:

 var principalContext = new PrincipalContext(
   ContextType.Domain, 
   System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName
 );

It works fine on a different computer with the current web.config file, so I am guessing my IIS is not set up correctly or the permissions are incorrect.

I am running the API in VS2022 in debug mode, local IIS, and the website is inside Default Web Site in IIS.

My application pool identity is set to ApplicationPoolIdentity , in authentication I have only anonymous authentication enabled (I have also tried only Windows authentication and both).

I have also noticed, that the line

System.Security.Principal.WindowsIdentity.GetCurrent().Name;

returns domain\\username on the computer where it works, and returns iis apppool\\app pool name on my computer.

Also, this is my web.config file for reference:

<system.web>
  <compilation debug="true" targetFramework="4.5.2" />
  <httpRuntime targetFramework="4.5.2" />
</system.web>
<!-- so only the Tokens controller uses Windows authentication and all others can use JWT tokens -->
<location path="Tokens"> 
  <system.webServer>
      <security>
          <authentication>
              <windowsAuthentication enabled="true" />
              <anonymousAuthentication enabled="false" />
          </authentication>
      </security>
  </system.webServer>
</location>
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="false" />
      <anonymousAuthentication enabled="true" />
    </authentication>
  </security>
  ...
</system.webServer>

Answer 1

the problem on your localhost should be caused because your application pool uses a local system identity, you can change it with a domain user that has the permission to retrieve the information to the domain controller

Let me now if you need more information how to change the app pool identity.

Regards

Jerry

Answer 2

If you don't pass in a username and password, the PrincipalContext constructor will use the credentials of the account running the application pool to host the asp.net application in IIS to connect to Active Directory. ApplicationPoolIdentity is a dedicated pseudo-user account for the application pool worker process, it is recommended that you change the application pool identity.

LocalSystem - The Local System account has all user rights and is part of the Administrators group on the Web server. Avoid using the Local System account if possible, as it can pose a serious security risk to your web server.

NetworkService - By default, the Network Service account is selected. It is a member of the Users group and has the user rights required to run the application. It can interact in Active Directory-based.networks by using computer account credentials. This account provides maximum security against attacks that might attempt to take over the web server.

LocalService - The Local Service account is a member of the Users group and has the same user rights as the Network Service account, but only on the local computer. Use this account when the worker processes in your application pool do not need access outside the web server they are running on.

It is recommended that you set up a domain service account dedicated to the IIS application pool.

You need to create a domain service account firstly.

• Under Administrative Tools, open the Active Directory Users and Computers.
• Right-click the directory where you want to assign this account (ie testlab.com > Service Accounts) and select New > User.
• Add a name and login for the service account.
• Click Next and enter a password. Clear User must change password at next logon.
• Choose between a password that never expires or an account that locks you out of the secret server.
• Click Next, then Finish.

Assign the identity of the application pool in IIS.

• Select the corresponding application pool, right-click and select Advanced Settings.
• In the Process Model section, select Identity and click the ellipsis.
• Select Custom Account, click Set, enter your service account name and password, and click OK.

Grant folder permissions

• Give the service account Modify and Access to the folder where the application files reside.