ASP.NET with Active Directory: User Credentials

I am an ASP.NET newbie and creating an in-house application (will be used by 10 users inside a group). One of the objectives is to add users to an Active Directory group. For audit purposes, the app users should do the AD change with their own credentials (and not with a common id created for this sole purpose). The website is hosted on Windows Server 2008 R2/IIS 7.0 and everything is in the enterprise domain.

IIS Settings:
Application Pool Name: UserAppMapping, Integrated, ApplicationPoolIdentity

Authentication: ASP.NET Impersonation and Windows Authentication only are Enabled.

VB.NET Code (I have removed all error checking so I can see the actual error):

Imports System.Globalization
Imports System.DirectoryServices.AccountManagement
Imports System.Web.Hosting

Public Sub AddUserToGroup(userId As String, groupName As String, Optional GroupDN As String = "")

        ' Run the directory calls under the token of the Windows-authenticated
        ' web user (ASP.NET impersonation), not the application pool identity.
        Using HostingEnvironment.Impersonate()

            Dim domainName As String = "DOM"

            Dim ou = [String].Format(CultureInfo.InvariantCulture, "dc={0},dc=myorg,dc=com", domainName)

            Dim domain = [String].Format(CultureInfo.InvariantCulture, "{0}.myorg.com", domainName)

            ' PrincipalContext binds to the domain; the Using block disposes it.
            Using insPrincipalContext = New PrincipalContext(ContextType.Domain, domain, ou)
                Dim insGroupPrincipal As GroupPrincipal = GroupPrincipal.FindByIdentity(insPrincipalContext, IdentityType.Name, groupName)

                Dim user As UserPrincipal = UserPrincipal.FindByIdentity(insPrincipalContext, userId)

                ' FindByIdentity returns Nothing (not an exception) when nothing matches,
                ' so both lookups are checked before the group or user is touched.
                If insGroupPrincipal Is Nothing Then
                    Label1.Text = "Cannot retrieve information about " + groupName + " from Active Directory"
                ElseIf user Is Nothing Then
                    Label1.Text = "Cannot retrieve information about " + userId + " from Active Directory"
                ElseIf user.IsMemberOf(insGroupPrincipal) Then
                    LabelErr.Text = userId + " is already part of " + groupName
                Else
                    'add user to group; Save() is the write that needs AD permissions
                    insGroupPrincipal.Members.Add(user)
                    insGroupPrincipal.Save()
                    Label1.Text = "User added successfully"
                End If
            End Using
        End Using
    End Sub

Problem :

Everything works fine but when following lines are encountered in the code:

insGroupPrincipal.Members.Add(user)
insGroupPrincipal.Save()

The application prompts for user credentials. While I understand the code in this function is running under the context of Windows Identity "IIS APPPOOL\UserAppMapping", it will prompt for credentials which have access to Active Directory. Is there a way for the app user to modify the AD groups (I am assuming the user can modify the groups directly in AD) without typing extra credentials?

If I remove "Using (HostingEnvironment.Impersonate())" from the code, it fails right away when GroupPrincipal.FindByIdentity is encountered.

The web.config is set with:

authentication mode="Windows"
identity impersonate="true"

Thanks in advance.

Do the following.

  1. Make sure that IIS Authentication is set to Windows Auth=enabled, Anonymous=false. This is required in addition to the web.config.

  2. You need an account that has higher rights in AD than ApplicationPoolIdentity. You need a Network Account to perform the AD work. Create a new network account and then in your application pool in IIS change it from ApplicationPoolIdentity to Custom Account. Then enter your new AD Account and password. (I would suggest making that AD Account password never expire.)
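The two steps in the answer, scripted as an added example (this is not code from the original question or answer). It uses the WebAdministration module that ships with IIS and the dsacls tool from the AD tools, and it assumes the site name "Default Web Site", the application and pool name "UserAppMapping" from the question, a dedicated domain account DOM\svc-useraddmap, and a target group DN CN=AppUsers,OU=Groups,DC=DOM,DC=myorg,DC=com; all of those names are placeholders to replace. The dsacls line goes one step beyond the answer: rather than giving the account broad rights, it grants write access to the member attribute of the one group the application manages, which is the least privilege the Save() call needs.

```powershell
# Added example, not from the original post. Run as an IIS administrator on the
# web server; the dsacls line needs AD permissions to change the group's ACL.
Import-Module WebAdministration

# Assumed names (placeholders).
$site    = 'Default Web Site'
$app     = 'UserAppMapping'
$pool    = 'UserAppMapping'
$svcUser = 'DOM\svc-useraddmap'
$groupDN = 'CN=AppUsers,OU=Groups,DC=DOM,DC=myorg,DC=com'
$svcPwd  = Read-Host -AsSecureString "Password for $svcUser"

# Step 1: Windows Authentication enabled, Anonymous disabled, scoped to the application.
$authPath = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$app" `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false

# Step 2: run the application pool as the dedicated domain account
# instead of ApplicationPoolIdentity (IIS stores the password encrypted in
# applicationHost.config; the plain string exists only briefly in this session).
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPwd)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $svcUser
    password     = $plain
}
Remove-Variable plain
Restart-WebAppPool -Name $pool

# Least-privilege grant for the write: WP (write property) on "member" of the
# one managed group only, rather than membership in a privileged AD group.
dsacls $groupDN /G "${svcUser}:WP;member"

# Check: the effective authentication settings and the pool identity type.
$auth = Get-WebConfiguration -PSPath 'IIS:\' -Location "$site/$app" -Filter "$authPath/*"
$auth | Select-Object ItemXPath, enabled
(Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).identityType   # SpecificUser
```

With this configuration the directory write is performed by the pool account, so the AD audit trail (Directory Service Changes events on the domain controller) records DOM\svc-useraddmap as the principal that changed the group, not the web user; the web user's identity is only available to the application itself through Windows Authentication. If the audit requirement is that AD itself attributes the change to the app user, the user's own token has to reach the domain controller, which is a Kerberos delegation question the answer does not cover.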
