I have a web/IIS server (Win2012R2) in which users authenticate against Active Directory (DC = Win2016). I cannot unlock an AD account via C# from this web server. How can I do it?
Things I have tried or proven:
Creating a domain admin account and explicitly using those credentials when instantiating the `PrincipalContext`. Also logging into the domain controller with this admin account and unlocking the account successfully (manually). Whether I pass in a `PrincipalContext` with hard-coded credentials or not, I can confirm that the credentials are valid in either case (e.g. `ctx.ValidateCredentials("my_user", "my_pwd")`). I can confirm that my `UserPrincipal` is not null and that I am able to read the correct value of the user's locked status via `IsAccountLockedOut()`.
I can successfully unlock the account using PowerShell from the web server using any domain admin account.
Code:
```csharp
using System.DirectoryServices.AccountManagement;
using System.Web;

// Username of the account to unlock, taken from the current session.
string usr = HttpContext.Current.Session["CurrentUsername"].ToString();

// No credentials given: the bind uses the identity of the IIS worker process.
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, usr);
if (user != null && user.IsAccountLockedOut()) {
    user.UnlockAccount();
}
```
Error:
```text
System.UnauthorizedAccessException: Access is denied.
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at System.DirectoryServices.AccountManagement.SDSUtils.WriteAttribute(String dePath, String attribute, Int32 value, NetCred credentials, AuthenticationTypes authTypes)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.WriteAttribute(Principal p, String attribute, Int32 value)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.UnlockAccount(AuthenticablePrincipal p)
   at System.DirectoryServices.AccountManagement.AccountInfo.UnlockAccount()
   at ASP.en_us_forgot_aspx.btnPassword_OnClick(Object sender, EventArgs e)
```
The context is not relevant here. The account running the web site process in IIS needs to have permission to do the unlock.
I have a site that does this, and I had to set the site in IIS to run using a special domain account created for that purpose that only has the exact specific permissions it needs. You don't need or want a full domain admin account exposed via a web site this way.
The issue in my code was related to not defining the `PrincipalContext` correctly. Once I followed the documentation example precisely for the `UserPrincipal` constructors, and discovered the OU path of the admin account I was using for the unlock, I solved the problem.

```csharp
PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
    "ad.domainname.com",
    "OU=SomeOU,DC=ad,DC=domainname,DC=com",
    "myadminuser",
    "MyPa$sW0rd");
```
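The two answers above make complementary points: the LDAP write runs as whichever identity the `PrincipalContext` binds with (the IIS worker process identity when no credentials are passed, an explicit account otherwise), and that account only needs the right to clear the lockout, not domain admin. The following is an added example, not code from the question or either answer, that combines both: it reads a dedicated service account and its container from `appSettings` (the keys `UnlockDomain`, `UnlockContainer`, `UnlockUser` and `UnlockPassword` are assumed names, not from the page), falls back to the process identity when no service user is configured, logs which identity performed the write, and turns the `UnauthorizedAccessException` from the stack trace into a result the caller can act on.

```csharp
// Added example. Assumes the appSettings keys below exist in Web.config and that
// the configured service account (or the app pool identity, if none is set) has
// been delegated write access to the lockoutTime attribute on the user container.
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class AccountUnlocker
{
    public enum UnlockResult { Unlocked, NotLocked, UserNotFound, AccessDenied }

    // samAccountName: the user to unlock. log: sink for diagnostic lines
    // (e.g. a logger or Trace.WriteLine); it receives no secrets.
    public static UnlockResult Unlock(string samAccountName, Action<string> log)
    {
        // When no explicit credentials are supplied, this is the identity the
        // SetInfo() call in the stack trace runs as. Logging it answers the
        // "which account is actually doing the write?" question first.
        log("Request thread identity: " + WindowsIdentity.GetCurrent().Name);

        string domain    = ConfigurationManager.AppSettings["UnlockDomain"];    // e.g. ad.domainname.com
        string container = ConfigurationManager.AppSettings["UnlockContainer"]; // e.g. OU=...,DC=...
        string svcUser   = ConfigurationManager.AppSettings["UnlockUser"];      // least-privilege account
        string svcPass   = ConfigurationManager.AppSettings["UnlockPassword"];

        try
        {
            // Explicit service account if configured, otherwise the process identity.
            using (PrincipalContext ctx = string.IsNullOrEmpty(svcUser)
                ? new PrincipalContext(ContextType.Domain, domain, container)
                : new PrincipalContext(ContextType.Domain, domain, container, svcUser, svcPass))
            using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                    return UnlockResult.UserNotFound;
                if (!user.IsAccountLockedOut())
                    return UnlockResult.NotLocked;

                // Clears the lockout; this is the attribute write that needs delegated rights.
                user.UnlockAccount();
                log("Unlocked " + samAccountName + " as " +
                    (string.IsNullOrEmpty(svcUser) ? WindowsIdentity.GetCurrent().Name : svcUser));
                return UnlockResult.Unlocked;
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // The bound identity lacks write permission on the target object.
            log("Access denied unlocking " + samAccountName + ": " + ex.Message);
            return UnlockResult.AccessDenied;
        }
    }
}
```

Keeping the credentials in configuration rather than in source, as in the second answer, means the password can be rotated without a redeploy and never ends up in version control; the logged identity line is the first thing to check when the result is `AccessDenied`, since it tells you whether the write was attempted by the app pool identity or by the configured service account.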