PrincipalContext.ValidateCredentials stops validating after IIS deployment works fine in cassini

Question

I have the following code snippet to test a plain-text username/password against the AD, which works fine if I hit F5 in visual studio and try it via the WCFTestClient, but once I deploy to IIS and try the same function, it will never return true for ValidCredentials; is there something security wise that needs to be set for the Identity that the Application Pool runs under?

I tried setting the App Pool identity to my own account (domain admin) just to test if this was the problem, but that didn't help either, so I'm a bit lost as to how to fix this.

The site (Custom API) has anonymous access set up.

try
{
    // create a "principal context" - e.g. your domain (could be machine, too) 
    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, DomainName))
    {
        // validate the credentials
        if (pc.ValidateCredentials(UserName, Password))
        {
            IsValid = true;
            break;
        }
    }
}
catch (Exception)
{
    LoggingControler.LogWarning(null, "Unreachable Domain: " + Domain);
}

I've gone over things again, and it's all due to Rights in Windows. Network Service somehow doesn't have enough rights to execute PrincipalContext.ValidateCredentials . If I change the Application Pool Identity to the identity of a Domain Administrator, the code works.

If someone can tell me how to set up a Limited User account with the proper rights to execute PrincipalContext.ValidateCredentials , I can finish this.

Answer 1

您是否在IIS中启用Windows身份验证

Answer 2

Ok, I've finally found my own answer via https://stackoverflow.com/questions/5140377/query-activedirectory-sometimes-not-working-asp-net-c and https://elgg.leeds.ac.uk/webteam/weblog/15385.html

As I've discovered, "Network Service" application pool identity holds the key to this problem...

Adding the read rights didn't work; so there's still something else wrong.