
ASP.Net (IIS 7.5) Querying Active Directory without User Credentials

I have multiple web applications that I've built for our intranet. I wanted to allow users to not worry about logging in, so these apps pull the currently logged on user when they hit the site. I used this code for this to happen:

Dim userName As String = User.Identity.Name
CurrentUser = userName.Substring(userName.IndexOf("\") + 1)

This works like a charm, no issues here. The next step is to query Active Directory for that logged in user to pull various information. How I currently have it coded, it works like a charm on the development side (typical, because I'm not running IIS).

The problem becomes when I publish it to my IIS server (Windows Server 2008 R2 running IIS 7.5): I get error messages that point to the specific line in my code that queries Active Directory. The interesting part is these apps were working great last week. They broke after my server admin did the latest batch of Windows Updates (please note, I am running them using .Net Framework 4.0).

Before, I had each app set up so that Windows Authentication was Enabled and the other Authentication types were disabled. For providers, Negotiate is #1, NTLM is #2. For Advanced Settings, Extended Protection = Off, and Enable Kernel-mode authentication is checked.

My web.config has the following set:

<customErrors mode="Off"/>
<authentication mode="Windows" />
<authorization>
  <deny users="?"/>
</authorization>

These were the settings I had, and everything worked like a charm. Now to get it to somewhat work I need to swap the providers around so NTLM is #1 and Negotiate is #2. Because of this, the user's credentials are not properly passed in and the AD query fails. This is the coding I'm using for the query:

Imports System.DirectoryServices

' Bind to the domain root with no explicit credentials, so the bind uses
' whatever identity the worker process (or the impersonated user) has.
Dim adSearchRoot As New DirectoryEntry("LDAP://DC=[DOMAIN],DC=com")
Dim adSearch As New DirectorySearcher(adSearchRoot)

' Find the user object whose sAMAccountName matches the logged-on user.
adSearch.Filter = "(&(ObjectClass=User)(sAMAccountName=" & CurrentUser & "))"
Dim searchResult As SearchResult = adSearch.FindOne()

Ever since the updates, when loading the site with Negotiate in front, it fails on that bottom line because I don't have a username/password set for the DirectoryEntry. Even when I set a username/password, it still does not 100% work like it used to.

So my question becomes: what do I need to do so that when the user accesses the site, I can know their username and can query Active Directory without requiring the use of a username/password in the DirectoryEntry?

Is it a setting in IIS? Or do I need to recode? A web.config setting, perhaps? Do I need to revert server updates and figure out which one causes the break to occur?

Thanks for the advice in advance. If you have any questions to help answer the question, let me know.

UPDATE

I tried as Matt suggested by adding the following clip to my web.config file:

<security>
  <authorization>
    <add accessType="Deny" users="?" />
  </authorization>
</security>

This did not work. I did some reading, and then altered this section further:

<location path="Default Web Site/NameOfApp">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false"/>
        <windowsAuthentication enabled="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</location>

In doing this I also removed the string that was higher up in my web.config section. This did not work either (FYI, this was a great reference: http://www.iis.net/ConfigReference/system.webServer/security/authentication ).

I then tripped across this article: http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7deba16b-295a-4887-98f9-9f291ed49871 which seemed to be a similar situation. This article eventually referenced "Double Hops"; after looking into this and trying a few things, this didn't solve my issue either.

Next Step

I am going to try a new IIS 7.5 implementation on a different Server 2008 R2 system and essentially start from scratch, to see if the problem recreates or not.

ANY new suggestions would be of great help.

I was able to make the code execute without any problems on a Windows 2008 Server. I created a new .NET 4.0 application pool and assigned it to the web application. I changed the web.config to deny anonymous access and use Windows authentication. The code executed without exception.

Looking at your web.config clip, I wonder if this might be what you're missing:

  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>

It's important that you have this authorization section within the system.webServer section. IIS 7 uses the system.webServer section to store some settings that were part of the metabase in IIS 6.

I had this same problem. Here's how I solved it:

Use overload 4 of 5 for the DirectoryEntry constructor which allows for not only a path, but a username, and a password as well. So, your AD connection should look like this:

using System.DirectoryServices;

// Bind with explicit credentials (placeholders here) instead of the process identity.
DirectoryEntry adSearchRoot = new DirectoryEntry("LDAP://DC=[DOMAIN],DC=com", @"DOMAIN\Username", "Password");
DirectorySearcher adSearch = new DirectorySearcher(adSearchRoot);

Now, instead of "DOMAIN\\Username", use a service account and then for the password, obviously, use the password for the service account.

I think as long as the service account is a member of the "Domain Users" group, then you should be able to query AD no problem.
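Putting the question's lookup and this answer's service-account bind together, here is an added example (not code from the question or either answer) that keeps the bind credentials out of the source and escapes the account name before it goes into the LDAP filter. It assumes the appSettings keys "AdBindUser" and "AdBindPassword", the placeholder LDAP path from the question, and the helper names AdLookup, EscapeFilterValue and LookupAttribute.

```csharp
using System.Configuration;
using System.DirectoryServices;
using System.Text;

// Added example, not code from the question or either answer. Assumes the
// appSettings keys "AdBindUser"/"AdBindPassword" and the LDAP path below.
public static class AdLookup
{
    // Escape a value for an LDAP search filter (RFC 4515) so a name containing
    // ( ) * \ or NUL cannot change the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Look up one attribute of the signed-in user. identityName is
    // User.Identity.Name ("DOMAIN\user"). The bind uses a read-only service
    // account from web.config, so it behaves the same under Kerberos or NTLM.
    public static string LookupAttribute(string identityName, string attribute)
    {
        string sam = identityName.Substring(identityName.IndexOf('\\') + 1);
        string filter = "(&(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(sam) + "))";
        using (var root = new DirectoryEntry("LDAP://DC=[DOMAIN],DC=com",
                   ConfigurationManager.AppSettings["AdBindUser"],
                   ConfigurationManager.AppSettings["AdBindPassword"],
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root, filter,
                   new[] { attribute }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties[attribute].Count == 0)
                return null;
            return result.Properties[attribute][0].ToString();
        }
    }
}
```

Call it as `AdLookup.LookupAttribute(User.Identity.Name, "mail")` from the page; the service account only needs read access to the user objects it queries.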
