Add user to Active Directory group results in "Access Denied" - c#

I am working on a C# ASP.NET site that adds users to Active Directory and assigns them to security groups.
The whole script works great except for one issue. I can add users to groups, but I get an "Access Denied" exception when trying to add the user to a group that the Application Pool's Identity is a member of.
I think it's a windows permissions issue, but I'm not sure what permission is required. We had the same issue in the past when using an older VB script.
Any ideas?

I had this kind of issue with a website designed for Active Directory management. The execution environment was not allowed to manage AD so far. So, through IIS, we changed the default account to Local System, which has full permissions (almost: it can't reboot the system, for example) and cannot be logged on to (security first). This works if you are impersonating your website.
If not, you will need advanced group and user management. AD permissions are very touchy.
Edit:
In your case, using a specific account is not a problem. Check the identity when your admin logs in, and use impersonation with Local System. Your application environment will be all right, and only your admin will have access.

Related

Other causes of this Active Directory error?

I'm trying to use Microsoft Azure AD to log into my web app. I'm using OWIN and have managed to get to the login page; I type in the credentials (including an Azure admin's credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
Based on the error message, your app has been assigned an application permission, which requires an Azure Active Directory admin to give consent.
You can check the permissions as in the figure below and remove any unnecessary permissions that your app doesn't use.
You can also refer to the code sample here to integrate Azure AD with a web app.
In addition, if we are developing a single-tenant app and register the app from the Azure classic portal or the new portal, there is no need to grant the permission from the web app. The permission is already granted when we register the app.
Please let me know if it helps.

Delete folder programmatically as admin

I'm trying to delete a user profile folder using C# and ASP.NET. When I do this through the Windows UI I get a UAC prompt, which is fine.
I wish to do this programmatically using ASP.NET & C#.
The objective is for admin users to launch a webform and do this remotely on a workstation, but I'm currently getting permission errors.
(I'm running Visual Studio as admin in my debugging environment to delete local users.)
{"Access to the path 'C:\Users\nzsp2013admin\AppData\Local\Microsoft\Windows\Application ..... is denied."}
code:
using System.IO;
// Verbatim string: in a normal C# string "\U" is an invalid escape, so the original literal would not compile.
var dir = new DirectoryInfo(@"C:\Users\nzsp2013admin");
dir.Attributes = dir.Attributes & ~FileAttributes.ReadOnly; // clears read-only on the top-level folder only
dir.Delete(true); // true => recursive delete
This has to do with the permissions which are configured in IIS.
Every ASP.NET application that you run in IIS will be run using an identity that can be managed in the Application Pools section in IIS Manager.
By default, each Application Pool that is created (including the default one) will have permissions within a limited scope.
If I'm honest, the phrase Application Pool makes things sound more complicated than they actually are. An application pool is just an identity, exactly like the one that you use to sign on to your PC, and in your case an identity with normal user permissions is attempting to perform an action that requires a set of higher permissions.
To resolve this, open up IIS.
Click on Application Pools
Select the Application Pool that your web application is running under
Click on Advanced Settings
Click on identity and select Custom identity
Enter the credentials of an account that has administrative privileges.
However, I do have to warn you that you could be opening yourself up to a wide range of security concerns, and that there are alternatives, such as adding explicit permissions on specific directories for the identity that the ASP.NET application is running under.
I used this approach and it works very well. With this approach you don't use an account with high-level privileges all the time, just when required, and not for the application execution.
Try to use a domain account and add privileges to the folder or location you require. And share the folder so you can use a UNC path.
Accessing a Shared File (UNC) From a Remote, Non-Trusted Domain With Credentials
You could use code impersonation:
http://csharptuning.blogspot.com/2007/06/impersonation-in-c.html
http://www.codeproject.com/Articles/14358/User-Impersonation-in-NET
Regardless, whoever you use as the impersonation user must be able to read/write to the location. We use this method in applications for deleting/creating folders across the network, but in theory you should be able to wrap this around any piece of code: check to see if the user is an admin, and if so use the impersonated user to delete the folder, or however you prefer to do it.
Also, I noticed you mention that you are wanting to do it remotely, but your examples have the local path.
You may also find this useful: Deleting Windows user accounts remotely WCF and C#
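The impersonation approach described in the answer above, written out as an added example (this is not code from the answer or from the linked articles). It assumes a hypothetical domain corp.example and a dedicated account svc-profilecleanup that has been granted Modify on the profile folders it is meant to remove, and nothing more; the web application keeps its ordinary app pool identity and only the delete runs under the impersonated token. Because the rights are granted to that account on the folder directly, the operation does not depend on an elevated administrator token, which is what the UAC prompt in the question was about.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example, not code from the posts above. Hypothetical names: domain
// "corp.example", account "svc-profilecleanup" with Modify on the target folders.
public static class ImpersonatedDelete
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    private const int LOGON32_LOGON_INTERACTIVE = 2;   // the account needs "Allow log on locally"
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public static void DeleteDirectoryAs(string domain, string user, string password, string path)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // bad credentials, missing logon right, ...

        using (token)
        {
            // Only this delegate runs as svc-profilecleanup; the rest of the
            // request keeps the app pool identity.
            WindowsIdentity.RunImpersonated(token, () =>
            {
                var root = new DirectoryInfo(path);
                if (!root.Exists) return;
                ClearReadOnly(root);
                root.Delete(true);
            });
        }
    }

    // Delete(true) fails on read-only entries, so clear the attribute first.
    // Profile folders contain junctions ("Application Data" and friends) whose
    // ACL denies listing to everyone; they are reparse points, so do not descend
    // into them. The recursive Delete removes the junction entry itself.
    private static void ClearReadOnly(DirectoryInfo root)
    {
        var pending = new Stack<DirectoryInfo>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            DirectoryInfo dir = pending.Pop();
            dir.Attributes &= ~FileAttributes.ReadOnly;
            foreach (FileInfo f in dir.EnumerateFiles())
                f.Attributes &= ~FileAttributes.ReadOnly;
            foreach (DirectoryInfo sub in dir.EnumerateDirectories())
                if ((sub.Attributes & FileAttributes.ReparsePoint) == 0)
                    pending.Push(sub);
        }
    }

    public static void Main()
    {
        // Never hard-code the password; an environment variable is used here only
        // to keep the example self-contained.
        string pwd = Environment.GetEnvironmentVariable("SVC_PROFILECLEANUP_PASSWORD");
        DeleteDirectoryAs("corp.example", "svc-profilecleanup", pwd, @"C:\Users\nzsp2013admin");
        Console.WriteLine("deleted");
    }
}
```

Two checks before relying on this in a web form: gate the call on the requesting user actually being an administrator (the answer's "check to see if the user is an admin"), and keep the impersonated account's rights limited to the folders it must delete, so that a compromise of the site does not hand out a general-purpose privileged account. Deleting the folder does not unregister the profile itself, which is why the remote-deletion link above goes through the user account rather than the directory.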

Why do I need to set up trust to query Active Directory?

I am new to Active Directory and was given a task to fix a bug where an app on one of our servers could not access Active Directory on another server. The user we are using to bind to Active Directory is a "Domain Admin" and we are using this user's credentials in a C# application to access Active Directory with the System.DirectoryServices.AccountManagement classes of .NET 3.5.
The server is in the same domain as the active directory server.
After struggling to make the app work, the network administrator set up trust (as a last resort) to the server computer (where the app is installed) and that allowed the app to work.
The network admin said :
"If I open the computer account in AD and click on Delegation (and then select 'Trust this computer for delegation to any service (Kerberos only)' it works!! I can't see why I should need to enable delegation for the server as it's already on the domain anyhow - but it works"
My question is why was this necessary?
It sounds like a programming error where PrincipalContext isn't taking effect. None of these samples change the default service context... If he looks at the event logs he probably sees MachineName$ (dollar sign) logging in.
Try this - Set the service account name from LocalService to the account you want to use with LDAP. It should work, even without domain admin rights.
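Both the first answer on this page (use a dedicated account rather than the worker-process identity) and the one just above (PrincipalContext not taking effect, so the machine account MachineName$ does the bind) come down to the same thing: bind with explicit credentials. The following is an added example, not code from either thread. It assumes a hypothetical domain corp.example, a service account svc-usermgmt and a group App-Users, and that svc-usermgmt has been delegated "Write Members" on that group (or its OU). Writing the group's member attribute is the permission the "Access Denied" in the first question is about; Domain Admin is not required for it. Note that Local System on a domain-joined server talks to AD as the computer account, so choosing it does not remove the need to grant that permission; it only moves it onto COMPUTER$ while giving the web application full local privileges.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the posts above. Hypothetical names: domain
// "corp.example", service account "svc-usermgmt", group "App-Users".
public static class GroupMembership
{
    public static bool AddUserToGroup(string domain, string serviceUser, string servicePassword,
                                      string userSam, string groupSam)
    {
        // Explicit credentials on the context: the directory now sees
        // svc-usermgmt, not the worker process (MachineName$ or the app pool).
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, serviceUser, servicePassword))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSam))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userSam))
        {
            if (group == null) throw new ArgumentException("Group not found: " + groupSam);
            if (user == null) throw new ArgumentException("User not found: " + userSam);

            if (user.IsMemberOf(group))
                return false;                 // already a member; nothing to write

            group.Members.Add(user);
            try
            {
                group.Save();                 // this is where Write Members is checked
            }
            catch (Exception ex) when (ex is UnauthorizedAccessException
                                       || ex is PrincipalOperationException)
            {
                throw new InvalidOperationException(
                    $"'{serviceUser}' is not allowed to modify membership of '{groupSam}'. " +
                    "Delegate Write Members on that group (or its OU) to it instead of " +
                    "raising the app pool's privileges.", ex);
            }
            return true;
        }
    }

    public static void Main()
    {
        // Never hard-code the password; an environment variable is used here only
        // to keep the example self-contained. In IIS, prefer running the pool as
        // the service account and using the parameterless PrincipalContext instead.
        string pwd = Environment.GetEnvironmentVariable("SVC_USERMGMT_PASSWORD");
        bool added = AddUserToGroup("corp.example", "svc-usermgmt", pwd, "jdoe", "App-Users");
        Console.WriteLine(added ? "added" : "already a member");
    }
}
```

If the Security event log on the domain controller still shows MachineName$ after this change, the credentials are not reaching the bind; if it shows svc-usermgmt and the Save() still fails, the missing piece is the Write Members delegation on that particular group, which is the per-group check to make before touching trust or delegation settings on the computer account.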

Intranet Application best practice? ApplicationPoolIdentity or not?

I have a local Intranet application that does some file validation using Directory.Exists and File.Exists. Unfortunately, the checks fail due to the fact that the application is running as "ApplicationPoolIdentity" and that account doesn't have access to the UNC paths the Directory.Exists and File.Exists are checking.
Should I give that ApplicationPoolIdentity account permissions to read those directories? (All of the directories appear under a top level folder of a single server.) If so, how?
Or, should I run the Application Pool under a domain account and grant that account permissions? (If I do need to create a new account, what permissions should I give it?)
Thanks for any input!
As a rule I normally create a custom account, but if you want to grant additional rights to shares etc., I would say that it is the best option.
Create a new AppPool with a custom identity with the relevant access to the shares. Then have the application run under this new AppPool. That way you can have other applications that do not require access to the shares in AppPools that do not have this access.
If you are using Windows 7 or Windows 2008 R2 you might want to look at Virtual Accounts.
Here is a good article on the topic of Application Pool Identities
You need to set read ACLs for the following identity: IIS AppPool\. You can do it either from the folder properties dialog (if your computer is on the domain, make sure Locations is set to the local machine in the "Select Users or Groups" dialog) or using icacls from the command line.
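An added example, not code from the answer above, that does two things a practitioner wants here: it tells "folder missing" apart from "access denied" (Directory.Exists and File.Exists swallow UnauthorizedAccessException and simply return false, which is why the checks in the question look like missing paths), and it grants the app pool's virtual account the same read ACL the answer describes, equivalent to icacls "<path>" /grant "IIS AppPool\IntranetPool:(OI)(CI)RX". The pool name IntranetPool is hypothetical. One caveat the answer does not state: the IIS AppPool\<name> identity exists only on the web server, so it can be granted on local folders; for a share on another server, the app pool authenticates as the web server's computer account (DOMAIN\WEBSERVER$), and that, or a domain account running the pool, is what must be granted on the remote share.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not code from the posts above. Hypothetical app pool name
// "IntranetPool". Targets .NET Framework (DirectoryInfo.GetAccessControl).
public static class AppPoolFileAccess
{
    // Probe with an operation that can throw, so the two failure modes are visible.
    public static string DiagnoseDirectory(string path)
    {
        string me = WindowsIdentity.GetCurrent().Name;   // e.g. "IIS APPPOOL\IntranetPool"
        try
        {
            // Listing requires List Folder / Read Data on the directory.
            using (var e = Directory.EnumerateFileSystemEntries(path).GetEnumerator())
                e.MoveNext();
            return $"OK: {me} can list {path}";
        }
        catch (UnauthorizedAccessException)
        {
            return $"DENIED: {me} lacks read access to {path}";
        }
        catch (DirectoryNotFoundException)
        {
            return $"MISSING: {path} does not exist as seen by {me}";
        }
        catch (IOException ex)
        {
            return $"UNREACHABLE: {path} ({ex.Message})";   // e.g. share or server not found
        }
    }

    // Grant read + execute, inherited by subfolders and files, to the pool's
    // virtual account. Run this elevated from an admin tool on the file server,
    // never from the site itself.
    public static void GrantReadToAppPool(string path, string appPoolName)
    {
        var account = new NTAccount("IIS AppPool", appPoolName);
        var dir = new DirectoryInfo(path);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            account,
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    public static void Main(string[] args)
    {
        // Usage: diagnose first; grant only once the failure is confirmed as DENIED.
        string path = args.Length > 0 ? args[0] : @"D:\IntranetData";
        Console.WriteLine(DiagnoseDirectory(path));
        if (args.Length > 1 && args[1] == "--grant")
            GrantReadToAppPool(path, "IntranetPool");
    }
}
```

Calling DiagnoseDirectory from inside the site (for example from a diagnostics page restricted to administrators) shows exactly which identity the worker process is using and whether it is being denied, which settles the question of whether to grant the existing pool identity or move the pool to a domain account before any ACLs are changed.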

Service unavailable message in IIS

I have created a sample ASP.NET website and hosted it in IIS 6.0. It is working fine if the identity of the default app pool is "Local System". But when I changed the identity to some other configurable user ID, it shows "Service Unavailable".
The following message is found in the Event Viewer:
"The identity of application pool 'DefaultAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled."
Either the credentials provided for the user are not valid, or the user does not have the needed permissions.
I believe there is a security group on the machine called IIS_WPG that is created when ASP.NET is installed; add the user to this group and it should give them the needed permissions.
The message is self-explanatory. The selected user ID isn't valid, probably due to insufficient privileges to run the service.
The user identity you use needs to have fairly significant rights to operate. At a minimum the user needs to have read/execute permission on the root directory of the folder. This user should also have read/write/execute permission on the Temporary ASP.NET Files folder located within the %SystemRoot%\Microsoft.NET\Framework\ folder.
FYI,
In a development environment you can use the default app pool to create your web applications.
In a production environment you want to use lusrmgr.msc (Server 2008/R2/7 Ultimate and Pro) to create new users (and their credentials) on the machine and assign the users to the right group (IIS_IUSRS).
Also, once you have created the user, you will want to give it access to your data source back-end (if SQL is running on the same machine and using Windows authentication to access SQL).
Check the Application Pool assigned to the site in IIS; probably it is stopped.
