
So I am attempting to change the password of a user within AD. I have a VM running Server 2008 with an AD role (which is just for testing purposes; when live, this web app will connect to an on-premises AD server), and an Azure WebApp with a webjob within the same VNet.

When I run the webjob from Visual Studio on my machine, it works as intended. But when I run the webjob in Azure, it gets an "Access is Denied" exception.

So somehow the identity given to the method isn't being used when it's run in Azure. It is probably using the default identity from the App Pool, but because it is a WebApp I am unable to change the identity in the App Pool, since WebApps run in a sandboxed environment.

I have also tried using impersonation, which doesn't work either; access is still denied.

Any ideas?

Thanks

Code:

using System;
using System.Configuration; //ConfigurationManager lives in the System.Configuration assembly
using System.DirectoryServices.AccountManagement;

//The credentials of an admin service account in AD which are retrieved from a config file
//(the appSettings key names below are placeholders, not the original post's values)
private static string strUsername = ConfigurationManager.AppSettings["AdServiceUsername"];
private static string strPassword = ConfigurationManager.AppSettings["AdServicePassword"];
//The domain name of the AD server, also from config
private static string strDomain = ConfigurationManager.AppSettings["AdDomain"];

static void Main(string[] args)
{
    try
    {
        string mess;
        //Password here just for testing purposes
        SetUserPassword("[email protected]", "newP45sword", out mess);
        if (mess != "")
        {
            Console.WriteLine(mess);
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine("Error..." + ex);
    }
}

public static void SetUserPassword(string sUserName, string sNewPassword, out string sMessage)
{
    //An out parameter must be assigned on every path, otherwise this does not compile
    sMessage = "";
    try
    {
        UserPrincipal oUserPrincipal = GetUser(sUserName);
        if (oUserPrincipal == null)
        {
            //FindByIdentity returns null rather than throwing when the user does not exist
            sMessage = "User not found: " + sUserName;
            return;
        }
        oUserPrincipal.SetPassword(sNewPassword);//This is where the exception occurs
    }
    catch (Exception ex)
    {
        sMessage = ex.Message;
        Console.WriteLine("Err." + ex);
    }
}

public static PrincipalContext GetPrincipalContext()
{
    //Here is where the admin credentials are passed to the app
    PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, strDomain, strUsername, strPassword);
    return oPrincipalContext;
}

public static UserPrincipal GetUser(string sUserName)
{
    PrincipalContext oPrincipalContext = GetPrincipalContext();
    UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
    return oUserPrincipal;
}

1 Answer


Yes, this is most likely an Azure WebApp Sandbox issue. Details on sandbox restrictions can be found in the wiki here. That wiki doesn't explicitly call out the API you're attempting to use, but as indicated in another SO post for the same UserPrincipal.SetPassword API, that API results in a call stack that invokes a [SecurityCritical] method.

You're most likely going to have to find another way to accomplish your scenario I'm afraid.
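The question's code wraps the bind, the lookup and the reset in one try/catch, so a single "Access is Denied" cannot tell the operator whether the service account failed to bind, lacks the reset-password right on the target user, or (as the answer says) the hosting sandbox blocked the call. The following is an added example, not the asker's or the answerer's code, that runs the same three steps one at a time against a PrincipalContext built with explicit service-account credentials and reports which step failed. The domain, account and user names are placeholders; it assumes the service account holds the reset-password right in the on-premises directory and that the process can reach a domain controller.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not from the original post). Separates bind, lookup and
// reset failures so "Access is denied" can be attributed to a stage.
public static class PasswordResetDiagnostics
{
    public enum Stage { Bind, Lookup, Reset, Done }

    public sealed class Result
    {
        public Stage FailedAt;   // Stage.Done when every step succeeded
        public string Detail;
    }

    public static Result TryResetPassword(string domain, string serviceUser, string servicePassword,
                                          string targetUser, string newPassword)
    {
        // Stage 1: bind as the service account. A failure here is about the
        // credentials or the network path to a domain controller, not the reset right.
        PrincipalContext ctx;
        try
        {
            ctx = new PrincipalContext(ContextType.Domain, domain, serviceUser, servicePassword);
            if (!ctx.ValidateCredentials(serviceUser, servicePassword))
                return new Result { FailedAt = Stage.Bind, Detail = "service account credentials rejected by " + domain };
        }
        catch (Exception ex)
        {
            return new Result { FailedAt = Stage.Bind, Detail = ex.GetType().Name + ": " + ex.Message };
        }

        using (ctx)
        {
            // Stage 2: locate the user. FindByIdentity returns null for "not found",
            // so a null here is a data problem, not a permission problem.
            UserPrincipal user;
            try
            {
                user = UserPrincipal.FindByIdentity(ctx, targetUser);
            }
            catch (Exception ex)
            {
                return new Result { FailedAt = Stage.Lookup, Detail = ex.GetType().Name + ": " + ex.Message };
            }
            if (user == null)
                return new Result { FailedAt = Stage.Lookup, Detail = targetUser + " not found via " + ctx.ConnectedServer };

            // Stage 3: the administrative reset. If the bind above succeeded and this
            // is denied, the cause is either the reset right on the target object or
            // the host refusing the call, which is what the answer describes for Azure Web Apps.
            try
            {
                using (user)
                {
                    user.SetPassword(newPassword);
                }
            }
            catch (UnauthorizedAccessException ex)
            {
                return new Result { FailedAt = Stage.Reset, Detail = "Access denied on SetPassword: " + ex.Message };
            }
            catch (PrincipalOperationException ex)
            {
                return new Result { FailedAt = Stage.Reset, Detail = "Directory rejected the reset: " + ex.Message };
            }
            return new Result { FailedAt = Stage.Done, Detail = "password reset via " + ctx.ConnectedServer };
        }
    }

    // Placeholder values; in a real deployment the service-account secret comes from
    // configuration or a secret store, never from source.
    public static void Main()
    {
        Result r = TryResetPassword("corp.example", "svc-pwreset@corp.example", "<service-account-password>",
                                    "user@corp.example", "<new-password>");
        Console.WriteLine(r.FailedAt + ": " + r.Detail);
    }
}
```

Running this once from a developer machine and once inside the webjob gives two stage reports to compare: if the local run reaches Stage.Done and the Azure run stops at Stage.Reset with the bind and lookup succeeding, the service account and network path are fine and the restriction sits in the hosting environment, which is the conclusion the answer points to.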