2 votes

Ok, so this was working in my VS test server (naturally), but as soon as I publish to IIS, it breaks. What I need for this to work is to be able to get ahold of the GUID (not the SID, please) of the user currently logged into the machine. Using DirectoryServices, this was my original implementation:

var guid = UserPrincipal.Current.Guid.ToString();

This is giving me an error that I cannot cast from GroupPrincipal to UserPrincipal. So it sounds like the application is trying to run as some authenticated group or something. I realize the normal approach would be something like HttpContext.Current.User.Identity, but I'm not sure what to do with that as it has no Guid property, and when I try to convert it to a SID and run an LDAP query, it throws an exception. Can someone help me with the necessary steps to achieve this?

Thanks

UPDATE: Okay here's my most current attempt:

protected string GetUserGuid()
{
    // Binds to the domain of the process identity (under IIS, the app pool account).
    var pc = new PrincipalContext(ContextType.Domain);
    // Identity of the authenticated web user, e.g. "DOMAIN\user" under Windows auth.
    var windowsID = HttpContext.Current.User.Identity;
    var up = UserPrincipal.FindByIdentity(pc, windowsID.Name);
    return up.Guid.ToString();
}

And the exception I get:

[COMException (0x8007054b): The specified domain either does not exist or could not be contacted. ]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +788
System.DirectoryServices.DirectoryEntry.Bind() +44
System.DirectoryServices.DirectoryEntry.get_AdsObject() +42
System.DirectoryServices.PropertyValueCollection.PopulateList() +29
System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) +63
System.DirectoryServices.PropertyCollection.get_Item(String propertyName) +163
System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() +436
System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() +51
System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() +141
System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() +42
System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) +29
System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue) +95
TicketsToMe.GetUserGuid() +123
TicketsToMe.Page_Load(Object sender, EventArgs e) +38
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3048

Can you elaborate on "sounds like the application is trying to run as some authenticated group"? Without knowing your IIS application settings it will be difficult. What identity is the app pool running as? - Ta01

It is running as an admin account - Sinaesthetic

It looks to me that the user under which the IIS app runs (the app pool user) does not have access to your domain. Is the admin account local? - Maciej

A local user (including admin) will not be able to contact the domain controller - Maciej

@MaciejDopieralski is correct, you need to run the App Pool with a domain account that has privs - Ta01

1 Answer

1 vote

If something runs locally but not on IIS it can be a permission thing. Have you checked the trust level on your IIS? The local VS test server runs on Full trust, but an IIS (especially 7) website may be set to Medium or lower. This has caused me problems before with similar results, i.e. something running locally but not on IIS.

Also, it is worth checking the permissions for the app pool user.
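As an added example (not the asker's code and not from the answer above), here is a variant of the update's GetUserGuid that takes the domain from the authenticated user's "DOMAIN\user" name instead of the process identity, disposes the directory objects, and turns the "domain could not be contacted" failure from the stack trace into a message that points at the app pool identity the comments identify as the cause. The class name UserGuidLookup and the IIdentity parameter are assumptions; the lookup still requires the app pool identity to be able to reach the domain.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class UserGuidLookup
{
    // Returns the objectGUID of the authenticated user, or null if the account
    // is not found. Call as GetUserGuid(HttpContext.Current.User.Identity).
    public static Guid? GetUserGuid(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            return null;

        // Windows auth gives "DOMAIN\user"; use the DOMAIN part so the bind
        // targets the user's domain rather than whatever the process guesses.
        string domain = null;
        string account = identity.Name;
        int slash = account.IndexOf('\\');
        if (slash > 0)
        {
            domain = account.Substring(0, slash);
            account = account.Substring(slash + 1);
        }

        try
        {
            using (var pc = domain == null
                ? new PrincipalContext(ContextType.Domain)
                : new PrincipalContext(ContextType.Domain, domain))
            using (var up = UserPrincipal.FindByIdentity(
                pc, IdentityType.SamAccountName, account))
            {
                // Principal.Guid is already a Guid?; it is null for a missing user.
                return up == null ? (Guid?)null : up.Guid;
            }
        }
        catch (Exception ex) when (ex is PrincipalServerDownException
                                   || ex is COMException)
        {
            // The bind itself failed (the 0x8007054b case in the question): the
            // identity running the app pool cannot reach a domain controller.
            throw new InvalidOperationException(
                "Could not contact domain '" + (domain ?? "<default>") + "'. " +
                "Check that the IIS app pool runs as a domain account.", ex);
        }
    }
}
```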