0

I have code to create a user directly in Active Directory for ADFS. My sample code:

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Windows.Forms;

    // ...inside a button click handler of the Windows Forms application
    PrincipalContext principalContext = null;
    try
    {
        // Bind to the current domain as the identity the process runs under
        principalContext = new PrincipalContext(ContextType.Domain);

        // Check whether the logon name is already taken
        UserPrincipal usr = UserPrincipal.FindByIdentity(principalContext, txt_username.Text);

        if (usr != null)
        {
            MessageBox.Show(txt_username.Text + " already exists. Please use a different User Logon Name.");
        }
        else
        {
            UserPrincipal userPrincipal = new UserPrincipal(principalContext);

            userPrincipal.Surname = txt_lastname.Text;
            userPrincipal.GivenName = txt_firstname.Text;
            userPrincipal.EmailAddress = txt_email.Text;

            userPrincipal.UserPrincipalName = txt_username.Text + "@ad.net";
            userPrincipal.SamAccountName = txt_username.Text;
            userPrincipal.DisplayName = txt_lastname.Text + " " + txt_firstname.Text;
            userPrincipal.SetPassword(txt_pwd.Text);

            userPrincipal.Enabled = true;
            userPrincipal.PasswordNeverExpires = true;

            // Persist the new object to Active Directory
            userPrincipal.Save();
            MessageBox.Show("User created successfully");
        }
    }
    catch (Exception ex)
    {
        // Any failure (context creation, lookup or Save) ends up here
        MessageBox.Show("Failed to create user. Exception: " + ex);
    }
    finally
    {
        if (principalContext != null)
            principalContext.Dispose();
    }

It works fine as a Windows application, but if I put the same code in ASP.NET it throws this error:

userPrincipal Exception:Access is denied

Any suggestions?

Thanks

2
  • Which user is running the application pool? Commented Jan 30, 2018 at 10:31
  • The MessageBox.Show() function won't work in ASP.NET, either. Commented Jan 30, 2018 at 14:19

2 Answers

1

It means that the account used to authenticate to Active Directory does not have permissions to create the account.

Unless you specify otherwise, the account used to run ASP.NET application is created by IIS, and doesn't have any permissions beyond the server it is running on. You have two options:

  1. Change the IIS application pool to run with a domain account that has permissions to create accounts, or
  2. Use a different constructor for PrincipalContext that accepts a username and password to authenticate, and use credentials that have permissions to create accounts:

         principalContext = new PrincipalContext(ContextType.Domain, null, @"DOMAIN\username", "password");


0

While you are constructing your PrincipalContext in this line:

    principalContext = new PrincipalContext(ContextType.Domain);

make sure to pass additional parameters such as the AD server name, username, password, etc. It should iron out any permission issues. The username and password used should have rights to create the user in AD. For example:

    principalContext = new PrincipalContext(ContextType.Domain, ADSERVER, $"OU=New Users,DC=MYDOMAIN,DC=CO,DC=UK", USERNAME, PASSWORD);
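Both answers boil down to the same change: in ASP.NET the process identity is the IIS application-pool account, which has no rights in the domain, so the PrincipalContext must either be created under a domain account (app pool identity) or be given explicit credentials. The following is an added example, not code from the question or either answer, that puts the credentialed variant into a reusable method. The configuration keys (AdServer, AdSvcUser, AdSvcPassword), the OU distinguished name, the class and method names and the use of ConfigurationManager are assumptions for illustration; the constructor overload, ContextOptions flags and UserPrincipal members are real System.DirectoryServices.AccountManagement APIs.

```csharp
// Added example (not from the question or the answers): creating an AD user from ASP.NET
// with an explicitly supplied service account instead of the IIS application-pool identity.
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;

public static class AdUserProvisioner
{
    // OU on which the service account has been delegated "Create User objects" rights.
    // Scoping the context to one container limits what these credentials can touch. (assumed value)
    private const string NewUsersOu = "OU=New Users,DC=ad,DC=net";

    public static PrincipalContext OpenContext()
    {
        // Credentials come from configuration (e.g. web.config appSettings), never from source code.
        // Use a dedicated least-privilege service account, not a domain admin. (assumed key names)
        string server   = ConfigurationManager.AppSettings["AdServer"];      // e.g. "dc01.ad.net"
        string username = ConfigurationManager.AppSettings["AdSvcUser"];     // e.g. @"AD\svc-provision"
        string password = ConfigurationManager.AppSettings["AdSvcPassword"];

        // Negotiate (Kerberos/NTLM) with sealing and signing keeps the bind off the wire in clear text;
        // SimpleBind would send the password unencrypted unless SecureSocketLayer is also set.
        return new PrincipalContext(
            ContextType.Domain,
            server,
            NewUsersOu,
            ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing,
            username,
            password);
    }

    // Returns false if the logon name is already taken. Directory errors surface as exceptions
    // (PrincipalOperationException, PasswordException, UnauthorizedAccessException) for the caller to log.
    public static bool CreateUser(string logonName, string firstName, string lastName,
                                  string email, string initialPassword)
    {
        using (PrincipalContext ctx = OpenContext())
        {
            // Look up by sAMAccountName explicitly instead of letting FindByIdentity guess the identity type
            if (UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, logonName) != null)
                return false;

            using (UserPrincipal user = new UserPrincipal(ctx))
            {
                user.SamAccountName    = logonName;
                user.UserPrincipalName = logonName + "@ad.net";
                user.GivenName         = firstName;
                user.Surname           = lastName;
                user.DisplayName       = lastName + " " + firstName;
                user.EmailAddress      = email;
                user.SetPassword(initialPassword);   // applied when the object is saved
                user.Enabled = true;
                user.Save();                         // object is created in NewUsersOu

                // Instead of PasswordNeverExpires, force a change at first logon so the
                // initial password handed out by the web app does not stay in use.
                user.ExpirePasswordNow();
            }
        }
        return true;
    }
}
```

If you take the first answer's option 1 instead (run the application pool under a domain service account), drop the username and password arguments and construct the context as `new PrincipalContext(ContextType.Domain, server, NewUsersOu)`; the bind then uses the pool identity, and the OU delegation is still what limits the damage if the web application is compromised. Either way, replace MessageBox.Show with logging and a returned status, since there is no interactive desktop for a web application to show a dialog on.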
