Channel: Active questions tagged blazor - Stack Overflow

Error when resetting user AD password via Azure WebApp


I have been building an internal tool to help manage our on-prem AD environment for our techs. One of the functions is a "password reset" function that can be used to generate and set a password for a user.

When I run this in my local DEV environment, it works as expected and resets the user password, but when I run it via my Azure Web App, it fails with the error:

    Password reset failed: Exception has been thrown by the target of an invocation. Inner Exception: Access is denied. (0x80070005 (E_ACCESSDENIED))

Debugging the code within azure gives me

    Exception thrown: 'System.Reflection.TargetInvocationException' in System.DirectoryServices.dll
    Exception thrown: 'System.Reflection.TargetInvocationException' in System.DirectoryServices.dll

I know that my app has access to my on-prem AD from Azure via the VNET, as I'm able to query AD to get the user, their details and mobile number, but it fails as soon as I run the Invoke in the following code.

It seems to be something about executing this query against AD from the web app that differs from running it under IIS.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

public async Task<AdPasswordResetResult> ResetPasswordAsync(string distinguishedName)
{
    using var scope = _provider.CreateScope();
    var siteSettingRepo = scope.ServiceProvider.GetRequiredService<SiteSettingRepository>();
    var ldapServerSetting = await siteSettingRepo.GetByNameAsync("LDAPServer");
    if (ldapServerSetting == null || string.IsNullOrWhiteSpace(ldapServerSetting.SettingValue))
        return new AdPasswordResetResult
        {
            Success = false,
            ErrorMessage = "LDAPServer setting not found."
        };

    var ldapServer = ldapServerSetting.SettingValue.Trim();

    return await Task.Run(() =>
    {
        try
        {
            // Bind as the service account. AuthenticationTypes.Secure asks for a
            // Kerberos/NTLM (SSPI) bind; it does not make the transport SSL/TLS.
            using (DirectoryEntry rootEntry = new DirectoryEntry($"LDAP://{ldapServer}", _settings.Username, _decryptedPassword, AuthenticationTypes.Secure))
            using (DirectorySearcher searcher = new DirectorySearcher(rootEntry))
            {
                // distinguishedName is interpolated into an LDAP filter without escaping;
                // if it can ever come from user input it must be escaped per RFC 4515.
                searcher.Filter = $"(distinguishedName={distinguishedName})";
                searcher.PropertiesToLoad.Add("mobile");
                SearchResult result = searcher.FindOne();
                if (result == null)
                {
                    return new AdPasswordResetResult
                    {
                        Success = false,
                        ErrorMessage = $"User with distinguishedName '{distinguishedName}' not found."
                    };
                }

                // GetDirectoryEntry() creates a new COM-backed object; dispose it too.
                using (DirectoryEntry entry = result.GetDirectoryEntry())
                {
                    // Check for mobile
                    string? mobile = null;
                    if (entry.Properties["mobile"]?.Count > 0)
                        mobile = entry.Properties["mobile"][0]?.ToString();

                    // Generate new password
                    var newPassword = PasswordGenerator.GeneratePassphrase();

                    // Reset password in AD. "SetPassword" is the ADSI IADsUser::SetPassword
                    // call: it opens its own secure channel to the DC (LDAP over SSL on 636,
                    // then Kerberos, then NetUserSetInfo over RPC), independent of the LDAP://
                    // bind above. E_ACCESSDENIED surfaces from that step, wrapped in a
                    // TargetInvocationException by Invoke.
                    entry.Invoke("SetPassword", newPassword);
                    entry.CommitChanges();

                    return new AdPasswordResetResult
                    {
                        Success = true,
                        MobileNumber = mobile,
                        NewPassword = newPassword
                    };
                }
            }
        }
        catch (COMException ex)
        {
            return new AdPasswordResetResult
            {
                Success = false,
                ErrorMessage = $"COM Exception: {ex.Message} (0x{ex.ErrorCode:X})"
            };
        }
        catch (Exception ex)
        {
            var innerException = ex.InnerException != null ? ex.InnerException.Message : "No inner exception";
            return new AdPasswordResetResult
            {
                Success = false,
                ErrorMessage = $"Password reset failed: {ex.Message}. Inner Exception: {innerException}"
            };
        }
    });
}
```

I'm sure it's something to do with how Azure is connecting, but for the life of me I can't seem to find any clear direction. Research tells me it's potentially an LDAP vs LDAPS issue, but I'm not sure where else to go with this one and would appreciate any guidance (I'm trying to avoid writing a service that I call to do the actual work).

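The question's own research points at LDAP vs LDAPS, and the comment on `entry.Invoke("SetPassword", ...)` above is the relevant detail: ADSI's `SetPassword` negotiates its own channel to the DC (LDAP over SSL, then Kerberos, then RPC), separate from the `LDAP://` bind that the working query uses. The example below is an added illustration, not code from the question or from any Microsoft sample: it does the reset with `System.DirectoryServices.Protocols` over an explicit LDAPS connection on TCP 636 by writing the `unicodePwd` attribute, so the only dependencies are reachability of 636 over the VNet and a DC certificate the app trusts, with no guesswork about which ADSI fallback the App Service sandbox can use. Assumed (hypothetical) names: `LdapsPasswordReset`, the `_server`/`_credential` fields, and a service account that holds only the "Reset password" right on the target OU. The caller supplies the new password (for example from the question's `PasswordGenerator`).

```csharp
// Added example: password reset over explicit LDAPS with a unicodePwd modify.
// Not the question's code; class and member names are hypothetical.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public sealed class LdapsPasswordReset
{
    private readonly string _server;            // DC host name (must match its certificate)
    private readonly NetworkCredential _credential;

    public LdapsPasswordReset(string server, string serviceUpn, string servicePassword)
    {
        _server = server;
        // Simple bind with a UPN or DOMAIN\user. Acceptable only because the
        // transport is TLS from the first byte (see Connect); never do this over 389.
        _credential = new NetworkCredential(serviceUpn, servicePassword);
    }

    private LdapConnection Connect()
    {
        var identifier = new LdapDirectoryIdentifier(_server, 636);
        var conn = new LdapConnection(identifier, _credential, AuthType.Basic);
        conn.SessionOptions.SecureSocketLayer = true;   // LDAPS, not StartTLS
        conn.SessionOptions.ProtocolVersion = 3;
        // Deliberately no VerifyServerCertificate callback that returns true: an
        // unverified peer on 636 would receive the service credentials and the new
        // password. Trust the DC's issuing CA on the app instead.
        conn.Bind();
        return conn;
    }

    // Returns the user's "mobile" attribute (null if unset) after the reset succeeds.
    public string? Reset(string distinguishedName, string newPassword)
    {
        using LdapConnection conn = Connect();

        // Base-scope read of the object itself: the DN is the search base, so no
        // caller-supplied text is interpolated into an LDAP filter.
        var search = new SearchRequest(distinguishedName, "(objectClass=user)", SearchScope.Base, "mobile");
        var found = (SearchResponse)conn.SendRequest(search);
        if (found.Entries.Count == 0)
            throw new InvalidOperationException($"No user object at '{distinguishedName}'.");

        SearchResultEntry entry = found.Entries[0];
        string? mobile = null;
        if (entry.Attributes.Contains("mobile"))
            mobile = entry.Attributes["mobile"].GetValues(typeof(string))[0] as string;

        // AD takes unicodePwd as the UTF-16LE bytes of the password wrapped in double
        // quotes, and only accepts the write on an encrypted (TLS or sealed) connection;
        // on plain LDAP the DC answers unwillingToPerform.
        byte[] pwdBytes = Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
        var setPassword = new ModifyRequest(distinguishedName,
            DirectoryAttributeOperation.Replace, "unicodePwd", pwdBytes);
        conn.SendRequest(setPassword);   // throws DirectoryOperationException on a non-success result

        // The password is relayed to the user by a tech, so treat it as temporary:
        // pwdLastSet = 0 forces a change at next logon.
        var expireNow = new ModifyRequest(distinguishedName,
            DirectoryAttributeOperation.Replace, "pwdLastSet", "0");
        conn.SendRequest(expireNow);

        return mobile;
    }
}
```

Usage: `new LdapsPasswordReset("dc01.corp.example", "svc-reset@corp.example", secret).Reset(dn, PasswordGenerator.GeneratePassphrase())`. A quick reachability check before touching code is `Test-NetConnection dc01.corp.example -Port 636` from the app's VNet; if that fails, no LDAPS-based approach (including ADSI's first fallback) can work. If the bind throws an `LdapException` mentioning the certificate, fix trust on the app side rather than disabling validation.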

