
ActiveDirectoryMembershipProvider on Azure App Service: Access Denied


One of the legacy applications running on IIS 7 was recently ported to Azure App Service.

The application uses WebMatrix (Simple Membership) and Active Directory as membership providers. Upon hosting it on Azure App Service, we are getting an Access Denied error.

web.config

<membership defaultProvider="simple">
   <providers>
     <clear />
     <add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
     <add name="AD1MembershipProvider" description="Active Directory"
               type="System.Web.Security.ActiveDirectoryMembershipProvider" 
               applicationName="appName" connectionStringName="AD1ConnectionString" 
               connectionUsername="..." connectionPassword="..." 
               connectionProtection="None" 
               enableSearchMethods="true" attributeMapUsername="sAMAccountName" /> 
   </providers>
</membership>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
   <providers>
     <add name="DefaultRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
   </providers>
</roleManager>


<connectionStrings>   
   <add name="AD1ConnectionString" connectionString="LDAP://something.DIR/DC=something,DC=something,DC=DIR" /> 
</connectionStrings>

The application upon start gives this error:

[COMException]: Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
[UnauthorizedAccessException]: Access is denied.

   at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
   at System.DirectoryServices.ActiveDirectory.DirectoryContext.isServer()
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at System.Web.Security.DirectoryInformation.InitializeDomainAndForestName()
   at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
   at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
[ConfigurationErrorsException]: Access is denied.
 (D:\home\site\wwwroot\web.config line 106)
   at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
   at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
   at System.Web.Security.Membership.InitializeSettings(Boolean initializeGeneralSettings, RuntimeConfig appConfig, MembershipSection settings)
   at System.Web.Security.Membership.Initialize()
   at System.Web.Security.Membership.get_Providers()
   at WebMatrix.WebData.WebSecurity.PreAppStartInit()
   at WebMatrix.WebData.PreApplicationStartCode.Start()
[InvalidOperationException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
 (D:\home\site\wwwroot\web.config line 106).
   at System.Web.Compilation.BuildManager.InvokePreStartInitMethodsCore(ICollection`1 methods, Func`1 setHostingEnvironmentCultures)
   at System.Web.Compilation.BuildManager.InvokePreStartInitMethods(ICollection`1 methods)
   at System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded)
   at System.Web.Compilation.BuildManager.ExecutePreAppStart()
   at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException)
[HttpException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
 (D:\home\site\wwwroot\web.config line 106).
   at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
   at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)

We tried disabling WebMatrix in both providers and roleManager, but even ActiveDirectoryMembershipProvider gives the same error.

Any suggestions?


Solution

  • Azure App Service runs in a sandbox, so that's why it's failing. You won't be able to allow access since you don't have access to the host OS. There are a couple of options though.

    1. Deploy your app to an Azure VM and join it to your local domain.
    2. Migrate your local AD authentication for your app over to Azure Active Directory and enable AAD on your app.
    3. Migrate your existing Active Directory over to Azure Active Directory.

    Option 2 will be your best option in my opinion. This doc is an architectural overview of such a hybrid cloud solution. Option 1 will cost a bit more depending on the VM size and option 3 will require extensive planning.
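
For option 2: with App Service Authentication enabled for Azure AD, the platform signs the user in before the request reaches the app and passes the identity in the X-MS-CLIENT-PRINCIPAL request header (base64-encoded JSON), so the app never binds to a domain controller. The C# below is an added example, not part of the original answer; the class names are hypothetical and the payload in Main is constructed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Security.Claims;
using System.Text;

[DataContract] public class EasyAuthClaim   // hypothetical name
{
    [DataMember(Name = "typ")] public string Type { get; set; }
    [DataMember(Name = "val")] public string Value { get; set; }
}

[DataContract] public class EasyAuthPrincipal   // hypothetical name
{
    [DataMember(Name = "auth_typ")] public string AuthType { get; set; }
    [DataMember(Name = "name_typ")] public string NameType { get; set; }
    [DataMember(Name = "role_typ")] public string RoleType { get; set; }
    [DataMember(Name = "claims")] public EasyAuthClaim[] Claims { get; set; }
}

public static class EasyAuth   // hypothetical helper
{
    // Decodes X-MS-CLIENT-PRINCIPAL; returns null (treat as anonymous) when absent or malformed.
    public static ClaimsPrincipal FromHeader(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        try
        {
            using (var ms = new MemoryStream(Convert.FromBase64String(headerValue)))
            {
                var p = (EasyAuthPrincipal)new DataContractJsonSerializer(typeof(EasyAuthPrincipal)).ReadObject(ms);
                if (p == null || p.Claims == null) return null;
                var claims = p.Claims.Where(c => c != null && c.Type != null && c.Value != null)
                                     .Select(c => new Claim(c.Type, c.Value));
                return new ClaimsPrincipal(new ClaimsIdentity(claims, p.AuthType, p.NameType, p.RoleType));
            }
        }
        catch (FormatException) { return null; }          // header is not valid base64
        catch (SerializationException) { return null; }   // payload is not the expected JSON
    }
    public static void Main()
    {
        // Constructed sample payload, not captured from a real request.
        string json = "{\"auth_typ\":\"aad\",\"name_typ\":\"name\",\"role_typ\":\"roles\",\"claims\":[{\"typ\":\"name\",\"val\":\"jdoe@example.com\"},{\"typ\":\"roles\",\"val\":\"Admins\"}]}";
        var user = FromHeader(Convert.ToBase64String(Encoding.UTF8.GetBytes(json)));
        Console.WriteLine("{0} admin={1}", user.Identity.Name, user.IsInRole("Admins"));
    }
}
```

Trust this header only while the app is hosted on App Service with authentication enabled; anywhere else, including a VM as in option 1, any client can supply it.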