GetComputerSite().Name fails to return name when using ApplicationPoolIdentity


The Problem:

An AD-site-aware web application must obtain information from an AD controller within the same AD site as the web application.

We have this working in a development environment using IIS 7.5 and a production environment using IIS 7.5 BUT ONLY if the Application Pool is using NetworkServices account; when using ApplicationPoolIdentity, the application ceases to function properly as it is unable to obtain information about the AD site in which the web server resides. Specifically:

System.DirectoryServices.ActiveDirectory.ActiveDirectorySite.GetComputerSite().Name

fails when using ApplicationPoolIdentity with an ActiveDirectoryObjectNotFoundException error.

Using the NetworkServices account is not the preferred direction, given the changes in IIS 7.0 and 7.5 that have the Application Pool set up to use ApplicationPoolIdentity; so we're looking for what needs to be done to allow us to use ApplicationPoolIdentity instead of NetworkServices.

Environment:

Web application using IIS 7.5 and ASP.NET, in an AD domain, within a specific AD site.

There are three sites within the domain; let's call them A, B and C. The server hosting the web application is in Site A. We use GetComputerSite().Name to return the site and use that name to limit the list of controllers from which information is requested.

Research:

We verified our web server was in the AD site expected by checking the registry keys mentioned in this stackoverflow article.

More research led us to a technet article describing a similar issue. We used the PowerShell script mentioned there to see what would happen from our web server:

[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

It returned the servers and the list of 8 controllers we expected to find, along with the proper site name, the same as in the registry key.

So this led us to differences in permissions (and that's why it's posted here) between the default application pool accounts, NetworkServices vs ApplicationPoolIdentity. We knew at this point that the web server could see the site and the servers... so why couldn't the web application?

We switched the Application Pool from ApplicationPoolIdentity to NetworkServices and everything started working. We switched it back to ApplicationPoolIdentity and it stopped working. This appears to conflict with the statement made in this article that "application pool identities also use the machine account to access network resources. No changes are required."

Expected Results:

We expected that, with an application pool set to use ApplicationPoolIdentity, GetComputerSite().Name would return the AD site of the web server on which the application was hosted. Instead it threw an error that so far we've not been able to work around. So...

The Question(s):

  • Is there a better method to get a handle to an active/responsive controller within the server's site and gain access to the user department information?

  • What permissions would need to be added to ApplicationPoolIdentity to allow this application access to AD Services?

This question was also posted at: http://stackoverflow.com/questions/26384891/activevdirectory-activedirectorysite-getcomputersite-name-returns-error-act
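As an added example (not code from the original post), here is one way the web application could resolve its site and a responsive controller in it while recording which identity the call ran under, so a failure under ApplicationPoolIdentity is visible in the application log rather than a bare exception. SiteDcLocator and the log delegate are hypothetical names; the Netlogon DynamicSiteName value is assumed to be the registry key the post's research checked by hand.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;
using Microsoft.Win32;

// Added example, not from the original post. Resolves the web server's AD site
// and a responsive domain controller in it, logging the identity the call ran
// under so an ApplicationPoolIdentity failure shows up in the application log.
public static class SiteDcLocator
{
    // Netlogon caches the site it last resolved for this machine under this key;
    // assumed to be the registry value the post's research checked manually.
    private const string NetlogonKey = @"SYSTEM\CurrentControlSet\Services\Netlogon\Parameters";

    public static string ResolveSiteName(Action<string> log)
    {
        // Under ApplicationPoolIdentity this reads like "IIS APPPOOL\<pool name>".
        string who = WindowsIdentity.GetCurrent().Name;
        try
        {
            string site = ActiveDirectorySite.GetComputerSite().Name;
            log($"GetComputerSite() succeeded as {who}: {site}");
            return site;
        }
        catch (ActiveDirectoryObjectNotFoundException ex)
        {
            // The failure described in the post: record the identity instead of swallowing it.
            log($"GetComputerSite() failed as {who}: {ex.Message}; falling back to Netlogon cache");
        }
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(NetlogonKey))
        {
            string cached = key?.GetValue("DynamicSiteName") as string;
            if (string.IsNullOrEmpty(cached))
                throw new InvalidOperationException("Site name unavailable from AD and from the Netlogon cache");
            log($"Using cached site name from Netlogon: {cached}");
            return cached;
        }
    }

    // Asks the DC locator for a controller in the given site; the locator only
    // returns a DC that answered its LDAP ping, so the result is responsive.
    public static DomainController FindDcInSite(string siteName)
    {
        var ctx = new DirectoryContext(DirectoryContextType.Domain);
        return DomainController.FindOne(ctx, siteName);
    }
}
```

Calling ResolveSiteName under both pool identities and comparing the logged identity and outcome narrows the problem to the account's permissions rather than the server's site membership.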