Update Active Directory without hardcoding username/password
Currently, users log into a web application with their AD (Active Directory) credentials, which are validated against the AD. Once inside the application, certain users will need to update the AD. When I hardcode a username/password, I am able to update the AD; however, when I try to force the object to use the logon credentials, or if I don't specify the username/password, it throws an error. Obviously, due to security concerns, I do not want to hardcode credentials. Is there a solution for this?
Error - System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
Imports System.DirectoryServices

Public Class AdHelper

    ' Overwrites the first value of the attribute if it is already set, otherwise adds it
    Public Shared Sub SetProperty(ByVal de As DirectoryEntry, ByVal propName As String, ByVal propValue As String)
        If Not propValue Is Nothing Then
            If de.Properties.Contains(propName) Then
                de.Properties(propName)(0) = propValue
            Else
                de.Properties(propName).Add(propValue)
            End If
        End If
    End Sub

    Public Shared Function GetDirectoryEntry(ByVal path As String) As DirectoryEntry
        Dim de As New DirectoryEntry()
        de.Path = path
        de.Username = "<username>"
        de.Password = "<password>"
        'Not setting the username or password or setting both to Nothing throws the error
        de.AuthenticationType = AuthenticationTypes.Secure
        Return de
    End Function

    ' Looks up the user by common name and sets accountExpires on the matching object
    Public Shared Sub SetAccountExpiration(ByVal fullName As String, ByVal toAccountExpirationDate As String)
        Dim de As DirectoryEntry = GetDirectoryEntry("<path>")
        Dim searcher As DirectorySearcher = New DirectorySearcher(de)
        ' fullName is concatenated into the LDAP filter: escape it per RFC 4515 if it comes from user input
        searcher.Filter = "(&(objectCategory=person)(objectClass=user)(cn=" & fullName & "))"
        searcher.SearchScope = SearchScope.Subtree
        Dim result As SearchResult = searcher.FindOne()
        If Not result Is Nothing Then
            ' Bind to the found object with the same credentials used for the search
            Dim deResult As New DirectoryEntry(result.Path, de.Username, de.Password, de.AuthenticationType)
            SetProperty(deResult, "accountExpires", toAccountExpirationDate)
            deResult.CommitChanges()
            deResult.Close()
        End If
        de.Close()
    End Sub

End Class
In order to not have to specify any credentials before doing the operation, either the user IIS is running under needs to have AD editing privileges (which by default it most certainly does not), or you need to set Impersonation and use Windows authentication so that it runs as the user viewing the page.
The second case has an extra difficulty due to impersonation not being able to "double hop"; that is, the web server would also have to be a domain controller, or you'd have to set some extra AD delegation privileges on the server that your domain admins might not want to give you.
The solution for your problem in this case is to change the user account your application is running under to one that already has the permissions you need. The danger in that is that any security hole will give the attacker those same privileges.
Alternately, you can encrypt some credentials and decrypt them to use them, which is slightly better than hard coding. I guess having the users supply credentials manually and then using them the same way you're currently using hard-coded ones would also work.
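As an added example (my code, not the asker's or the answerer's), here is a VB.NET helper that puts the answer's options side by side: binding with whatever identity the request already runs under (the logged-on user only when web.config has <authentication mode="Windows"/> and <identity impersonate="true"/>, the app-pool account otherwise), reading service-account credentials from an appSettings section that was encrypted on disk with aspnet_regiis, and protecting a password with DPAPI so that only the app-pool account on that machine can decrypt it. The class name and the config keys AdServiceUser/AdServicePassword are assumptions; the project needs references to System.DirectoryServices, System.Configuration and System.Security.

```vb
Imports System
Imports System.Configuration
Imports System.Diagnostics
Imports System.DirectoryServices
Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Text

' Added example, not from the question or answer. Config keys and names are assumptions.
Public Class AdConnectionFactory

    Private Const AuthFlags As AuthenticationTypes = AuthenticationTypes.Secure Or AuthenticationTypes.Sealing

    ' Option 1: use the identity the request runs under. With Windows authentication
    ' plus <identity impersonate="true"/> that is the logged-on user; without it,
    ' it is the app-pool account. Passing Nothing for user/password tells ADSI to
    ' use the current security context instead of explicit credentials.
    Public Shared Function BindAsCurrentIdentity(ByVal path As String) As DirectoryEntry
        ' Log who we really are: an impersonated token on a web server that is not a
        ' domain controller cannot hop to the DC unless delegation is configured,
        ' which shows up as the "operations error" from the question.
        Dim who As String = WindowsIdentity.GetCurrent().Name
        Trace.WriteLine("Binding to AD as " & who)
        Return New DirectoryEntry(path, Nothing, Nothing, AuthFlags)
    End Function

    ' Option 2: a dedicated service account whose credentials live in <appSettings>.
    ' After "aspnet_regiis -pe appSettings -app /MyApp" the section is stored
    ' encrypted in web.config; ConfigurationManager decrypts it at runtime, so the
    ' code never contains the password and the file on disk does not expose it.
    Public Shared Function BindWithProtectedConfig(ByVal path As String) As DirectoryEntry
        Dim user As String = ConfigurationManager.AppSettings("AdServiceUser")       ' assumed key
        Dim password As String = ConfigurationManager.AppSettings("AdServicePassword") ' assumed key
        If String.IsNullOrEmpty(user) OrElse String.IsNullOrEmpty(password) Then
            Throw New InvalidOperationException("AD service credentials are not configured.")
        End If
        Return New DirectoryEntry(path, user, password, AuthFlags)
    End Function

    ' Option 3: protect the password with DPAPI under the account that runs the site.
    ' Only a process running as that same account on that same machine can call
    ' Unprotect; assumes the app pool has "Load User Profile" enabled so the
    ' per-user DPAPI master key is available.
    Public Shared Function ProtectPassword(ByVal plain As String) As String
        Dim cipher As Byte() = ProtectedData.Protect(Encoding.UTF8.GetBytes(plain), Nothing, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    Public Shared Function UnprotectPassword(ByVal protectedBase64 As String) As String
        Dim plain As Byte() = ProtectedData.Unprotect(Convert.FromBase64String(protectedBase64), Nothing, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(plain)
    End Function

    ' Option 4 from the answer: credentials the user typed into a form for this one
    ' operation, used immediately and never stored.
    Public Shared Function BindWithSuppliedCredentials(ByVal path As String, ByVal user As String, ByVal password As String) As DirectoryEntry
        Return New DirectoryEntry(path, user, password, AuthFlags)
    End Function

End Class
```

Whichever option is used, the trade-off the answer describes still holds: the account that can write to AD is the one an attacker inherits through any hole in the web application, so give it rights on the specific OU or attributes it needs (accountExpires on a set of user objects here) rather than broad directory-edit rights.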