Hi,
but I am setting explicit the user in ImpersonateUser(..).
And this user has full access to the AD.
Otherwise I would not do that step.....
Here is how the Impersonate class looks like:
using System;
using System.Web;
using System.Security.Principal;
using System.Security.Permissions;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Threading;
namespace EnterpriseUtilities
{
/// <summary>
/// used for connecting to other Logon Providers
/// </summary>
public enum LogonProvider
{
LOGON32_PROVIDER_DEFAULT = 0,
LOGON32_PROVIDER_WINNT40 = 2,
LOGON32_PROVIDER_WINNT50 = 3
}
/// <summary>
/// Used to change the level of impersonation on remote systems
/// </summary>
public enum ImpersonationLevel
{
SecurityAnonymous = 0,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
public enum LogonTypes
{
//logon types
LOGON32_LOGON_INTERACTIVE = 2,
LOGON32_LOGON_NETWORK = 3,
LOGON32_LOGON_BATCH = 4,
// Windows2000
LOGON32_LOGON_NETWORK_CLEARPASSWORD = 8,
LOGON32_LOGON_NEW_CREDENTIALS = 9
}
/// <summary>
/// Impersonate a specific user in the domain.
/// Note that the user account on the calling process must have
/// the SE_TCB_NAME priviledge when running on W2k.
/// This can be given using Local Policy MMC and adding account to
/// "Act as Part of the Operationg System". For ASP.NET applications
the calling
/// user context is usually ASPNET user.
/// </summary>
public class Impersonate
{
#region Dll Imports
[DllImport("advapi32.dll", CharSet=CharSet.Auto,
SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr
phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto,
SetLastError=true)]
public extern static bool DuplicateToken(IntPtr hToken, int
impersonationLevel, ref IntPtr hNewToken);
[DllImport("kernel32.dll", CharSet=CharSet.Auto,
SetLastError=true)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int ImpersonateLoggedOnUser(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError=true)]
static extern int RevertToSelf();
#endregion
#region MEMBER VARIABLES
private IntPtr token = IntPtr.Zero;
private IntPtr dupToken = IntPtr.Zero;
private LogonProvider _logonProvider;
private ImpersonationLevel _impersonationLevel;
private string _originalUser =
Thread.CurrentPrincipal.Identity.Name;
private LogonTypes _logonType;
private bool impersonated = false;
#endregion
#region CONTRUCTORS
public Impersonate(LogonProvider logonProvider,
ImpersonationLevel level, LogonTypes logonType)
{
this._logonProvider = logonProvider;
this._impersonationLevel = level;
this._logonType = logonType;
}
public Impersonate(LogonProvider logonProvider,
ImpersonationLevel level) : this (logonProvider, level,
LogonTypes.LOGON32_LOGON_NETWORK) {}
public Impersonate(LogonProvider logonProvider) : this
(logonProvider, ImpersonationLevel.SecurityImpersonation,
LogonTypes.LOGON32_LOGON_NETWORK) {}
public Impersonate() :
this(LogonProvider.LOGON32_PROVIDER_DEFAULT,
ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}
#endregion
#region PUBLIC PROPERTIES
public ImpersonationLevel Level
{
get { return this._impersonationLevel; }
set { this._impersonationLevel = value; }
}
public LogonTypes LogonType
{
get { return this._logonType; }
set { this._logonType = value; }
}
public string CurrentIdentity
{
get
{
return Thread.CurrentPrincipal.Identity.Name;
}
}
/// <summary>
/// Property returns whether or not an impersonation is
occurring
/// </summary>
public bool Impersonating
{
get
{
return this.CurrentIdentity !=
this._originalUser;
}
}
#endregion
#region PUBLIC METHODS
/// <summary>
/// Impersonates a specific user in the domain. This changes
the process
/// identity to the impersonated user's security context.
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="username">Login ID</param>
/// <param name="password">Password</param>
public void ImpersonateUser(string domain, string username,
string password)
{
ImpersonateUser(domain, username, password, false);
}
/// <summary>
/// Impersonates a specific user in the domain. This changes
the process
/// identity to the impersonated user's security context.
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="username">Login ID</param>
/// <param name="password">Password</param>
/// <param name="justLogon">Do not process
impersonisation.</param>
public void ImpersonateUser(string domain, string username,
string password, bool justLogon)
{
if (Impersonating) throw new
System.Security.SecurityException("You are already impersonating " +
CurrentIdentity);
impersonated = LogonUser(username,
domain,
password,
(int)_logonType,
(int)_logonProvider,
ref token);
//check the error
if(!impersonated) throw new
Win32Exception(Marshal.GetLastWin32Error());
if (!justLogon) ImpersonateLoggedOnUser(token);
}
/// <summary>
/// Reverts back to the original process identity.
/// </summary>
public void UndoImpersonation()
{
if (impersonated) RevertToSelf();
if (token != IntPtr.Zero) CloseHandle(token);
if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
}
#endregion
}
}
At the end of the Impersonate(...) method I would expect to have the privileged
user.
Dimitrios
>Dimitrios:
>
>> im.ImpersonateUser(User.DOMAIN, AD_ACCOUNT,
>AD_ACCOUNT_PASSWORD, true);
>
>In ASP.Net, it will be the IIS user, which perhaps has no privilege to the
>AD.
>
>HTH
>
>- Adwait
>
>--
>Adwait Ullal
>
>e: mailto:[EMAIL PROTECTED]
>w: http://www.adwait.com
>l: http://www.linkedin.com/in/adwait
>j: http://finance.groups.yahoo.com/group/AdwaitsDotNetJobs
>
>
>On 11/29/06, Toulakis, Dimitrios (RESC) <[EMAIL PROTECTED]>
>wrote:
>>
>> Hi all,
>>
>> got a strange behaviour with a piece of code which is creating user
>> accounts on the active directory.
>>
>> The code looks like this:
>>
>> public bool CreateUser(string userId, string
>> lookupDomain, ContactEntity contact)
>> {
>> string path = string.Format( "{0}://{1}",
>> PROVIDER_LDAP, lookupDomain);
>>
>> //the impersonate class wraps around the
>> "advapi32.dll"
>> //to get the impersonisation token
>> Impersonate im = new Impersonate();
>>
>> bool score = true;
>>
>> Hashtable hash = GetUsers(lookupDomain);
>>
>> int counter = 0;
>> string originalId = userId;
>>
>> while(hash.Contains(userId))
>> userId = originalId +
>> counter.ToString();
>>
>>
>> try
>> {
>> DirectoryEntry de = new
>> DirectoryEntry(path, AD_ACCOUNT, AD_ACCOUNT_PASSWORD,
>> AuthenticationTypes.Secure);
>>
>> im.ImpersonateUser(User.DOMAIN,
>> AD_ACCOUNT, AD_ACCOUNT_PASSWORD, true);
>>
>> DirectoryEntry user =
>> de.Children.Add("CN=" + userId, "user");
>>
>> user.Properties["sAMAccountName"].Value
>> = userId;
>>
>> user.Properties["userAccountControl"].Value =
>> ActiveDs.ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT
>> |
>> ActiveDs.ADS_USER_FLAG.ADS_UF_PASSWD_NOTREQD
>> |
>> ActiveDs.ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD;
>>
>> user.CommitChanges();
>> user.Invoke("SetPassword", new object[]
>> {DEFAULT_AD_PASSWORD});
>>
>> hash.Add(userId, userId);
>>
>> UpdateUsers(lookupDomain, hash);
>> }
>> catch(Exception ex)
>> {
>> ex.GetHashCode();
>> score = false;
>> }
>> finally
>> {
>> im.UndoImpersonation();
>> }
>>
>> return score;
>>
>> }
>>
>>
>> Using this piece of code in an Windows Forms application works fine.
>> But when using it in an ASP.NET application it fails.
>>
>> The error message is:
>>
>> Logon failure: unknown user name or bad password
>>
>> This is strange to me because with the same credentials I am able to get
>> all the domain user accounts (within the ASP.NET application).
>>
>> So, I am currently running out of ideas...
>>
>> Any suggestions?
>>
>>
>>
>>
>> Met vriendelijke groet / With kind regards,
>>
>> Dimitrios Toulakis
>>
>> Postbus 1010
>> 3600 BA Maarssen/Amsterdam
>> The Netherlands
>>
>> Tel : +31(0) 346 583300
>> Fax: +31(0) 346 583399
>> URL: http://www.resourcesconnection.nl
>> <http://www.resourcesconnection.nl/>
>> E-mail disclaimer: http://www.resourcesconnection.nl/e-maildisclaimer
>> <http://www.resourcesconnection.nl/e-maildisclaimer>
>>
>> ===================================
>> This list is hosted by DevelopMentor(r) http://www.develop.com
>>
>> View archives and manage your subscription(s) at
>> http://discuss.develop.com
>>
>
>===================================
>This list is hosted by DevelopMentor® http://www.develop.com
>
>View archives and manage your subscription(s) at http://discuss.develop.com
===================================
This list is hosted by DevelopMentor� http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
