Already made these things....
Problem solved...

It was a replication issue in the AD which prevented me from making changes
there. ;-)

Thank you all anyway.


Cheers,
Dimitrios

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Ernst Kuschke
Sent: Thursday, November 30, 2006 12:52 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] AW: [ADVANCED-DOTNET] System.DirectoryServices - same code -- different behaviour

Attach to the ASPNET app and break on this code to see which user you're
running as.

--
Ernst Kuschke
MVP - C# (South Africa)
http://www.ernstkuschke.com

On 11/29/06, Dimitrios Toulakis <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> but I am setting the user explicitly in ImpersonateUser(..).
> And this user has full access to the AD.
>
> Otherwise I would not do that step.....
>
> Here is what the Impersonate class looks like:
>
>
> using System;
> using System.Web;
> using System.Security.Principal;
> using System.Security.Permissions;
> using System.Runtime.InteropServices;
> using System.ComponentModel;
> using System.Threading;
>
> namespace EnterpriseUtilities
> {
>         /// <summary>
>         /// used for connecting to other Logon Providers
>         /// </summary>
>         public enum LogonProvider
>         {
>                 LOGON32_PROVIDER_DEFAULT                = 0,
>                 LOGON32_PROVIDER_WINNT40                = 2,
>                 LOGON32_PROVIDER_WINNT50                = 3
>         }
>
>         /// <summary>
>         /// Used to change the level of impersonation on remote systems
>         /// </summary>
>         public enum ImpersonationLevel
>         {
>                 SecurityAnonymous = 0,
>                 SecurityIdentification,
>                 SecurityImpersonation,
>                 SecurityDelegation
>         }
>
>         public enum LogonTypes
>         {
>                 //logon types
>                 LOGON32_LOGON_INTERACTIVE               = 2,
>                 LOGON32_LOGON_NETWORK                   = 3,
>                 LOGON32_LOGON_BATCH                     = 4,
>
>                 // Windows2000
>                 LOGON32_LOGON_NETWORK_CLEARPASSWORD     = 8,
>                 LOGON32_LOGON_NEW_CREDENTIALS           = 9
>         }
>
>         /// <summary>
>         /// Impersonate a specific user in the domain.
>         /// Note that the user account on the calling process must have
>         /// the SE_TCB_NAME privilege when running on W2k.
>         /// This can be given using Local Policy MMC and adding the account to
>         /// "Act as Part of the Operating System".  For ASP.NET applications the calling
>         /// user context is usually the ASPNET user.
>         /// </summary>
>         public class Impersonate
>         {
>                 #region Dll Imports
>                 [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
>                 public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
>                         int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
>
>                 [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
>                 public extern static bool DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);
>
>                 [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
>                 public static extern bool CloseHandle(IntPtr handle);
>
>                 [DllImport("advapi32.dll", SetLastError=true)]
>                 public static extern int ImpersonateLoggedOnUser(IntPtr hToken);
>
>                 [DllImport("advapi32.dll", SetLastError=true)]
>                 static extern int RevertToSelf();
>                 #endregion
>
>                 #region MEMBER VARIABLES
>                 private IntPtr token = IntPtr.Zero;
>                 private IntPtr dupToken = IntPtr.Zero;
>                 private LogonProvider _logonProvider;
>                 private ImpersonationLevel _impersonationLevel;
>                 private string _originalUser = Thread.CurrentPrincipal.Identity.Name;
>                 private LogonTypes _logonType;
>                 private bool impersonated = false;
>                 #endregion
>
>                 #region CONSTRUCTORS
>                 public Impersonate(LogonProvider logonProvider, ImpersonationLevel level, LogonTypes logonType)
>                 {
>                         this._logonProvider = logonProvider;
>                         this._impersonationLevel = level;
>                         this._logonType = logonType;
>                 }
>
>                 public Impersonate(LogonProvider logonProvider, ImpersonationLevel level)
>                         : this(logonProvider, level, LogonTypes.LOGON32_LOGON_NETWORK) {}
>
>                 public Impersonate(LogonProvider logonProvider)
>                         : this(logonProvider, ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}
>
>                 public Impersonate()
>                         : this(LogonProvider.LOGON32_PROVIDER_DEFAULT, ImpersonationLevel.SecurityImpersonation, LogonTypes.LOGON32_LOGON_NETWORK) {}
>
>                 #endregion
>
>                 #region PUBLIC PROPERTIES
>
>                 public ImpersonationLevel Level
>                 {
>                         get { return this._impersonationLevel; }
>                         set { this._impersonationLevel = value; }
>                 }
>
>                 public LogonTypes LogonType
>                 {
>                         get { return this._logonType; }
>                         set { this._logonType = value; }
>                 }
>
>                 public string CurrentIdentity
>                 {
>                         get
>                         {
>                                 return Thread.CurrentPrincipal.Identity.Name;
>                         }
>                 }
>
>                 /// <summary>
>                 /// Property returns whether or not an impersonation is occurring
>                 /// </summary>
>                 public bool Impersonating
>                 {
>                         get
>                         {
>                                 return this.CurrentIdentity != this._originalUser;
>                         }
>                 }
>
>                 #endregion
>
>                 #region PUBLIC METHODS
>                 /// <summary>
>                 /// Impersonates a specific user in the domain.  This changes the process
>                 /// identity to the impersonated user's security context.
>                 /// </summary>
>                 /// <param name="domain">Domain name</param>
>                 /// <param name="username">Login ID</param>
>                 /// <param name="password">Password</param>
>                 public void ImpersonateUser(string domain, string username, string password)
>                 {
>                         ImpersonateUser(domain, username, password, false);
>                 }
>                 /// <summary>
>                 /// Impersonates a specific user in the domain.  This changes the process
>                 /// identity to the impersonated user's security context.
>                 /// </summary>
>                 /// <param name="domain">Domain name</param>
>                 /// <param name="username">Login ID</param>
>                 /// <param name="password">Password</param>
>                 /// <param name="justLogon">Only log on; do not impersonate.</param>
>                 public void ImpersonateUser(string domain, string username, string password, bool justLogon)
>                 {
>                         if (Impersonating) throw new System.Security.SecurityException("You are already impersonating " + CurrentIdentity);
>
>                         impersonated = LogonUser(username,
>                                 domain,
>                                 password,
>                                 (int)_logonType,
>                                 (int)_logonProvider,
>                                 ref token);
>
>                         //check the error
>                         if(!impersonated) throw new Win32Exception(Marshal.GetLastWin32Error());
>
>                         //ImpersonateLoggedOnUser returns zero on failure; check it as well
>                         if (!justLogon && ImpersonateLoggedOnUser(token) == 0)
>                                 throw new Win32Exception(Marshal.GetLastWin32Error());
>                 }
>
>                 /// <summary>
>                 /// Reverts back to the original process identity.
>                 /// </summary>
>                 public void UndoImpersonation()
>                 {
>                         if (impersonated) RevertToSelf();
>                         if (token != IntPtr.Zero) CloseHandle(token);
>                         if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
>                         //reset so the handles are never closed twice
>                         token = dupToken = IntPtr.Zero;
>                         impersonated = false;
>                 }
>                 #endregion
>         }
> }
>
>
> At the end of the Impersonate(...) method I would expect to have the privileged user.
>
>
> Dimitrios
>
>
> >Dimitrios:
> >
> >>                               im.ImpersonateUser(User.DOMAIN, AD_ACCOUNT, AD_ACCOUNT_PASSWORD, true);
> >
> >In ASP.Net, it will be the IIS user, which perhaps has no privilege
> >to the AD.
> >
> >HTH
> >
> >- Adwait
> >
> >--
> >Adwait Ullal
> >
> >e: mailto:[EMAIL PROTECTED]
> >w: http://www.adwait.com
> >l: http://www.linkedin.com/in/adwait
> >j: http://finance.groups.yahoo.com/group/AdwaitsDotNetJobs
> >
> >
> >On 11/29/06, Toulakis, Dimitrios (RESC) <
> [EMAIL PROTECTED]>
> >wrote:
> >>
> >> Hi all,
> >>
> >> got a strange behaviour with a piece of code which is creating user
> >> accounts on the Active Directory.
> >>
> >> The code looks like this:
> >>
> >>                public bool CreateUser(string userId, string lookupDomain, ContactEntity contact)
> >>                {
> >>                        string path = string.Format("{0}://{1}", PROVIDER_LDAP, lookupDomain);
> >>
> >>                        //the impersonate class wraps around "advapi32.dll"
> >>                        //to get the impersonation token
> >>                        Impersonate im = new Impersonate();
> >>
> >>                        bool score = true;
> >>
> >>                        Hashtable hash = GetUsers(lookupDomain);
> >>
> >>                        int counter = 0;
> >>                        string originalId = userId;
> >>
> >>                        //append an increasing suffix until the id is unique
> >>                        while(hash.Contains(userId))
> >>                                userId = originalId + (++counter).ToString();
> >>
> >>                        try
> >>                        {
> >>                                DirectoryEntry de = new DirectoryEntry(path, AD_ACCOUNT, AD_ACCOUNT_PASSWORD, AuthenticationTypes.Secure);
> >>
> >>                                im.ImpersonateUser(User.DOMAIN, AD_ACCOUNT, AD_ACCOUNT_PASSWORD, true);
> >>
> >>                                DirectoryEntry user = de.Children.Add("CN=" + userId, "user");
> >>
> >>                                user.Properties["sAMAccountName"].Value = userId;
> >>
> >>                                user.Properties["userAccountControl"].Value = ActiveDs.ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT
> >>                                        | ActiveDs.ADS_USER_FLAG.ADS_UF_PASSWD_NOTREQD
> >>                                        | ActiveDs.ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD;
> >>
> >>                                user.CommitChanges();
> >>                                user.Invoke("SetPassword", new object[] {DEFAULT_AD_PASSWORD});
> >>
> >>                                hash.Add(userId, userId);
> >>
> >>                                UpdateUsers(lookupDomain, hash);
> >>                        }
> >>                        catch(Exception)
> >>                        {
> >>                                //the exception is swallowed here; only the result flag reports the failure
> >>                                score = false;
> >>                        }
> >>                        finally
> >>                        {
> >>                                im.UndoImpersonation();
> >>                        }
> >>
> >>                        return score;
> >>                }
> >>
> >>
> >> Using this piece of code in a Windows Forms application works fine.
> >> But when using it in an ASP.NET application it fails.
> >>
> >> The error message is:
> >>
> >> Logon failure: unknown user name or bad password
> >>
> >> This is strange to me because with the same credentials I am able to get
> >> all the domain user accounts (within the ASP.NET application).
> >>
> >> So, I am currently running out of ideas...
> >>
> >> Any suggestions?
> >>
> >>
> >>
> >>
> >> Met vriendelijke groet / With kind regards,
> >>
> >> Dimitrios Toulakis
> >>
> >> Postbus 1010
> >> 3600 BA Maarssen/Amsterdam
> >> The Netherlands
> >>
> >> Tel : +31(0) 346 583300
> >> Fax: +31(0) 346 583399
> >> URL: http://www.resourcesconnection.nl
> >> E-mail disclaimer: http://www.resourcesconnection.nl/e-maildisclaimer
> >>
> >> ===================================
> >> This list is hosted by DevelopMentor(r)  http://www.develop.com
> >>
> >> View archives and manage your subscription(s) at 
> >> http://discuss.develop.com
> >>
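A hardened version of the impersonation wrapper discussed in the thread, added here as an example and not Dimitrios' code: it checks every Win32 result (so a failed LogonUser surfaces as a Win32Exception instead of a silent no-op), duplicates the logon token before impersonating, always reverts in Dispose(), and offers a Describe() helper for what Ernst suggests, confirming under the debugger or in a log which Windows account the ASP.NET request actually runs as. The class and method names are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Disposable impersonation scope (assumed name): every Win32 call is checked and Dispose() always reverts.
public sealed class ImpersonationScope : IDisposable
{
    const int LOGON32_LOGON_NETWORK = 3;     // same values as the enums in the thread
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SecurityImpersonation = 2;

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr newToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    IntPtr _token = IntPtr.Zero, _dupToken = IntPtr.Zero;
    WindowsImpersonationContext _context;

    public ImpersonationScope(string domain, string user, string password)
    {
        try
        {
            // Win32 error 1326 surfaces here as "Logon failure: unknown user name or bad password".
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out _token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // A primary token must be duplicated to an impersonation token before use.
            if (!DuplicateToken(_token, SecurityImpersonation, out _dupToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            _context = WindowsIdentity.Impersonate(_dupToken);
        }
        catch { Dispose(); throw; }   // never leak a token when the constructor fails
    }

    // Log this before and inside the scope: the Windows identity is what the AD calls run
    // as; Thread.CurrentPrincipal may be an unrelated ASP.NET principal (or null).
    public static string Describe()
    {
        IPrincipal p = System.Threading.Thread.CurrentPrincipal;
        return string.Format("windows={0} principal={1}", WindowsIdentity.GetCurrent().Name, p == null ? "<null>" : p.Identity.Name);
    }

    public void Dispose()
    {
        if (_context != null) { _context.Undo(); _context = null; }
        if (_dupToken != IntPtr.Zero) { CloseHandle(_dupToken); _dupToken = IntPtr.Zero; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}
```

Usage: `using (new ImpersonationScope(domain, account, password)) { /* DirectoryEntry work here */ }`; the AD calls inside the block run as the logged-on account and the thread reverts when the block exits, even on an exception.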