Impersonation to Update user AD info in an ASP.NET Forms Authenticated Site
We have a Forms Authenticated intranet which querys AD for the login and stores a copy of the windows identity in the session in order to impersonate the user later when updating their AD entry. We can't use windows auth for impersonation (long story).
So the login code is:
[DllImport("advapi32.dll")]
public static extern bool LogonUser(String
lpszUsername, String lpszDomain,
String lpszPassword, int dwLogonType, int
dwLogonProvider, out int phToken);
public bool LoginWindowsUser(String domain, String username, String pwd, HttpSessionStateBase session)
{
int ret = 0;
int l_token1;
bool loggedOn = LogonUser(username,
domain, pwd,
// Logon type=LOGON32_LOGON_NETWORK_CLEARTEXT.
3,
// Logon provider=LOGON32_PROVIDER_DEFAULT.
0,
// User token for specified user is returned
//here.
out l_token1);
if (loggedOn)
{
IntPtr token2 = new IntPtr(l_token1);
var l_Wid = new WindowsIdentity(token2);
session["WindowsIdentity"] = l_Wid;
}
return loggedOn;
}
And then later when we need to update the user's AD info we do this:
public void UpdateUserProperty(string username, string propertyName, string propertyValue)
{
// Obtain the authenticated user's identity.
var winId = (WindowsIdentity) ControllerContext.HttpContext.Session["WindowsIdentity"];
// Start impersonating.
using (WindowsImpersonationContext ctx = winId.Impersonate())
{
try
{
var ds = new DirectorySearcher();
int ind = username.IndexOf("\\") + 1;
username = username.Substring(ind, username.Length - ind);
var filter = "(&(objectCategory=Person)(objectClass=user)";
if (!username.IsNullOrEmpty())
{
filter += "(samaccountname=*{0}*)".F(username);
}
开发者_运维知识库 filter += ")";
ds.Filter = filter;
foreach (var property in ADUserDetailsDisplay.LoadProperties())
{
ds.PropertiesToLoad.Add(property);
}
///////////// ERROR OCCURS AFTER NEXT LINE /////////////
var searchResult = ds.FindOne();
var userDirectoryEntry = searchResult.GetDirectoryEntry();
if (propertyValue.IsNullOrEmpty())
{
if (userDirectoryEntry.Properties[propertyName].Count > 0) userDirectoryEntry.Properties[propertyName].RemoveAt(0);
}
else if (userDirectoryEntry.Properties[propertyName].Count == 0)
{
userDirectoryEntry.Properties[propertyName].Add(propertyValue);
}
else
{
userDirectoryEntry.Properties[propertyName][0] = propertyValue;
}
userDirectoryEntry.CommitChanges();
}
catch (Exception ex)
{
TempData.AddErrorMessage("Unable to update user: " + ex.Message);
}
finally
{
// Revert impersonation.
if (ctx != null)
ctx.Undo();
}
}
// Back to running under the default ASP.NET process identity.
}
The problem is that we are getting the following error:
Unable to update user: An operations error occurred.
If anyone can guide me to a solution I would be very grateful.
Using IIS 7.5 Win2008 R2 ASP.NET MVC2
Thanks.
Where is your context/searchroot that tells it who you are trying to connect to/where you are trying to search?
Ex.
// Bind to the users container.
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=users,DC=fabrikam,DC=com");
// Create a DirectorySearcher object.
DirectorySearcher mySearcher = new DirectorySearcher(entry);
If you don't have this then according to MSDN the default value for SearchRoot is null... MSDN Link: http://msdn.microsoft.com/en-us/library/h9zyssd8.aspx
Our own @dunnry has addressed the steps to get System.DirectoryServices running with impersonation under ASP.NET:
Ryann Dunn can help you here.
Dealing with AD sometimes is a PIA.
Anyway, make sure that the account set in the Application Pool running your application has administrative rights on the active directory to perform changes in an user account.
精彩评论