System.DirectoryServices.AccountManagement.PrincipalContext and Impersonation in a WCF service
Working with the PrincipalContext in code that lies behind a WCF service. The WCF service is impersonating, to allow a 'pass-through' type authentication.
While everything else I do with Active Directory (mostly the System.DirectoryServices.Protocols namespace) works fine in this scenario, for some reason the classes in System.DirectoryServices.AccountManagement throw a fit. Sample code that fails:
PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName);
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);
When I make the call to FindByIdentity, I get a COMException: "An operations error has occurred". Calls to the PrincipalContext also fail, e.g.:
string server = context.ConnectedServer;
Both OperationContext.Current.ServiceSecurityContext and Thread.CurrentPrincipal.Identity show the impersonation is working correctly. And, like I say, other AD tasks in S.DS.P work fine.
If I explicitly set credentials on the PrincipalContext, everything works. For example:
PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName, user, password);
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);
Now everything works. But I won't know the username and password from the caller; I must rely on the impersonation.
Any ideas on what would cause the issue I'm seeing?
Thanks in advance! James
Make sure an SPN is set for the app pool, delegation is set in AD, and that the app pool account has the "Act as part of the operating system" privilege.
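The three prerequisites in the answer above are easy to get subtly wrong (a duplicate SPN, unconstrained instead of constrained delegation, the privilege granted on the wrong machine). The following PowerShell script is an added example, not part of the original post or answer, that checks each one. The account name CONTOSO\svc-wcf, the host web01.contoso.local and the domain controller dc01.contoso.local are assumptions; substitute your own. It needs the ActiveDirectory RSAT module and must run as a local administrator on the web server so that secedit can export the local policy.

```powershell
# Added example (not from the original post). All names below are assumed.
$AppPoolAccount = 'svc-wcf'                 # sAMAccountName of the app pool identity
$Domain         = 'CONTOSO'
$WebHost        = 'web01.contoso.local'     # host the WCF service is published on
$DcLdapSpn      = 'ldap/dc01.contoso.local' # second-hop target S.DS.AM will talk to
$ExpectedSpns   = @("HTTP/$WebHost", "HTTP/$($WebHost.Split('.')[0])")

$acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# 1. SPNs: Kerberos (and therefore delegation) is only possible if HTTP/<host>
#    is registered on the app pool account, and on no other object. A duplicate
#    SPN makes the client silently fall back to NTLM, which cannot be delegated.
foreach ($spn in $ExpectedSpns) {
    if ($acct.servicePrincipalName -contains $spn) {
        Write-Host "OK      SPN $spn is registered on $AppPoolAccount"
    } else {
        Write-Warning "MISSING SPN $spn. Register it with: setspn -S $spn $Domain\$AppPoolAccount"
    }
    $dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    if ($dupes) {
        Write-Warning "DUPLICATE SPN $spn also on: $($dupes.DistinguishedName -join '; ')"
    }
}

# 2. Delegation: the web server must be allowed to forward the caller's identity
#    to the domain controller. Constrained delegation to the DC's LDAP SPN is the
#    least-privilege form; unconstrained delegation lets the server impersonate
#    the caller to any service and should be avoided.
$allowed = $acct.'msDS-AllowedToDelegateTo'
if ($acct.TrustedForDelegation) {
    Write-Warning "Account uses UNCONSTRAINED delegation; switch to constrained delegation to $DcLdapSpn"
} elseif ($allowed -contains $DcLdapSpn) {
    Write-Host "OK      constrained delegation to $DcLdapSpn (all targets: $($allowed -join ', '))"
    if (-not $acct.TrustedToAuthForDelegation) {
        Write-Host "NOTE    'Use Kerberos only' is set; clients must reach the service with Kerberos, not NTLM"
    }
} else {
    Write-Warning "No delegation to $DcLdapSpn. In ADUC the Delegation tab only appears once the SPN above exists."
}

# 3. Privilege: "Act as part of the operating system" is SeTcbPrivilege in the
#    LOCAL security policy of the web server, not an AD attribute. Export the
#    policy and check whether the account's SID is listed for that right.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | Select-Object -First 1
if ($line -and $line.Line -match [regex]::Escape($acct.SID.Value)) {
    Write-Host "OK      $AppPoolAccount holds SeTcbPrivilege on $env:COMPUTERNAME"
} else {
    Write-Warning "SeTcbPrivilege not granted directly to $AppPoolAccount on $env:COMPUTERNAME (line: '$($line.Line)')"
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Two caveats: the privilege check only matches a direct grant, so a right assigned through group membership shows up as a warning and must be verified by hand, and the delegation target must be the LDAP SPN of a domain controller the service actually binds to, which is why the answer's first step (the SPN) has to be done before the second (the Delegation tab is not shown for an account without an SPN).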