
System.DirectoryServices.AccountManagement.PrincipalContext and Impersonation in a WCF service

I'm working with PrincipalContext in code that lies behind a WCF service. The WCF service is impersonating, to allow 'pass-through' authentication.

While everything else I do with Active Directory (mostly the System.DirectoryServices.Protocols namespace) works fine in this scenario, for some reason the classes in System.DirectoryServices.AccountManagement throw a fit. Sample code that fails:

using System.DirectoryServices.AccountManagement;

// No explicit credentials: the context is expected to use the impersonated caller's token.
PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName);
UserPrincipal user =
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

When I make the call to FindByIdentity, I get a COMException: "An operations error has occurred". Calls to the PrincipalContext also fail, e.g.:

string server = context.ConnectedServer;

Both OperationContext.Current.ServiceSecurityContext and Thread.CurrentPrincipal.Identity show the impersonation is working correctly. And, as I said, other AD tasks in S.DS.P work fine.

If I explicitly set credentials on the PrincipalContext, everything works. For example:

using System.DirectoryServices.AccountManagement;

// Explicit credentials for the directory bind (credUserName/credPassword), kept separate
// from the UserPrincipal variable below so the two names do not collide.
PrincipalContext context =
    new PrincipalContext(ContextType.Domain, domainName, credUserName, credPassword);
UserPrincipal user =
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

Now everything works. But I won't know the username and password from the caller; I must rely on the impersonation.

Any ideas on what would cause the issue I'm seeing?

Thanks in advance! James


Make sure an SPN is set for the app pool, delegation is set in AD, and that the app pool account has the "Act as part of the operating system" privilege.

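The three items in the answer above are the usual Kerberos "double hop" checklist: a PrincipalContext created without credentials binds to a domain controller using the thread's impersonation token, which is a second hop from the web server. That hop only succeeds when the client authenticated with Kerberos (which needs an HTTP SPN on the app pool account), the app pool account is trusted for delegation to the DC's LDAP service, and the account holds SeTcbPrivilege so IIS can build a delegation-level token. The script below is an added example, not code from the question or the answer, that audits those three settings for a given app pool identity. The account name, web host, domain and temp path are assumptions; it needs the ActiveDirectory RSAT module and local administrator rights on the web server for the secedit step.

```powershell
# Added example (not from the original question or answer): audit the three settings
# the answer lists for the IIS app pool identity hosting the WCF service.
Import-Module ActiveDirectory

$appPoolAccount = 'svc-wcf'              # sAMAccountName of the app pool identity (assumed)
$webHost        = 'web01.corp.example'   # FQDN clients use to reach the service (assumed)
$domain         = 'corp.example'         # AD DNS domain (assumed)

$props = 'servicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$acct  = Get-ADUser -Identity $appPoolAccount -Properties $props

# 1. SPN: without HTTP/<host> registered on the app pool account, clients negotiate NTLM,
#    and an NTLM impersonation token cannot be forwarded to the domain controller.
$needed  = @("HTTP/$webHost", "HTTP/$($webHost.Split('.')[0])")
$missing = $needed | Where-Object { $acct.servicePrincipalName -notcontains $_ }
if ($missing) {
    Write-Warning "Missing SPN(s): $($missing -join ', ')"
    Write-Host    "Fix: setspn -S HTTP/$webHost $domain\$appPoolAccount"
} else {
    Write-Host "SPNs OK: $($acct.servicePrincipalName -join ', ')"
}

# 2. Delegation: either unconstrained (TrustedForDelegation) or constrained to the
#    ldap service on the DCs (msDS-AllowedToDelegateTo). Constrained is the safer choice:
#    the account can then only forward caller tickets to the listed services.
$ldapTargets = @($acct.'msDS-AllowedToDelegateTo') | Where-Object { $_ -like 'ldap/*' }
if ($acct.TrustedForDelegation) {
    Write-Warning "Unconstrained delegation is enabled; prefer constrained delegation to ldap/<dc> only."
} elseif ($ldapTargets) {
    Write-Host "Constrained delegation OK: $($ldapTargets -join ', ')"
    if ($acct.TrustedToAuthForDelegation) { Write-Host "Protocol transition (any auth protocol) is enabled." }
} else {
    Write-Warning "No delegation configured; the impersonated token stops at this server."
    Write-Host    "Fix: ADUC > account > Delegation tab > trust for delegation to the ldap service on each DC."
}

# 3. 'Act as part of the operating system' (SeTcbPrivilege) on the web server.
#    secedit lists the holders as SIDs, so compare against the account's SID.
$inf = Join-Path $env:TEMP 'secpol.inf'   # temp export path (assumed)
secedit /export /cfg $inf /quiet | Out-Null
$line = Select-String -Path $inf -Pattern '^SeTcbPrivilege' | Select-Object -First 1
$sid  = $acct.SID.Value
if ($line -and $line.Line -match [regex]::Escape($sid)) {
    Write-Host "SeTcbPrivilege granted to $appPoolAccount"
} else {
    Write-Warning "SeTcbPrivilege not granted to $appPoolAccount (current: $($line.Line))"
    Write-Host    "Fix: Local Security Policy > User Rights Assignment > Act as part of the operating system."
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it on the web server as an administrator. A quick confirmation from the service side, once the settings are in place, is to log ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel inside the operation: it should read Delegation, not Impersonation, before the PrincipalContext call.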