是否有可能通过模拟在ASP.NET中的Windows身份验证的用户从Active Directory检索数据？ [英] Is it possible to retrieve data from Active Directory by impersonating a Windows authenticated user in ASP.NET?

问题描述

我一直想了一整天来解决这个问题，而且我读过的标准谷歌留言板答案中的一些相互矛盾的信息。

I've been trying to solve this problem all day, and I've read some conflicting information within the standard google message board answers.

我试图做的是检索域用户（即当前登录的用户）从Active Directory中的电子邮件地址。我的ASP.NET 4网站是设置为Windows身份验证和一切工作正常，直到活动目录的要求。

What I'm trying to do is retrieve a domain user's (that is, the currently logged in user's) email address from active directory. My ASP.NET 4 website is setup for Windows Authentication and everything works fine until the active directory calls.

当我这样做时，我得到了search.findAll（）线收到COMException。异常消息是一个操作出错（非常有帮助的消息吧？） （精简$ C $下的可读性）

When I do the following, I get a COMException on the search.findAll() line. The exception message is "An operations error occured" (Very helpful message eh?) (Stripped down code for readability)

WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext wic = null;

wic = winId.Impersonate();
using (DirectoryEntry root = new DirectoryEntry(rootQuery))
{
      String userQuery = GetUserQuery();
      DirectorySearcher searcher = new DirectorySearcher(root);
      searcher.SearchScope = SearchScope.Subtree;
      searcher.Filter = userQuery;

      SearchResultCollection results = searcher.FindAll();
      return (results[0].Properties["proxyaddresses"][0]).ToString();
}

所以基本上我想冒充登录的用户可拨打电话。 注意按预期如果我通过我的凭据直接的DirectoryEntry构造这个code ++工程。另外，我收到了同样的错误，如果我摆脱模仿code和设置应用广泛的模拟在Web配置。

So basically I want to impersonate the logged in user to make the call. Note this code works as expected if I pass in my credentials directly to the DirectoryEntry constructor. Also, I receive the same error if I get rid of the impersonation code and set application wide impersonation in the web config.

所以，我想我的问题，在我浪费更多的时间在这，这甚至可能吗？还是你的有无的指定用户名和密码才能访问AD？

So I guess my question, before I waste any more time on this, is this even possible? Or do you have to specify a username and password to access AD?

顺便说一句我开发中我跑IIS5，但可能会部署到IIS6。

BTW on my dev box I'm running IIS5, but will probably deploy to IIS6.

编辑：

的要求：

rootQuery = @"LDAP://{0}.com/DC={0}, DC=com";
userQuery = @"(&(samAccountName={0})(objectCategory=person)(objectClass=user))";

通过指定正确的域和用户。

with the proper domain and user specified.

推荐答案

您正在尝试模拟用户访问外部资源（外部，这意味着不能在同一台服务器上）。你可以这样做，但你需要安装代表团在Active Directory中，这样的IIS服务器（或者现在你的WindowsXP盒）被委派信任。检查出一些资源上手，如果这是你想要去的方向。

You are trying to impersonate a user to access an external resource (external meaning not on the same server). You CAN do this, but you will need to setup delegation in active directory so that the IIS server (or your WindowsXP box for now) is trusted for delegation. Check out some of these resources to get started if this is the direction you want to go.

• http://support.microsoft.com/kb/810572
• <一个href="http://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegation">http://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegation

• http://support.microsoft.com/kb/810572
• http://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegation

另外，避免设置和配置代表团妥善我只需要在活动目录服务帐户，并用它来代替hastle。您可以使用的凭据在code，像你说的前面的工作，或使用模拟元素在web.config中模仿此服务帐户：＆LT;身份冒充=真的userName = 域\ ServiceAccount密码=密码/＆GT;

Alternatively, to avoid the hastle of setting up and configuring delegation properly I just create a service account in active directory and use it instead. You can either use the credentials in your code, like you said worked earlier, or use the Impersonation element in web.config to impersonate this service account: <identity impersonate="true" userName="DOMAIN\ServiceAccount" password="password"/>.

这篇关于是否有可能通过模拟在ASP.NET中的Windows身份验证的用户从Active Directory检索数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！