Michael

Reputation: 1022

asp.net impersonation to alter active directory objects

So here's the scenario I'm trying to find a solution for.

My company currently has a records system for its staff, but it is not linked to Active Directory. We have duplicate, and often inaccurate, data because of this. What I'm trying to do is allow the records system to update values in Active Directory; however, I want to scope what can be changed and by whom. So:

  1. When we have a new hire, IT will enter the initial record, which would also create the AD user.
  2. HR comes along and updates title/description/phone/address etc., but they shouldn't be able to create or delete a record from the system. (They'll have to file a ticket, or something.)

I've been trying to read about the Kerberos double-hop problem, and it seems I need the ability to delegate; however, my own IT powers aren't high enough. I could escalate and try to get sign-off from the higher-level IT folks to grant delegation to an account, but I'm saving that as a last resort.

I would like to accomplish things using impersonation, but I'm having a hard time finding a clear answer on how to implement impersonation.

I have enabled impersonation in web.config and in IIS. I have set the app pool identity to Network Service. After that, I'm lost on what to do next or how to test the settings.

Edit 1: I'm also following this pattern for impersonation:

using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

// The authenticated caller; Windows authentication must be on, otherwise
// this cast fails because the identity is not a WindowsIdentity
var iid = HttpContext.Current.User.Identity;
WindowsIdentity wi = (WindowsIdentity)iid;
// Switch this thread to the caller's token until Undo() is called
WindowsImpersonationContext wic = wi.Impersonate();
try
{
    // do something with a directory entry here
}
finally
{
    // Always revert, even when the AD call throws. Do not wrap this in an
    // empty catch: the access-denied exception is exactly the signal that
    // impersonation or delegation is not set up correctly.
    wic.Undo();
}

Upvotes: 1

Views: 922
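The pattern above leaves two things open: how to tell whether the token you got can actually reach the domain controller (the double-hop the question mentions), and how to scope which attributes HR may touch before the write is attempted. The following is an added example written for this page, not code from the question or from any product. It assumes Windows authentication with `<identity impersonate="true"/>` in web.config, an app pool running as Network Service, .NET 4.0 or later (for `WindowsIdentity.ImpersonationLevel`), and a placeholder base DN `OU=Staff,DC=example,DC=local`; the attribute allowlist and the class and method names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

// Added example, not code from the question. Assumptions: Windows authentication
// plus <identity impersonate="true"/> in web.config, app pool = Network Service,
// .NET 4.0 or later (for WindowsIdentity.ImpersonationLevel), and the placeholder
// base DN "OU=Staff,DC=example,DC=local".
public static class ScopedAdUpdater
{
    // Attributes HR may edit through this page. Anything else is refused before
    // AD is contacted; creating or deleting accounts is simply not exposed here.
    private static readonly HashSet<string> HrEditable =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "title", "description", "telephoneNumber", "streetAddress" };

    // First thing to check when "it doesn't work": an Impersonation-level token
    // can act as the caller on the web server only; reaching the domain
    // controller (the second hop) needs a Delegation-level token.
    public static TokenImpersonationLevel CallerTokenLevel()
    {
        var wi = HttpContext.Current.User.Identity as WindowsIdentity;
        if (wi == null)
            throw new InvalidOperationException("Windows authentication is not in effect.");
        return wi.ImpersonationLevel;
    }

    public static void UpdateUser(string samAccountName, IDictionary<string, string> changes)
    {
        foreach (string attr in changes.Keys)
            if (!HrEditable.Contains(attr))
                throw new UnauthorizedAccessException("Attribute not editable from this page: " + attr);

        var wi = (WindowsIdentity)HttpContext.Current.User.Identity;
        if (wi.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Caller token is " + wi.ImpersonationLevel + "; delegation is required to reach AD.");

        // Disposing the context calls Undo(), so the thread reverts even on exceptions
        using (WindowsImpersonationContext wic = wi.Impersonate())
        {
            // No explicit credentials: DirectoryEntry binds with the thread's
            // current (impersonated) token, so AD enforces the caller's own rights
            using (var root = new DirectoryEntry("LDAP://OU=Staff,DC=example,DC=local"))
            using (var finder = new DirectorySearcher(root,
                "(&(objectClass=user)(sAMAccountName=" + LdapEscape(samAccountName) + "))"))
            {
                SearchResult hit = finder.FindOne();
                if (hit == null)
                    throw new ArgumentException("No user named " + samAccountName);

                using (DirectoryEntry user = hit.GetDirectoryEntry())
                {
                    foreach (KeyValuePair<string, string> kv in changes)
                        user.Properties[kv.Key].Value = kv.Value;
                    user.CommitChanges();
                }
            }
        }

        // Application-side audit record; the domain controller's own audit log
        // shows the same caller name because the write was made as that user
        Trace.TraceInformation("{0} updated {1}: {2}", wi.Name, samAccountName,
            string.Join(", ", changes.Keys));
    }

    // Escape user input placed inside an LDAP search filter (RFC 4515)
    private static string LdapEscape(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

`CallerTokenLevel()` is the cheap test for the settings: if it returns `Impersonation` rather than `Delegation`, the web server's computer account has not been trusted for delegation in AD, and any bind to the domain controller under the impersonated token will fail with access denied no matter what the user's own AD permissions are. The allowlist only narrows what this page offers; the real enforcement is AD's own ACL on the target attributes, which is why the write is made as the caller rather than as the app pool account.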

Answers (2)

Sean Hall

Reputation: 7878

Delegation is a stronger form of impersonation. Impersonation lets you act as the user on the local computer; delegation allows you to act as the user on remote computers. The only way to avoid delegation is to delegate control in AD to the web service (in this case you're running as the network service, so give the web server's computer account the ability to write to the desired attributes), and have the web service perform the updates. This is not a good idea though, since you can't attribute the changes to the user who was using the website.

Upvotes: 0

kman

Reputation: 2257

Make sure your web server has delegation enabled in AD. That's the step I always forget about anyway.

A couple of reference links:

http://blog.reveille.org.uk/2010/01/asp-net-impersonation-delegation/
http://support.microsoft.com/kb/810572?wa=wsignin1.0

Also make sure you're using Windows auth for the website.

You'll be able to tell real quick if it's working, as only users with proper AD access will be able to manipulate the AD settings (because it will literally be just like they're making the AD change themselves).

Upvotes: 2
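The two web.config settings this answer depends on, as an added example rather than anything from the answer or the linked articles. It assumes the site also has Windows Authentication enabled and Anonymous Authentication disabled in IIS, and that the delegation trust on the web server's computer account is configured separately in AD; the config by itself only gets the caller's identity onto the request thread.

```xml
<configuration>
  <system.web>
    <!-- Kerberos/NTLM logon of the browser user; not Forms, not anonymous -->
    <authentication mode="Windows" />
    <!-- Deny anonymous callers ("?") so every request carries a domain identity -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Run each request's thread as the caller instead of the app pool account -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

With `impersonate="true"` and no fixed userName/password, every AD write made from page code is performed, and audited on the domain controller, as the signed-in user, which is the "just like they're making the AD change themselves" behaviour the answer describes; without delegation on the computer account the identity still arrives on the web server, but the hop to the domain controller is refused.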
