如何在Powershell中模拟Active Directory用户?
我正在尝试通过Web界面(ASP.NET / C#)运行powershell命令,以便在Exchange 2007上创建邮箱/等。当我使用Visual Studio(Cassini)运行页面时,页面正确加载。 但是,当我在IIS(v5.1)上运行它时,我收到错误“未知用户名或密码错误”。 我注意到的最大问题是Powershell以ASPNET而不是我的Active Directory帐户登录。 如何强制我的Powershell会话使用其他Active Directory帐户进行身份validation?
基本上,我到目前为止的脚本看起来像这样:
RunspaceConfiguration rc = RunspaceConfiguration.Create(); PSSnapInException snapEx = null; rc.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapEx); Runspace runspace = RunspaceFactory.CreateRunspace(rc); runspace.Open(); Pipeline pipeline = runspace.CreatePipeline(); using (pipeline) { pipeline.Commands.AddScript("Get-Mailbox -identity 'user.name'"); pipeline.Commands.Add("Out-String"); Collection results = pipeline.Invoke(); if (pipeline.Error != null && pipeline.Error.Count > 0) { foreach (object item in pipeline.Error.ReadToEnd()) resultString += "Error: " + item.ToString() + "\n"; } runspace.Close(); foreach (PSObject obj in results) resultString += obj.ToString(); } return resultString; 这是我用来冒充用户的类。
using System; using System.Data; using System.Configuration; using System.Web; using System.Web.Security; using System.Web.UI; using System.Web.UI.WebControls; using System.Web.UI.WebControls.WebParts; using System.Web.UI.HtmlControls; namespace orr.Tools { #region Using directives. using System.Security.Principal; using System.Runtime.InteropServices; using System.ComponentModel; #endregion /// /// Impersonation of a user. Allows to execute code under another /// user context. /// Please note that the account that instantiates the Impersonator class /// needs to have the 'Act as part of operating system' privilege set. /// /// /// This class is based on the information in the Microsoft knowledge base /// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158 /// /// Encapsulate an instance into a using-directive like eg: /// /// ... /// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) ) /// { /// ... /// [code that executes under the new context] /// ... /// } /// ... /// /// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de) /// for questions regarding this class. /// public class Impersonator : IDisposable { #region Public methods. /// /// Constructor. Starts the impersonation with the given credentials. /// Please note that the account that instantiates the Impersonator class /// needs to have the 'Act as part of operating system' privilege set. /// /// The name of the user to act as. /// The domain name of the user to act as. /// The password of the user to act as. public Impersonator( string userName, string domainName, string password) { ImpersonateValidUser(userName, domainName, password); } // ------------------------------------------------------------------ #endregion #region IDisposable member. public void Dispose() { UndoImpersonation(); } // ------------------------------------------------------------------ #endregion #region P/Invoke. [DllImport("advapi32.dll", SetLastError = true)] private static extern int LogonUser( string lpszUserName, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern int DuplicateToken( IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern bool RevertToSelf(); [DllImport("kernel32.dll", CharSet = CharSet.Auto)] private static extern bool CloseHandle( IntPtr handle); private const int LOGON32_LOGON_INTERACTIVE = 2; private const int LOGON32_PROVIDER_DEFAULT = 0; // ------------------------------------------------------------------ #endregion #region Private member. // ------------------------------------------------------------------ /// /// Does the actual impersonation. /// /// The name of the user to act as. /// The domain name of the user to act as. /// The password of the user to act as. private void ImpersonateValidUser( string userName, string domain, string password) { WindowsIdentity tempWindowsIdentity = null; IntPtr token = IntPtr.Zero; IntPtr tokenDuplicate = IntPtr.Zero; try { if (RevertToSelf()) { if (LogonUser( userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0) { if (DuplicateToken(token, 2, ref tokenDuplicate) != 0) { tempWindowsIdentity = new WindowsIdentity(tokenDuplicate); impersonationContext = tempWindowsIdentity.Impersonate(); } else { throw new Win32Exception(Marshal.GetLastWin32Error()); } } else { throw new Win32Exception(Marshal.GetLastWin32Error()); } } else { throw new Win32Exception(Marshal.GetLastWin32Error()); } } finally { if (token != IntPtr.Zero) { CloseHandle(token); } if (tokenDuplicate != IntPtr.Zero) { CloseHandle(tokenDuplicate); } } } /// /// Reverts the impersonation. /// private void UndoImpersonation() { if (impersonationContext != null) { impersonationContext.Undo(); } } private WindowsImpersonationContext impersonationContext = null; // ------------------------------------------------------------------ #endregion } }
在ASP.NET应用程序中,您需要使用正确的权限模拟有效的AD帐户:
出于安全原因,Exchange 2007不允许您模拟用户。 这意味着(目前)无法通过模拟用户来创建邮箱。 为了解决这个问题,我创建了一个在AD用户下运行的Web服务,该用户具有创建电子邮件帐户等的权限。然后,您可以访问此Web服务以访问powershell。 请记住添加必要的安全性,因为这可能是一个巨大的安全漏洞。
您可能需要一个补丁。
来自: http : //support.microsoft.com/kb/943937
应用程序无法模拟用户,然后在Exchange Server 2007环境中运行Windows PowerShell命令
要解决此问题,请安装Exchange Server 2007 Service Pack 1的更新汇总1。
这篇关于MSDN博客的文章似乎显示了一种方法,我还没有尝试过,但是当我这样做时会让你知道。
- 根据Active Directory策略检查密码
- 如何在Active Directory中获取/更新“联系人”?
- WCF服务中的System.DirectoryServices.AccountManagement.PrincipalContext和Impersonation
- 如何通过LDAP + SSLvalidationActive Directory信誉?
- 使用c#删除活动目录中的用户
- c #Active Directory服务findAll()仅返回1000个条目
- 如何在C#中的AD LDS条目上获得用户的有效权限?
- 你能在C#中找到一个Active Directory用户的主要组吗?
- 在ASP.NET webapp中,FindByIdentity因PricipalOperationException而失败