Impersonation and DirectoryEntry
I am successfully impersonating a user account, but I cannot bind to AD and pull down a DirectoryEntry using the impersonated account.
The code below outputs:
- Before impersonation I am: DOMAIN\user
- After impersonation I am: DOMAIN\admin
- Error: C:\Users\user\ADSI_Impersonation\bin\Debug\ADSI_Impersonation.exe samaccountname:
My problem seems related to:
How to use the System.DirectoryServices namespace in ASP.NET
I am getting a primary token. I know I need to use delegation in order to use the impersonation token on a remote machine. I confirmed that the account does not have the "Account is sensitive and cannot be delegated" flag checked. I also confirmed that neither local group policy nor domain group policy blocks delegation:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
What am I missing?
Thanks!
```csharp
using System;
using System.DirectoryServices;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

namespace ADSI_Impersonation
{
    class Program
    {
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
            int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern bool CloseHandle(IntPtr handle);

        static void Main(string[] args)
        {
            const int LOGON32_PROVIDER_DEFAULT = 0;
            const int LOGON32_LOGON_INTERACTIVE = 2;

            string userName = "admin@domain.com";
            string password = "password";

            Console.WriteLine("Before impersonation I am: " + WindowsIdentity.GetCurrent().Name);

            SafeTokenHandle safeTokenHandle;
            try
            {
                // An interactive logon yields a primary token for the admin account.
                bool returnValue = LogonUser(userName, null, password,
                    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out safeTokenHandle);
                if (returnValue)
                {
                    WindowsIdentity newId = new WindowsIdentity(safeTokenHandle.DangerousGetHandle());
                    WindowsImpersonationContext impersonatedUser = newId.Impersonate();
                }
                else
                {
                    Console.WriteLine("Unable to create impersonatedUser.");
                    return;
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("Authentication error.\r\n" + e.Message);
            }

            Console.WriteLine("After impersonation I am: " + WindowsIdentity.GetCurrent().Name);

            // Bind to the domain root without explicit credentials, expecting the
            // bind to run under the impersonated identity.
            string OU = "LDAP://dc=domain,dc=com";
            DirectoryEntry entry = new DirectoryEntry(OU);
            entry.AuthenticationType = AuthenticationTypes.Secure;

            DirectorySearcher mySearcher = new DirectorySearcher();
            mySearcher.SearchRoot = entry;
            mySearcher.SearchScope = System.DirectoryServices.SearchScope.Subtree;
            mySearcher.PropertiesToLoad.Add("cn");
            mySearcher.PropertiesToLoad.Add("samaccountname");

            string cn = "firstname mi. lastname";
            string samaccountname = "";
            try
            {
                // Create the LDAP query and send the request
                mySearcher.Filter = "(cn=" + cn + ")";
                SearchResultCollection searchresultcollection = mySearcher.FindAll();
                DirectoryEntry ADentry = searchresultcollection[0].GetDirectoryEntry();
                samaccountname = ADentry.Properties["samaccountname"].Value.ToString();
            }
            catch (Exception e)
            {
                Console.WriteLine("Error: " + e.Message);
            }
            Console.WriteLine("samaccountname: " + samaccountname);
            Console.ReadLine();
        }
    }

    // Wraps the logon token so the handle is closed when the object is finalized.
    public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        private SafeTokenHandle() : base(true) { }

        [DllImport("kernel32.dll")]
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle(IntPtr handle);

        protected override bool ReleaseHandle()
        {
            return CloseHandle(handle);
        }
    }
}
```
Many .NET APIs do not take your manual impersonation into account, for example the LDAP query, as you noticed. Therefore you need to use the overloaded constructor of DirectoryEntry,
Error (0x80004005): Unspecified error
I had some problems connecting to a remote Windows machine with the authentication error "Error (0x80004005): Unspecified error". I solved it as follows:
```csharp
// Define path
// This path uses the full path of user authentication
String path = string.Format("WinNT://{0}/{1},user", server_address, username);
DirectoryEntry deBase = null;
try
{
    // Try to connect with a secure connection
    deBase = new DirectoryEntry(path, username, _passwd, AuthenticationTypes.Secure);
    // Connection test: reading NativeObject forces the bind to happen now
    // After the test, set deBase to the parent of the user (root container)
    object nativeObject = deBase.NativeObject;
    deBase = deBase.Parent;
}
catch (Exception ex)
{
    // If an error occurred, try without the Secure flag
    try
    {
        deBase = new DirectoryEntry(path, username, _passwd);
        // Connection test
        // After the test, set deBase to the parent of the user (root container)
        object nativeObject = deBase.NativeObject;
        deBase = deBase.Parent;
        nativeObject = deBase.NativeObject;
    }
    catch
    {
        // If an error occurred, rethrow it (preserving the stack trace)
        throw;
    }
}
```
Hope this helps. Helvio Junior http://www.helviojunior.com.br
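The following is an added example, not code from the original poster or from either answer. It puts both answers into one program: the first answer's point that a LogonUser/Impersonate context is not honoured by the LDAP bind, so credentials are passed explicitly through the `DirectoryEntry(path, username, password, AuthenticationTypes.Secure)` overload, and the second answer's practice of forcing the bind up front so a credential or connectivity failure surfaces with its HRESULT instead of appearing later inside `FindAll()` (the second answer reads `NativeObject`; `RefreshCache` has the same effect). It also escapes the CN before splicing it into the filter, which the question's code did not do. The LDAP path, account name, environment variable and CN are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

namespace AdsiExplicitBind
{
    // Added example: bind to AD with explicit credentials instead of relying on
    // thread impersonation, which the ADSI/LDAP bind does not pick up.
    static class ExplicitCredentialSearch
    {
        // Returns the sAMAccountName of the first user object whose CN matches,
        // or null when nothing matches. Throws DirectoryServicesCOMException when
        // the bind itself fails (bad credentials, unreachable DC, ...).
        public static string FindSamAccountName(string ldapPath, string userName,
                                                string password, string cn)
        {
            // The CN is data, not filter syntax; escape RFC 4515 metacharacters.
            string safeCn = EscapeLdapFilterValue(cn);

            // Credentials are supplied to the bind directly; AuthenticationTypes.Secure
            // selects Negotiate (Kerberos/NTLM) so the password is not sent in clear.
            using (var root = new DirectoryEntry(ldapPath, userName, password,
                                                 AuthenticationTypes.Secure))
            {
                // Force the bind now so credential errors surface here.
                root.RefreshCache(new[] { "distinguishedName" });

                using (var searcher = new DirectorySearcher(root))
                {
                    searcher.Filter = "(&(objectCategory=person)(cn=" + safeCn + "))";
                    searcher.SearchScope = SearchScope.Subtree;
                    searcher.PropertiesToLoad.Add("sAMAccountName");

                    SearchResult result = searcher.FindOne();
                    if (result == null)
                    {
                        return null;
                    }
                    var values = result.Properties["sAMAccountName"];
                    return values.Count > 0 ? values[0].ToString() : null;
                }
            }
        }

        // Escapes the characters RFC 4515 reserves inside an assertion value.
        public static string EscapeLdapFilterValue(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c); break;
                }
            }
            return sb.ToString();
        }

        static void Main()
        {
            // Assumed values; the password comes from the environment here only to
            // keep it out of the source, a secret store is the real answer.
            string ldapPath = "LDAP://dc=domain,dc=com";
            string bindUser = "admin@domain.com";
            string bindPassword = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");

            try
            {
                string sam = FindSamAccountName(ldapPath, bindUser, bindPassword,
                                                "firstname mi. lastname");
                Console.WriteLine("samaccountname: " + (sam ?? "<no match>"));
            }
            catch (DirectoryServicesCOMException ex)
            {
                // ErrorCode carries the HRESULT (e.g. 0x80004005 from the second answer);
                // ExtendedErrorMessage carries the server-side detail when available.
                Console.WriteLine("Bind/search failed: 0x{0:X8} {1} {2}",
                                  ex.ErrorCode, ex.Message, ex.ExtendedErrorMessage);
            }
        }
    }
}
```

If the impersonation route is preferred over passing a password into every DirectoryEntry, the documented LogonUser variant for this case is `LOGON32_LOGON_NEW_CREDENTIALS` (9) with `LOGON32_PROVIDER_WINNT50` (3): the local token keeps the caller's identity, and only outbound network authentication (including the LDAP bind) uses the new credentials. Either way, the interactive logon in the question grants nothing to the remote bind on its own.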