[英]ASP.NET with Active Directory: User Credentials
I am an ASP.NET newbie and creating an inhouse application (will be used by 10 users inside group). 我是ASP.NET新手,正在创建内部应用程序(组中的10个用户将使用该应用程序)。 One of the objective is to add users to Active Directory group.
目标之一是将用户添加到Active Directory组。 For audit purpose, the app-users should do the AD change with there own credentials (and not with common id created for this sole purpose).The website is hosted on Windows Server 2008 R2/IIS 7.0 and everything is in enterprise domain.
出于审核目的,应用程序用户应使用自己的凭据进行AD更改(而不是为此目的创建通用ID)。该网站托管在Windows Server 2008 R2 / IIS 7.0上,所有内容都在企业域中。
IIS Settings: IIS设置:
Application Pool Name: UserAppMapping, Integrated, ApplicationPoolIdentity 应用程序池名称:UserAppMapping,Integrated,ApplicationPoolIdentity
Authentication: ASP.NET Impersonation and Windows Authentication only are Enabled. 身份验证:仅启用ASP.NET模拟和Windows身份验证。
VB.NET Code (i have removed all error checking so I can see the actual error): VB.NET代码(我已经删除了所有错误检查,所以我可以看到实际的错误):
Public Sub AddUserToGroup(userId As String, groupName As String, Optional GroupDN As String = "")
Using (HostingEnvironment.Impersonate())
Dim domainName As String = "DOM"
Dim ou = [String].Format(CultureInfo.InvariantCulture, "dc={0},dc=myorg,dc=com", domainName)
Dim domain = [String].Format(CultureInfo.InvariantCulture, "{0}.myorg.com", domainName)
Using insPrincipalContext = New PrincipalContext(ContextType.Domain, domain, ou)
If insPrincipalContext IsNot Nothing Then
Dim insGroupPrincipal As GroupPrincipal = GroupPrincipal.FindByIdentity(insPrincipalContext, System.DirectoryServices.AccountManagement.IdentityType.Name, groupName)
Dim user As UserPrincipal = UserPrincipal.FindByIdentity(insPrincipalContext, userId)
If insGroupPrincipal IsNot Nothing Then
'add user to group
If user.IsMemberOf(insGroupPrincipal) Then
LabelErr.Text = userId + " is already part of " + groupName
Else
insGroupPrincipal.Members.Add(user)
insGroupPrincipal.Save()
Label1.Text = "User added successfully"
End If
Else
Label1.Text = "Cannot retrieve information about " + groupName + " from Active Directory"
End If
Else
Label1.Text = "Principal Context is Null"
End If
insPrincipalContext.Dispose()
End Using
End Using
End Sub
` `
Problem : 问题 :
Everything works fine but when following lines are encountered in the code: 一切正常,但是在代码中遇到以下几行时:
insGroupPrincipal.Members.Add(user) insGroupPrincipal.Members.Add(用户)
insGroupPrincipal.Save() insGroupPrincipal.Save()
The application prompts for user credentials. 该应用程序提示输入用户凭据。 While I understand the code in this function is running under the context of Windows Identity “IIS APPPOOL\\UserAppMapping”, it will prompt for credentials which has access to Active Directory.
当我了解此函数中的代码在Windows标识“ IIS APPPOOL \\ UserAppMapping”的上下文中运行时,它将提示输入可以访问Active Directory的凭据。 Is there a way for app user to modify the AD groups (I am assuming the user can modify the groups directly in AD) without typing extra credentials?
应用程序用户是否可以修改AD组 (我假设用户可以直接在AD中修改组) 而无需键入额外的凭据?
If I remove "Using (HostingEnvironment.Impersonate())" from the code, it fails right away when GroupPrincipal.FindByIdentity is encountered. 如果我从代码中删除“使用(HostingEnvironment.Impersonate())”,遇到GroupPrincipal.FindByIdentity时,它将立即失败。
The web.config is set with: web.config设置为:
authentication mode="Windows" 身份验证模式=“ Windows”
identity impersonate="true" 身份冒充=“ true”
Thanks in advance. 提前致谢。
Do the following. 请执行下列操作。
Step 2: You need an account has higher rights in AD than ApplicationPoolIndentity. 步骤2:您需要在AD中具有比ApplicationPoolIndentity更高的权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.