WCF impersonation is not impersonating an administrator
I am trying to use WCF to do some remote user management things. I am reusing some code I had on a Server 2003 box that worked fine, but on my Windows 7 test box, when I check to see if the user who called the function is an administrator, it says it is not.
    [OperationBehavior(Impersonation=ImpersonationOption.Required)]
    public string SetPassword(string username)
    {
        // Identity of the remote caller, as authenticated by WCF
        WindowsPrincipal principal = new WindowsPrincipal(OperationContext.Current.ServiceSecurityContext.WindowsIdentity);
        // With impersonation required, both of these print the calling user
        System.Diagnostics.Debug.Print(WindowsIdentity.GetCurrent().Name);
        System.Diagnostics.Debug.Print(principal.Identity.Name);
        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            //try
            {
                lock (Watchdog.m_principalContext)
                {
                    using (UserPrincipal up = UserPrincipal.FindByIdentity(Watchdog.m_principalContext, username))
                    {
                        string newpassword = CreateRandomPassword();
                        up.SetPassword(newpassword);
                        up.Save();
                        return newpassword;
                    }
                }
            }
            //catch
            {
                return null;
            }
        }
        else
            throw new System.Security.SecurityException("User not administrator");
    }
principal.IsInRole(WindowsBuiltInRole.Administrator) is returning false every time. Both my current identity and principal.Identity are the correct user to be impersonated, and that user is a member of the Administrators user group.
I think it has to do with UAC, which was implemented in Windows Vista and up. This will be an issue because the production machine this will be going onto is a win2k8-r2 box.
Any suggestions on what to do?
Take a look at this article, in the section "Coping with Windows Vista"; it is a very good article on UAC and on programmatically checking for admin privs.
As I did not want to do all that work (from RandomNoob's post) to check if the user is an administrator, and the service is already running in an administrative context, I decided to just drop impersonation. I created a new user group called WCFUsers, and anyone who will be using the service was added to that group. It now does the System.DirectoryServices.AccountManagement operations in its own context.
    [OperationBehavior(Impersonation=ImpersonationOption.NotAllowed)]
    public string SetPassword(string username)
    {
        // The caller is not impersonated; its identity is only used for the group check
        WindowsPrincipal principal = new WindowsPrincipal(OperationContext.Current.ServiceSecurityContext.WindowsIdentity);
        if (principal.IsInRole("WCFUsers"))
        {
            try
            {
                // The directory operations run under the service's own account
                lock (Watchdog.m_principalContext)
                {
                    using (UserPrincipal up = UserPrincipal.FindByIdentity(Watchdog.m_principalContext, username))
                    {
                        string newpassword = CreateRandomPassword();
                        up.SetPassword(newpassword);
                        up.Save();
                        return newpassword;
                    }
                }
            }
            catch
            {
                return null;
            }
        }
        else
            return null;
    }
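An added example, not code from the original posts: one way to factor the group check from the answer above into a helper that rejects anonymous or guest callers and throws on denial instead of returning null, together with a check that shows whether Administrators is enabled in a given token. `CallerAuthorization` and its method names are hypothetical, and `WindowsIdentity.GetCurrent()` stands in for the WCF caller identity so the code runs without a service host.

```csharp
// Added example, not the posters' code. "WCFUsers" is the group named in the answer;
// CallerAuthorization, Demand and HasEnabledAdministrators are hypothetical names.
using System;
using System.Security;
using System.Security.Principal;

public static class CallerAuthorization
{
    // Throws unless the caller is an authenticated, non-anonymous, non-guest Windows
    // account whose token carries the named group as an enabled group.
    public static void Demand(WindowsIdentity caller, string groupName)
    {
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous || caller.IsGuest)
            throw new SecurityException("Caller is not an authenticated Windows account");

        if (!new WindowsPrincipal(caller).IsInRole(groupName))
            throw new SecurityException(caller.Name + " is not a member of " + groupName);
    }

    // True only when BUILTIN\Administrators is enabled in this token. A UAC-filtered
    // token keeps the group as deny-only, so this is false even for a group member.
    public static bool HasEnabledAdministrators(WindowsIdentity identity)
    {
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        return new WindowsPrincipal(identity).IsInRole(admins);
    }

    public static void Main()
    {
        // Stand-in for OperationContext.Current.ServiceSecurityContext.WindowsIdentity.
        using (WindowsIdentity caller = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("{0}: Administrators enabled in token = {1}",
                caller.Name, HasEnabledAdministrators(caller));
            try
            {
                Demand(caller, "WCFUsers");
                Console.WriteLine("authorized");
            }
            catch (SecurityException ex)
            {
                // Denial stays distinguishable from an operation failure (null).
                Console.WriteLine("denied: " + ex.Message);
            }
        }
    }
}
```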