Re: Impersonate User
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/18/04
- In reply to: Novice: "Impersonate User"
Date: Thu, 18 Mar 2004 09:52:23 -0600
Are these Active Directory users or local machine/NT 4 users? If they are
AD, you should be using the LDAP provider.
There is also a really good topic on security issues with S.DS and ASP.NET
here that you will likely find very helpful.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
Also, most S.DS questions get asked over at microsoft.public.adsi.general
instead of here, so you may get better help on that stuff in that group.
Joe K.
"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:670ED26D-E19B-4F75-8B78-945D5801EC84@microsoft.com...
> Hi all, I have three real questions (in addition to a couple of trivial ones) that are really perplexing me concerning "impersonating users" in .NET.
>
> The first question has to do with a problem I was having finding all the details on a user through their DirectoryEntry in WinNT. Currently, I'm using the following code to simply get all the properties associated with a particular user:
> The following is included in one of my .aspx pages:
> ---------------------------
> Private Function GetUserDetails() As String
>     Dim arrName() As String
>     Dim FullName As String, LogonName As String, objUser As New DirectoryEntry
>     ' User.Identity.Name is DOMAIN\user; the WinNT path is built as WinNT://DOMAIN/user
>     LogonName = Trim(User.Identity.Name)
>     LogonName = LogonName.Replace("\", "/")
>     objUser.Path = "WinNT://" + LogonName
>
>     Dim collectionOfProperties As System.DirectoryServices.PropertyCollection
>     collectionOfProperties = objUser.Properties
>     Dim dEnumerator As IDictionaryEnumerator
>     dEnumerator = collectionOfProperties.GetEnumerator
>     ' Append every property of the user object as "name: value" lines of HTML
>     While (dEnumerator.MoveNext = True)
>         FullName = FullName + "<br>" + dEnumerator.Key + ": " + (collectionOfProperties.Item(dEnumerator.Key)).Value().ToString()
>     End While
>
>     Return FullName
> End Function
> ---------------------------
> In addition, the following has to be at the top of the aspx page:
> <%@ Assembly name="System.DirectoryServices, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
> <%@ Import Namespace="System.DirectoryServices" %>
>
> An additional small question is:
> 4. How do I translate this:
> <%@ Assembly name="System.DirectoryServices, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"%>
>
> into the VB code (in the aspx.vb file) that is running behind my .aspx files? I.E. how do I import the System.DirectoryServices namespace in an aspx.vb file without getting a compiler error (Namespace cannot be found)?
> ---------------------------
> The first "real" question I have is:
> 1. Why do I get the following run-time exception:
>
> Exception Details: System.Runtime.InteropServices.COMException: The network path was not found
>
> if I don't enable "impersonate-user" by putting the following in my web.config file:
> <identity impersonate="true"/>
>
> It can't be a result of the ASP.NET account having insufficient privileges because I have tried removing the above string from my web.config file and increasing the ASP.NET account to FULL privileges and still I get the above run-time error/exception.
>
> Is it because Windows does not allow me to get all the details of the above user unless I'm able to switch the current httpcontext user Principal to the user accessing the website?
> ---------------------------
> 2. The second "real" question I have is in what context (in either a web application or a stand-alone application) am I likely to want to impersonate a user (other than the one above)?
>
> I gave it some thought and I couldn't think of any reason why I would want to impersonate a user in a web application, unless it was to do exactly what I'm doing in my function at the beginning of this post and that is to get all the details of that user's account.
> ---------------------------
> 3. The third "real" question is why do users not residing on the machine hosting the aspx files get an "Enter Network Password" dialog box when they view the aspx files? They can just click on "OK" without entering their username, password or domain and it works fine. But I want to stop the server from prompting them with those dialog boxes. I realize they are coming up because I've chosen "windows integrated" authentication, but since they don't need to enter any details to have the server httpcontext "impersonate" them, then I would rather them not be prompted with the dialog box in the first place. If I try accessing the aspx files from the server machine, I do not get the dialog box prompting.
> ---------------------------
>
> Thanks,
> Novice