科技行者

行者学院 转型私董会 科技行者专题报道 网红大战科技行者

知识库

知识库 安全导航

至顶网软件频道通过ASP.net程序创建域帐户故障

通过ASP.net程序创建域帐户故障

  • 扫一扫
    分享文章到微信

  • 扫一扫
    关注官方公众号
    至顶头条

我曾经成功地使用windows程序成功的创建了一批带邮箱的域帐户

作者:中国IT实验室 来源:中国IT实验室 2007年9月5日

关键字: 故障 域帐户 ASP.NET

  • 评论
  • 分享微博
  • 分享邮件

    我曾经成功地使用windows程序成功的创建了一批带邮箱的域帐户,但是,当我把这段代码交给我的一个同事(她负责开发Web应用)迁移到asp.net中后,只能创建域帐户,不能创建邮箱。为什么呢?

    我们咨询了微软的工程师,他告诉我们,这是由于asp.net的权限不够,我们应该在asp.net模拟用户,这样就可以成功创建。

    我将微软的相关文章摘录下来:

    模拟 IIS 验证的帐户或用户

    若要在收到 ASP.NET 应用程序中每个页的每个请求时模拟 Microsoft Internet 信息服务 (IIS) 身份验证用户,必须在此应用程序的 Web.config 文件中包含 <identity> 标记,并将 impersonate 属性设置为 true.例如:

    <identity impersonate="true" />

    为 ASP.NET 应用程序的所有请求模拟特定用户

    若要为 ASP.NET 应用程序的所有页面上的所有请求模拟特定用户,可以在该应用程序的 Web.config 文件的 <identity> 标记中指定 userName 和 password 属性。例如:

    <identity impersonate="true" userName="accountname" password="password" />

    注意:在线程上模拟特定用户的进程的标识必须具有“作为操作系统的一部分”权限。默认情况下,Aspnet_wp.exe 进程在名为 ASPNET 的计算机帐户下运行。不过,此帐户没有模拟特定用户所需的权限。如果您尝试模拟特定用户,则会出现一条错误信息。

    要解决此问题,请使用下列方法之一:

    为 ASPNET 帐户(权限最低的帐户)授予“作为操作系统的一部分”权限。

    注意:虽然此方法可以解决问题,但 Microsoft 不建议使用此方法。

    在 Machine.config 文件的 <processModel> 配置部分中,将运行 Aspnet_wp.exe 进程所使用的帐户更改为 System 帐户。

    在代码中模拟身份验证用户

    若要仅在运行代码特定部分时模拟身份验证用户 (User.Identity),您可以使用以下代码。此方法要求身份验证用户标识的类型为 WindowsIdentity.

    Visual Basic .NET

    Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)

    impersonationContext = currentWindowsIdentity.Impersonate()

    'Insert your code that runs under the security context of the authenticating user here. impersonationContext.Undo()

    Visual C# .NET

    System.Security.Principal.WindowsImpersonationContext impersonationContext;impersonationContext =((System.Security.Principal.WindowsIdentity)User.Identity)。Impersonate();//Insert your code that runs under the security context of the authenticating user here. impersonationContext.Undo();

    Visual J# .NET

    System.Security.Principal.WindowsImpersonationContext impersonationContext;impersonationContext =((System.Security.Principal.WindowsIdentity)get_User()。get_Identity())。Impersonate();//Insert your code that runs under the security context of the authenticating user here. impersonationContext.Undo();

    在代码中模拟特定用户

    若要仅在运行代码特定部分时模拟特定用户,请使用以下代码:   Visual Basic .NET

    <%@ Page Language="VB" %> <%@ Import Namespace = "System.Web" %> <%@ Import Namespace = "System.Web.Security" %> <%@ Import Namespace = "System.Security.Principal" %> <%@ Import Namespace = "System.Runtime.InteropServices" %> <script runat=server> Dim LOGON32_LOGON_INTERACTIVE As Integer = 2 Dim LOGON32_PROVIDER_DEFAULT As Integer = 0 Dim impersonationContext As WindowsImpersonationContext Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpszUsername As String, _ ByVal lpszDomain As String, _ ByVal lpszPassword As String, _ ByVal dwLogonType As Integer, _ ByVal dwLogonProvider As Integer, _ ByRef phToken As IntPtr) As Integer Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _ ByVal ExistingTokenHandle As IntPtr, _ ByVal ImpersonationLevel As Integer, _ ByRef DuplicateTokenHandle As IntPtr) As Integer Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Long Public Sub Page_Load(ByVal s As Object, ByVal e As EventArgs)

    If impersonateValidUser("username", "domain", "password") Then 'Insert your code that runs under the security context of a specific user here. undoImpersonation()

    Else 'Your impersonation failed. Therefore, include a fail-safe mechanism here. End If End Sub Private Function impersonateValidUser(ByVal userName As String, _ ByVal domain As String, ByVal password As String) As Boolean Dim tempWindowsIdentity As WindowsIdentity Dim token As IntPtr = IntPtr.Zero Dim tokenDuplicate As IntPtr = IntPtr.Zero impersonateValidUser = False If RevertToSelf() Then If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT, token) <> 0 Then If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)

    impersonationContext = tempWindowsIdentity.Impersonate()

    If Not impersonationContext Is Nothing Then impersonateValidUser = True End If If Not tokenDuplicate.Equals(IntPtr.Zero) Then CloseHandle(tokenDuplicate)

    End If If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)

    End If End Function Private Sub undoImpersonation()

    impersonationContext.Undo()

    End Sub </script>

    Visual C# .NET

    <%@ Page Language="C#"%> <%@ Import Namespace = "System.Web" %> <%@ Import Namespace = "System.Web.Security" %> <%@ Import Namespace = "System.Security.Principal" %> <%@ Import Namespace = "System.Runtime.InteropServices" %> <script runat=server> public const int LOGON32_LOGON_INTERACTIVE = 2;public const int LOGON32_PROVIDER_DEFAULT = 0;WindowsImpersonationContext impersonationContext;[DllImport("advapi32.dll")] public static extern int LogonUserA(String lpszUserName,String lpszDomain,String lpszPassword,int dwLogonType,int dwLogonProvider,ref IntPtr phToken);[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] public static extern int DuplicateToken(IntPtr hToken,int impersonationLevel,ref IntPtr hNewToken);[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)] public static extern bool RevertToSelf();[DllImport("kernel32.dll", CharSet=CharSet.Auto)] public static extern bool CloseHandle(IntPtr handle);public void Page_Load(Object s, EventArgs e)

    { if(impersonateValidUser("username", "domain", "password"))

    { //Insert your code that runs under the security context of a specific user here. undoImpersonation();} else { //Your impersonation failed. Therefore, include a fail-safe mechanism here. } private bool impersonateValidUser(String userName, String domain, String password)

    { WindowsIdentity tempWindowsIdentity;IntPtr token = IntPtr.Zero;IntPtr tokenDuplicate = IntPtr.Zero;if(RevertToSelf())

    { if(LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT, ref token) != 0)

    { if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)

    { tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);impersonationContext = tempWindowsIdentity.Impersonate();if (impersonationContext != null)

    { CloseHandle(token);CloseHandle(tokenDuplicate);return true;} if(token!= IntPtr.Zero)

    CloseHandle(token);if(tokenDuplicate!=IntPtr.Zero)

    CloseHandle(tokenDuplicate);return false;} private void undoImpersonation()

    { impersonationContext.Undo();} </script>

    Visual J# .NET

    <%@ Page language="VJ#" %> <%@ Import Namespace="System.Web" %> <%@ Import Namespace="System.Web.Security" %> <%@ Import Namespace="System.Security.Principal" %> <%@ Import Namespace="System.Runtime.InteropServices" %> <script runat=server> public static int LOGON32_LOGON_INTERACTIVE = 2;public static int LOGON32_PROVIDER_DEFAULT = 0;WindowsImpersonationContext impersonationContext;/** @attribute DllImport("advapi32.dll") */ public static native int LogonUserA(String lpszUserName,String lpszDomain,String lpszPassword,int dwLogonType,int dwLogonProvider,System.IntPtr[] phToken);/** @attribute DllImport("advapi32.dll",CharSet=CharSet.Auto, SetLastError=true) */ public static native int DuplicateToken(System.IntPtr hToken,int impersonationLevel,System.IntPtr[] hNewToken);/** @attribute DllImport("kernel32.dll",CharSet=CharSet.Auto) */ public static native boolean CloseHandle(System.IntPtr[] handle);/** @attribute DllImport("advapi32.dll",CharSet=CharSet.Auto,SetLastError=true) */ public static native boolean RevertToSelf();public void Page_Load(Object s, System.EventArgs e)

    { if(impersonateValidUser("username", "domain", " password"))

    { //Insert your code that runs under the security context of a specific user here. undoImpersonation();} else { //Your impersonation failed. Therefore, include a fail-safe mechanism here. } private boolean impersonateValidUser(String userName, String domain, String password)

    { WindowsIdentity tempWindowsIdentity;System.IntPtr[] token = new System.IntPtr[1];System.IntPtr[] tokenDuplicate = new System.IntPtr[1];if(RevertToSelf())

    { if(LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT, token) != 0)

    { if(DuplicateToken(token[0], 2, tokenDuplicate) != 0)

    { tempWindowsIdentity = new WindowsIdentity(tokenDuplicate[0]);impersonationContext = tempWindowsIdentity.Impersonate();if (impersonationContext != null)

    { CloseHandle(tokenDuplicate);CloseHandle(token);return true;} if(!token[0].Equals(System.IntPtr.Zero))

    CloseHandle(token);if(!tokenDuplicate[0].Equals(System.IntPtr.Zero))

    CloseHandle(tokenDuplicate);return false;} private void undoImpersonation()

    { impersonationContext.Undo();} </script>

    注意:在线程上模拟特定用户的进程的标识必须具有“作为操作系统的一部分”权限。默认情况下,Aspnet_wp.exe 进程在名为 ASPNET 的计算机帐户下运行。不过,此帐户没有模拟特定用户所需的权限。如果您尝试模拟特定用户,则会出现一条错误信息。

    要解决此问题,请使用下列方法之一:

    为 ASPNET 帐户授予“作为操作系统的一部分”权限。

    在 Machine.config 文件的 <processModel> 配置部分中,将运行 Aspnet_wp.exe 进程所使用的帐户更改为 System 帐户。

查看本文来源

    • 评论
    • 分享微博
    • 分享邮件
    邮件订阅

    如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。

    重磅专题
    往期文章
    最新文章