Using Impersonation instead of specifying username/password during AD Query
Mar 31, 2017 06:26 PM | bbcompent1

Hey folks, I'm trying to figure out how to use the currently logged on user to perform an AD Search and not have to pass the username and password in the web.config file. I would rather the query look to AD like the current user rather than one specific user account doing this job. I'll take whatever I can get, samples, examples, anything. I've been searching for a bit but I just cannot seem to find what I'm looking for. Thanks in advance for your help!
Re: Using Impersonation instead of specifying username/password during AD Query
Apr 02, 2017 08:56 AM | kaushalparik27

> I would rather the query look to AD like the current user rather than one specific user account doing this job

You can implement impersonation in code as well; you are not required to impersonate by specifying the impersonation tag in web.config, because that would make the entire website's functionality run under that user's privileges. Here is a utility class to initiate and undo impersonation:
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace WebApp
{
    public class Impersonate
    {
        #region "Members"
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;
        // SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation (the level 2 used below)
        private const int SECURITY_IMPERSONATION = 2;
        private WindowsImpersonationContext impersonationContext;
        #endregion "Members"

        #region "Methods"
        // SetLastError = true lets Marshal.GetLastWin32Error() report why a logon failed.
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUserA(String lpszUserName,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool DuplicateToken(IntPtr hToken,
            int impersonationLevel,
            ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool CloseHandle(IntPtr handle);

        // Logs the given account on and switches the current thread to its security
        // context. Returns false, and leaves the thread unchanged, on any failure.
        public bool ImpersonateValidUser(string UserName, string DomainName, string Password)
        {
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;
            try
            {
                // Drop any impersonation already active on this thread before logging on.
                if (!RevertToSelf())
                    return false;

                if (!LogonUserA(UserName, DomainName, Password, LOGON32_LOGON_INTERACTIVE,
                                LOGON32_PROVIDER_DEFAULT, ref token))
                    return false;

                // LogonUser returns a primary token; impersonation needs an impersonation token.
                if (!DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate))
                    return false;

                WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                impersonationContext = tempWindowsIdentity.Impersonate();
                return impersonationContext != null;
            }
            finally
            {
                // WindowsIdentity duplicates the handle it is given, so both raw
                // handles are closed here whether or not impersonation succeeded.
                if (token != IntPtr.Zero)
                    CloseHandle(token);
                if (tokenDuplicate != IntPtr.Zero)
                    CloseHandle(tokenDuplicate);
            }
        }

        // Restores the thread's original security context. Safe to call even if
        // impersonation never started or has already been undone.
        public void UndoImpersonation()
        {
            if (impersonationContext != null)
            {
                impersonationContext.Undo();
                impersonationContext = null;
            }
        }
        #endregion "Methods"
    }
}
You can use it wherever you need to impersonate for only a part of your code:

Impersonate impersonateUser = new Impersonate();
if (impersonateUser.ImpersonateValidUser("UserName", "Domain", "Password"))
{
    try
    {
        //-- your code to search AD
    }
    finally
    {
        // Always revert, even if the search throws, so the worker thread
        // does not keep serving later requests under the impersonated account.
        impersonateUser.UndoImpersonation();
    }
}
Namaste,
[KaushaL] Blog Twitter [MS MVP 2008 & 2009] [MCC 2011] [MVP Reconnect 2017]
Don't forget to click "Mark as Answer" on the post that helped you