Question
My issue here is how to deal with security and a proper implementation of impersonation which will work from a client machine and authenticate properly to my IIS server which passes the still valid impersonation ticket along with the LDAP request.
My system is an independent server running on my company intranet which hosts the domain controller, LDAP server, etc., and uses Kerberos protocol.
- System Info: IIS7 with Windows Auth and Impersonate on Windows 7 x64
- Network Info: IIS 6, LDAP, Kerberos
Here is my VB.NET method.
    'At the top of the code-behind file:
    Imports System.DirectoryServices
    Imports System.Web.Hosting

    Protected FirstName, LastName, EMail As String

    Protected Sub Lookup(ByVal UserName As String)
        'Strip the domain prefix: "DOMAIN\user" or "DOMAIN/user" becomes "user".
        UserName = Trim(UserName)
        UserName = Replace(UserName, "\", "/")
        UserName = Right(UserName, Len(UserName) - InStr(1, UserName, "/"))
        'Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the filter.
        Dim safeName As String = UserName.Replace("\", "\5c").Replace("*", "\2a") _
            .Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")

        'HostingEnvironment.Impersonate() runs the block under the application (process) identity.
        Using HostingEnvironment.Impersonate() 'ADDED
            Dim directoryEntry As New DirectoryEntry("LDAP://dl/DC=dl,DC=net")
            'directoryEntry.AuthenticationType = AuthenticationTypes.Delegation 'REMOVED
            Dim ds As New DirectorySearcher(directoryEntry)
            Dim r As SearchResult
            Try
                ds.PropertiesToLoad.Add("givenName") 'First Name
                ds.PropertiesToLoad.Add("sn") 'Last Name
                ds.PropertiesToLoad.Add("mail") 'Email
                ds.PropertiesToLoad.Add("userPrincipalName") 'Fallback when mail is empty
                ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & safeName & "))"
                r = ds.FindOne 'Query LDAP; find record with UserName.
                If r Is Nothing Then Return 'No matching account.

                'Populates all the variables retrieved from LDAP.
                FirstName = If(r.Properties.Contains("givenName"), Trim(r.Properties("givenName").Item(0)), "")
                LastName = If(r.Properties.Contains("sn"), Trim(r.Properties("sn").Item(0)), "")
                'Contains returns a Boolean, so test it directly (IsNothing on it is always False).
                If Not r.Properties.Contains("mail") Then
                    EMail = If(r.Properties.Contains("userPrincipalName"), Trim(r.Properties("userPrincipalName").Item(0)), "")
                Else
                    EMail = Trim(r.Properties("mail").Item(0))
                End If
                EMail = EMail.ToLower
            Catch ex As Exception
                'Error Logging to Database Here
            End Try
        End Using
    End Sub
Please ask any questions necessary to get the information you need to help me. I've been researching this for weeks and it seems that Impersonation has such an insane number of variables that I could easily get lost. I just can't figure out how to implement this in my code... I'm still fairly new to .NET :(
Answer 1:
You shouldn't need to configure an AuthenticationType for this to work. You will, however, need to ensure that the service account (or computer account if network service) hosting the code above is allowed to delegate to the LDAP service on all of the DCs in your environment.
Source: https://stackoverflow.com/questions/9232482/impersonate-with-delegation-or-more-than-one-hop-on-kerberos-completely-lost
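One way to audit the delegation setting the answer describes, as an added example that is not part of the original question or answer. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; `WEBHOST$` is a placeholder for the account that runs the IIS application pool.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder: sAMAccountName of the identity running the IIS application pool.
# A computer account (used when the pool runs as Network Service) ends in '$'.
$Account = 'WEBHOST$'

# userAccountControl bits that govern Kerberos delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: may delegate to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition

$obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not $obj) { throw "Account '$Account' not found in the directory." }

$uac           = [int]$obj.userAccountControl
$unconstrained = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
$transition    = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
# SPNs this account may delegate to (empty when constrained delegation is not configured)
$allowed       = @(@($obj.'msDS-AllowedToDelegateTo') | Where-Object { $_ })

foreach ($dc in Get-ADDomainController -Filter *) {
    # Accept ldap/<fqdn> or ldap/<short name>, optionally followed by :port or /domain
    $names   = ($dc.HostName, $dc.Name | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '^ldap/(' + $names + ')([:/]|$)'
    $hit     = @($allowed | Where-Object { $_ -match $pattern })

    [pscustomobject]@{
        DomainController   = $dc.HostName
        LdapDelegation     = if ($hit) { 'constrained' }
                             elseif ($unconstrained) { 'unconstrained' }
                             else { 'MISSING' }
        ProtocolTransition = $transition
        MatchedSpn         = $hit -join ', '
    }
}
```

Any domain controller reported as `MISSING` has no `ldap/` entry in the account's delegation list, so a second-hop LDAP bind to that DC cannot carry the caller's identity. A result of `unconstrained` means the account can delegate to every service, which is broader than this lookup needs.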