System.DirectoryServices.AccountManagement.PrincipalContext and Impersonation in a WCF service

荒凉一梦 submitted on 2020-01-03 19:16:43

Question


I'm working with the PrincipalContext in code that lies behind a WCF service. The WCF service is impersonating, to allow a 'pass-through' type authentication.

While everything else I do with Active Directory (mostly the System.DirectoryServices.Protocols namespace) works fine in this scenario, for some reason the classes in System.DirectoryServices.AccountManagement throw a fit. Sample code that fails:

PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName);
UserPrincipal user = 
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

When I make the call to FindByIdentity, I get a COMException: "An operations error has occurred". Calls to the PrincipalContext also fail, e.g.:

string server = context.ConnectedServer;

Both OperationContext.Current.ServiceSecurityContext and Thread.CurrentPrincipal.Identity show the impersonation is working correctly. And, like I say, other AD tasks in S.DS.P work fine.

If I explicitly set credentials on the PrincipalContext, everything works. For example:

// Explicit credentials for the service account (renamed from `user` so the
// local does not collide with the UserPrincipal declared below)
PrincipalContext context = 
    new PrincipalContext(ContextType.Domain, domainName, serviceUser, password);
UserPrincipal user = 
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

Now everything works. But I won't know the username and password from the caller; I must rely on the impersonation.

Any ideas on what would cause the issue I'm seeing?

Thanks in advance! James


Answer 1:


Make sure an SPN is set for the app pool, delegation is set in AD, and that the app pool account has the "Act as part of the OS" privilege.
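The answer's three items are configuration that can be verified rather than guessed at. The PowerShell below is an added example, not code from the question or the answer: it reads the app pool account's SPNs and delegation attributes from AD and checks whether the account holds the "Act as part of the operating system" right (SeTcbPrivilege) on the web server. It assumes the RSAT ActiveDirectory module is installed, that it is run elevated on the web server (secedit requires that), and that `$AppPoolSam` and `$ServiceHost` are placeholders you fill in for your environment.

```powershell
# Added example, not code from the original question or answer. Checks the three
# items the answer lists for the app pool identity of an impersonating WCF service:
#   1. an HTTP SPN registered on the account,
#   2. Kerberos delegation configured in AD (and whether it is constrained),
#   3. the "Act as part of the operating system" right (SeTcbPrivilege) on this host.
# Assumes the RSAT ActiveDirectory module and an elevated session on the web server.
# $AppPoolSam and $ServiceHost are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $AppPoolSam,   # sAMAccountName of the app pool account, e.g. 'svc-wcf'
    [Parameter(Mandatory)] [string] $ServiceHost   # host name clients use to reach the WCF endpoint
)

Import-Module ActiveDirectory

# --- 1 & 2: pull the SPN and delegation-related attributes from the account object ---
$props = @(
    'ServicePrincipalNames',
    'TrustedForDelegation',          # unconstrained delegation (userAccountControl flag)
    'TrustedToAuthForDelegation',    # protocol transition ("use any authentication protocol")
    'msDS-AllowedToDelegateTo'       # constrained delegation target list
)
$acct = Get-ADUser -Identity $AppPoolSam -Properties $props

# Kerberos clients request a ticket for HTTP/<host>; that SPN must be on the app pool account
$expectedSpn = "HTTP/$ServiceHost"
$hasSpn = [bool]($acct.ServicePrincipalNames -contains $expectedSpn)

# Empty multi-valued attributes come back as an empty collection; drop any nulls defensively
$constrainedTargets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$delegationMode = if ($acct.TrustedForDelegation) { 'Unconstrained' } elseif ($constrainedTargets.Count -gt 0) { 'Constrained' } else { 'None' }

# --- 3: export local user-rights assignments and look for SeTcbPrivilege ---
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$tcbLine = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

# secedit lists holders as *SID (or occasionally a plain name); normalise everything to a SID string
$tcbHolders = @()
if ($tcbLine) {
    $tcbHolders = foreach ($entry in (($tcbLine -split '=', 2)[1] -split ',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) {
            $e.Substring(1)
        }
        else {
            try {
                (New-Object System.Security.Principal.NTAccount $e).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
            catch { $e }
        }
    }
}
$hasTcb = [bool]($tcbHolders -contains $acct.SID.Value)

# One object summarising the three checks; pipe to Format-List for a readable report
[pscustomobject]@{
    Account            = $acct.SamAccountName
    ExpectedSpn        = $expectedSpn
    HasHttpSpn         = $hasSpn
    DelegationMode     = $delegationMode
    ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
    ConstrainedTargets = ($constrainedTargets -join '; ')
    HasSeTcbPrivilege  = $hasTcb
}
```

Run it as `.\Check-WcfDelegation.ps1 -AppPoolSam svc-wcf -ServiceHost wcf.example.test | Format-List` (script name and values are placeholders). A `DelegationMode` of `Unconstrained` satisfies the answer but lets the web server request tickets to any service on behalf of any caller it has impersonated, which makes that host a much more valuable compromise target; `Constrained`, with `ConstrainedTargets` limited to the LDAP SPNs of the domain controllers the service actually queries, gives the impersonating WCF code the same working AccountManagement calls with far less exposure.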



Source: https://stackoverflow.com/questions/3507476/system-directoryservices-accountmanagement-principalcontext-and-impersonation-in
