How to impersonate while creating a User via System.DirectoryServi

We are trying to create a local user through this code in an ASP.NET page:

    Imports System.DirectoryServices

    ' Bind to the local machine's account database through the WinNT provider
    Dim AD As DirectoryEntry = _
        New DirectoryEntry("WinNT://" + Environment.MachineName + ",computer")
    ' Add the new local user, then set its password and description
    Dim NewUser As DirectoryEntry = AD.Children.Add("TestUser1", "user")
    NewUser.Invoke("SetPassword", New Object() {"#12345Abc"})
    NewUser.Invoke("Put", New Object() {"Description", "Test User from .NET"})
    ' Write the new account to the machine
    NewUser.CommitChanges()

What do I have to do to make this code work in ASP.NET without opening too many security holes?

Thanks a lot
Norbert

Essentially, you want to be running as an administrative user either at the process level or via impersonation when you make this call. There are many ways to do both.

For the process approach (assuming IIS6):

You can change your application pool identity
You can host this code in a COM+ component and run that under the admin user

For impersonation, you can log in as the local administrator using Windows authentication in IIS and impersonate the authenticated user, either via web.config (<identity impersonate="true"/>) or in code by casting Context.User.Identity to a WindowsIdentity and creating a WindowsImpersonationContext based on that.

You can also impersonate a specific user in web.config by specifying username and password in the identity tag.

Finally, you can impersonate by calling LogonUser to get a logon token and creating a WindowsImpersonationContext that way.

The most secure way is probably to either use COM+ for the process-based approach or to log in to the app as the administrator in question and impersonate that user when making the call. The latter approach has the advantage that you don't even need to know the local administrator's credentials at all, so it is probably considered the most secure.

HTH,

Joe K.

"Norbert Kessler" <NorbertKess***@discussions.microsoft.com> wrote in message news:4E361B23-3282-4C35-A64D-3DA782067C79@microsoft.com...
> We are trying to create a local user through this code in an ASP.NET page:
>
> Dim AD As DirectoryEntry = _
> New DirectoryEntry("WinNT://" + Environment.MachineName + ",computer")
> Dim NewUser As DirectoryEntry = AD.Children.Add("TestUser1", "user")
> NewUser.Invoke("SetPassword", New Object() {"#12345Abc"})
> NewUser.Invoke("Put", New Object() {"Description", "Test User from .NET"})
> NewUser.CommitChanges()
>
> What do I have to do to make this code work in ASP.NET without opening too
> many security holes?
>
> Thanks a lot
> Norbert
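
The "impersonate the authenticated user in code" option from the reply above, as an added example that is not part of the original thread. The module name, the CreateLocalUser helper and its parameters are hypothetical; it assumes .NET 2.0 or later with Windows authentication enabled and anonymous access disabled in IIS.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Web

Public Module LocalUserProvisioning

    ' Hypothetical helper: creates a local account while impersonating the
    ' Windows-authenticated caller, so the worker process itself stays low-privileged
    ' and no administrator password is stored in code or web.config.
    Public Sub CreateLocalUser(ByVal context As HttpContext, _
                               ByVal userName As String, _
                               ByVal password As String)

        ' With Forms authentication the cast yields Nothing; with anonymous
        ' access the identity is present but IsAuthenticated is False.
        Dim caller As WindowsIdentity = TryCast(context.User.Identity, WindowsIdentity)
        If caller Is Nothing OrElse Not caller.IsAuthenticated Then
            Throw New UnauthorizedAccessException("Windows authentication is required.")
        End If

        ' Refuse early unless the caller is a member of the local Administrators group.
        Dim principal As New WindowsPrincipal(caller)
        If Not principal.IsInRole(WindowsBuiltInRole.Administrator) Then
            Throw New UnauthorizedAccessException("Caller is not a local administrator.")
        End If

        ' Switch the thread to the caller's token only for the privileged call.
        Dim impersonation As WindowsImpersonationContext = caller.Impersonate()
        Try
            Using machine As New DirectoryEntry("WinNT://" & Environment.MachineName & ",computer")
                Using newUser As DirectoryEntry = machine.Children.Add(userName, "user")
                    newUser.Invoke("SetPassword", New Object() {password})
                    newUser.Invoke("Put", New Object() {"Description", "Created from ASP.NET"})
                    newUser.CommitChanges()
                End Using
            End Using
        Finally
            ' Always revert; otherwise later code on this thread keeps running as the administrator.
            impersonation.Undo()
        End Try
    End Sub

End Module
```

Scoping the impersonation to this one call, instead of setting <identity impersonate="true"/> for the whole application, keeps the rest of the request running under the application pool identity.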