WindowsImpersonationContext and DirectoryServices

danycloutier

Hi everybody,

I'm developing an application where I have to read information in the
Active Directory (Windows 2000). I have to impersonate my calls with
specific users to have access to different parts of the AD.

I impersonate the user with the code below (I get token via the
function LogonUser in ADVAPI32.DLL ).

    WindowsImpersonationContext wic;
    if (token != IntPtr.Zero)   // token returned by LogonUser
    {
        WindowsIdentity wi;
        using (wi = new WindowsIdentity(token))
        {
            wic = wi.Impersonate();   // switch the thread to the logged-on user
        }
    }
    // bind to the directory after the impersonation block
    dirEntry = new DirectoryEntry(myConnString);


But after it, I'm unable to read in the AD. I think the DirectoryEntry
constructor is called with the credentials of my web server (the user
USR_... on the local computer) and the connection is refused. Is there any
solution to impersonate the call to the AD without specifying the
credentials in the DirectoryEntry constructor?

Thank you

Dany
 
Joe Kaplan

Your DirectoryEntry is outside of the "using" block, so your impersonation
is being undone before you even call anything. That is why this isn't
working. :)

Note that with the DirectoryEntry, you don't need impersonation like you do
with a lot of other remote security operations. DirectoryEntry is
LDAP-based (assuming you are using the LDAP provider, which you should be
100% for AD) and LDAP natively supports supplying credentials directly.

Thus, instead of bothering to call LogonUser, getting a token and
impersonating, you could just pass those credentials directly to the
DirectoryEntry object (using the AuthenticationTypes.Secure parameter as
well!) and it will just work.

HTH,

Joe K.
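The approach Joe describes, as an added example that is not the poster's or Joe's code: bind with explicit credentials and AuthenticationTypes.Secure instead of impersonating. The LDAP path, the service account and the password are placeholders, and the lookup by sAMAccountName is assumed as a representative read.

```csharp
using System;
using System.DirectoryServices;

// Added example (not from the original thread): reading from AD with credentials
// passed straight to DirectoryEntry, so no LogonUser/Impersonate is needed.
class AdLookup
{
    // Returns the displayName of the given account, or null if not found.
    // AuthenticationTypes.Secure negotiates Kerberos/NTLM so the bind password is not
    // sent in clear text; Sealing additionally encrypts the LDAP traffic.
    public static string GetDisplayName(string ldapPath, string bindUser,
                                        string bindPassword, string sAMAccountName)
    {
        var authTypes = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
        using (var root = new DirectoryEntry(ldapPath, bindUser, bindPassword, authTypes))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the caller-supplied value so it cannot alter the filter's structure.
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName="
                              + EscapeFilterValue(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("displayName");
            SearchResult hit = searcher.FindOne();
            if (hit == null || hit.Properties["displayName"].Count == 0)
                return null;
            return (string)hit.Properties["displayName"][0];
        }
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    static void Main()
    {
        // Placeholder values: use your domain's LDAP path and a least-privilege
        // read-only service account; keep the password out of source code.
        string name = GetDisplayName("LDAP://dc.example.com/DC=example,DC=com",
                                     "EXAMPLE\\svc-ldap-reader", "<password>", "jdoe");
        Console.WriteLine(name ?? "(not found)");
    }
}
```

Because the credentials live in the DirectoryEntry itself, the bind works regardless of which identity the web server's worker process runs under.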