Hoe kan jy 'n Active Directory gebruiker in Powershell verpersoonlik?
https://stackoverflow.com/questions/11806
-
08-06-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianVra
Ek probeer om Powershell hardloop beveel deur 'n web koppelvlak (ASP.NET/C#) ten einde posbusse / ens te skep op Exchange 2007 Toe ek die bladsy uitgevoer met behulp van Visual Studio (Cassini), die bladsy laai korrek . Maar toe ek loop dit op IIS (v5.1), kry ek die fout "onbekende gebruiker naam of sleg wagwoord". Die grootste probleem wat ek opgemerk het, was dat Powershell is aangemeld as Aspnet in plaas van my Active Directory rekening. Hoe kan ek my Powershell sessie dwing om bekragtig met 'n ander Active Directory rekening?
Eintlik is die skrif wat ek tot dusver lyk iets soos hierdie:
RunspaceConfiguration rc = RunspaceConfiguration.Create();
PSSnapInException snapEx = null;
rc.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapEx);
Runspace runspace = RunspaceFactory.CreateRunspace(rc);
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
using (pipeline)
{
pipeline.Commands.AddScript("Get-Mailbox -identity 'user.name'");
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
if (pipeline.Error != null && pipeline.Error.Count > 0)
{
foreach (object item in pipeline.Error.ReadToEnd())
resultString += "Error: " + item.ToString() + "\n";
}
runspace.Close();
foreach (PSObject obj in results)
resultString += obj.ToString();
}
return resultString;
Oplossing 3
Exchange 2007 nie toelaat dat jy 'n gebruiker vir sekuriteitsredes verpersoonlik. Dit beteken dat dit onmoontlik is (op die oomblik) om posbusse te skep deur hom voordoen as 'n gebruiker. Ten einde om hierdie probleem te kry, ek het 'n web diens wat loop onder AD gebruiker wat toestemming het om e-pos Acounts skep, ens Jy kan dan toegang tot hierdie webservice om toegang tot Powershell kry. Onthou asseblief om die nodige sekuriteit by te voeg, want dit potensieel 'n groot gat in die beveiliging kon wees.
Ander wenke
Hier is 'n klas wat ek gebruik om 'n gebruiker te verpersoonlik.
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
namespace orr.Tools
{
#region Using directives.
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.ComponentModel;
#endregion
/// <summary>
/// Impersonation of a user. Allows to execute code under another
/// user context.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <remarks>
/// This class is based on the information in the Microsoft knowledge base
/// article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
///
/// Encapsulate an instance into a using-directive like e.g.:
///
/// ...
/// using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
/// {
/// ...
/// [code that executes under the new context]
/// ...
/// }
/// ...
///
/// Please contact the author Uwe Keim (mailto:uwe.keim@zeta-software.de)
/// for questions regarding this class.
/// </remarks>
public class Impersonator :
IDisposable
{
#region Public methods.
/// <summary>
/// Constructor. Starts the impersonation with the given credentials.
/// Please note that the account that instantiates the Impersonator class
/// needs to have the 'Act as part of operating system' privilege set.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
public Impersonator(
string userName,
string domainName,
string password)
{
ImpersonateValidUser(userName, domainName, password);
}
// ------------------------------------------------------------------
#endregion
#region IDisposable member.
public void Dispose()
{
UndoImpersonation();
}
// ------------------------------------------------------------------
#endregion
#region P/Invoke.
[DllImport("advapi32.dll", SetLastError = true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
private static extern bool CloseHandle(
IntPtr handle);
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
// ------------------------------------------------------------------
#endregion
#region Private member.
// ------------------------------------------------------------------
/// <summary>
/// Does the actual impersonation.
/// </summary>
/// <param name="userName">The name of the user to act as.</param>
/// <param name="domainName">The domain name of the user to act as.</param>
/// <param name="password">The password of the user to act as.</param>
private void ImpersonateValidUser(
string userName,
string domain,
string password)
{
WindowsIdentity tempWindowsIdentity = null;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
try
{
if (RevertToSelf())
{
if (LogonUser(
userName,
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
else
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
finally
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
if (tokenDuplicate != IntPtr.Zero)
{
CloseHandle(tokenDuplicate);
}
}
}
/// <summary>
/// Reverts the impersonation.
/// </summary>
private void UndoImpersonation()
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
private WindowsImpersonationContext impersonationContext = null;
// ------------------------------------------------------------------
#endregion
}
}
In jou ASP.NET app, sal jy nodig het om 'n geldige AD rekening verpersoonlik met die korrekte permissies:
Jy kan 'n regstelling nodig het.
Van: http://support.microsoft.com/kb/943937
'n Aansoek kan nie verpersoonlik 'n gebruiker en dan hardloop Windows PowerShell beveel in 'n Exchange Server 2007 omgewing
Om hierdie probleem op te los, te installeer Werk Pakket 1 vir Exchange Server 2007 Service Pack 1.
Hierdie artikel oor MSDN blogs lyk na 'n manier om dit te doen wys, ek het nie in staat was om dit nog probeer, maar sal jou laat weet wanneer ek dit doen.
