If your Active Directory is locked down so tightly that the IIS worker-process identity cannot read it, and you can't or don't want to run your whole site under an impersonated user id, make the following changes to your ADSI Provider so that only the directory lookups run as the configured AD account. I have used this method with all versions of the DotNetNuke AD code, but the code listed here is for the 4.06.x and later code.
1. In web.config, un-comment `<identity impersonate="true" />` but do not add userName/password attributes. Without stored credentials ASP.NET impersonates the request's own Windows identity; the AD service account below is impersonated only for the duration of the AD lookups, not for the whole site.
2. Add the following class to your ADSIProvider project (you will need the Active Directory Provider source code)
********************* Copy From Here *******************************
Imports Microsoft.VisualBasic
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal
Imports System.Runtime.InteropServices
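Namespace DotNetNuke.Authentication.ActiveDirectory.ADSI
    ''' <summary>
    ''' Temporarily runs the current thread as a named Windows account so that the
    ''' ADSI lookups made while the provider configures itself use that account's
    ''' token instead of the worker-process (or request) identity.
    ''' Usage: call impersonateValidUser, do the directory work, then call
    ''' undoImpersonation - or wrap the instance in a Using block, since Dispose
    ''' reverts the thread as well. Never leave the thread impersonated: ASP.NET
    ''' worker threads are pooled and would serve later requests as this account.
    ''' </summary>
    Public Class ImpersonateUser
        Implements IDisposable

        ' dwLogonType values for LogonUser (winbase.h).
        Public Const LOGON32_LOGON_INTERACTIVE As Integer = 2
        Public Const LOGON32_LOGON_NETWORK As Integer = 3
        ' Network-style logon whose token keeps the credentials, so the impersonated
        ' thread can still authenticate to a remote DC/GC. Unlike INTERACTIVE it does
        ' not need the "Allow log on locally" right on the web server.
        Public Const LOGON32_LOGON_NETWORK_CLEARTEXT As Integer = 8
        Public Const LOGON32_PROVIDER_DEFAULT As Integer = 0

        ' SECURITY_IMPERSONATION_LEVEL passed to DuplicateToken: SecurityImpersonation,
        ' which is enough to act as the user on this machine.
        Private Const SECURITY_IMPERSONATION As Integer = 2

        Private impersonationContext As WindowsImpersonationContext
        Private mLastError As Integer

        ' VB "Declare" always marshals with SetLastError:=True, so Marshal.GetLastWin32Error
        ' is valid right after each of these calls.
        ' "Auto" resolves to the Unicode (LogonUserW) entry point on NT systems, so a
        ' password containing characters outside the ANSI code page is no longer mangled.
        ' Win32 BOOL is a 32-bit value: the return types must be Integer, not Long
        ' (a 64-bit Long return leaves the upper half undefined and breaks the checks).
        Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
            ByVal lpszUsername As String, _
            ByVal lpszDomain As String, _
            ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, _
            ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Integer
        Private Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
            ByVal ExistingTokenHandle As IntPtr, _
            ByVal ImpersonationLevel As Integer, _
            ByRef DuplicateTokenHandle As IntPtr) As Integer
        Private Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Integer
        Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Integer

        ''' <summary>
        ''' Win32 error code of the call that made the last impersonateValidUser
        ''' attempt fail (0 when it succeeded). Log this instead of guessing why
        ''' the directory later looks unreachable.
        ''' </summary>
        Public ReadOnly Property LastError() As Integer
            Get
                Return mLastError
            End Get
        End Property

        ''' <summary>
        ''' Logs on the given account and impersonates the resulting token on the
        ''' current thread.
        ''' </summary>
        ''' <param name="userName">Account name without the domain part.</param>
        ''' <param name="domain">NetBIOS or DNS domain name (a plain name, not an LDAP path).</param>
        ''' <param name="password">Clear-text password of the account.</param>
        ''' <param name="logonType">One of the LOGON32_LOGON_* constants. Defaults to
        ''' LOGON32_LOGON_INTERACTIVE (the original behaviour), which requires the
        ''' account to hold the "Allow log on locally" right on this server;
        ''' LOGON32_LOGON_NETWORK_CLEARTEXT is the usual choice for a service account
        ''' that only needs to reach the directory.</param>
        ''' <returns>True when the thread is now impersonating the account; False
        ''' otherwise, with LastError holding the Win32 error of the failed step.</returns>
        Public Function impersonateValidUser(ByVal userName As String, _
                                             ByVal domain As String, _
                                             ByVal password As String, _
                                             Optional ByVal logonType As Integer = LOGON32_LOGON_INTERACTIVE) As Boolean
            Dim token As IntPtr = IntPtr.Zero
            Dim tokenDuplicate As IntPtr = IntPtr.Zero
            mLastError = 0

            Try
                ' Drop any impersonation already active on this thread so the logon
                ' is performed by the process identity.
                If RevertToSelf() = 0 Then
                    mLastError = Marshal.GetLastWin32Error()
                    Return False
                End If

                If LogonUser(userName, domain, password, logonType, _
                             LOGON32_PROVIDER_DEFAULT, token) = 0 Then
                    mLastError = Marshal.GetLastWin32Error()
                    Return False
                End If

                If DuplicateToken(token, SECURITY_IMPERSONATION, tokenDuplicate) = 0 Then
                    mLastError = Marshal.GetLastWin32Error()
                    Return False
                End If

                ' WindowsIdentity duplicates the handle it is given, so both raw
                ' handles are safe to close in Finally while impersonation stays active.
                Dim identity As New WindowsIdentity(tokenDuplicate)
                impersonationContext = identity.Impersonate()
                Return (impersonationContext IsNot Nothing)
            Finally
                ' Close the raw token handles on every path, including the early returns.
                If tokenDuplicate <> IntPtr.Zero Then
                    CloseHandle(tokenDuplicate)
                End If
                If token <> IntPtr.Zero Then
                    CloseHandle(token)
                End If
            End Try
        End Function

        ''' <summary>
        ''' Reverts the thread to the identity it had before impersonateValidUser.
        ''' Safe to call more than once and when no impersonation is active.
        ''' </summary>
        Public Sub undoImpersonation()
            If impersonationContext IsNot Nothing Then
                impersonationContext.Undo()
                impersonationContext.Dispose()
                impersonationContext = Nothing
            End If
        End Sub

        ''' <summary>
        ''' IDisposable support so the caller can use a Using block and be certain the
        ''' thread is reverted even when an exception escapes the directory work.
        ''' </summary>
        Public Sub Dispose() Implements IDisposable.Dispose
            undoImpersonation()
        End Sub
    End Class
End Namespace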
********************* To Here *******************************
3. Replace the `Sub New()` constructor in the Configuration.vb file with the following one. The four lines that are actually new end with the comment '***ImpersonateUser***.
********************* Copy From Here *******************************
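Sub New()
    ' Reads the provider settings, then probes the Global Catalog and LDAP rootDSE
    ' to decide whether AD integration is usable. The probes run while the thread
    ' impersonates the configured AD account; the outer Finally guarantees the
    ' thread is reverted on every exit path. The original only reverted on the
    ' COMException paths, so any other exception (e.g. a NullReferenceException
    ' when the configurationNamingContext attribute is missing) left a pooled
    ' ASP.NET worker thread running as the service account for later requests.
    Dim UseUser As New ImpersonateUser '***ImpersonateUser***
    Dim authConfig As DotNetNuke.Authentication.ActiveDirectory.Configuration = DotNetNuke.Authentication.ActiveDirectory.Configuration.GetConfig()
    mPortalId = authConfig.PortalId
    Try
        'Temporary fix this setting as TRUE for design, to be removed when release
        mConfigDomainPath = authConfig.RootDomain
        mDefaultEmailDomain = authConfig.EmailDomain
        mUserName = authConfig.UserName
        mPassword = authConfig.Password
        mAuthenticationType = CType([Enum].Parse(GetType(AuthenticationTypes), authConfig.AuthenticationType), AuthenticationTypes)
        ' IMPORTANT: Remove ADSIPath, to be added later depends on accessing method
        mRootDomainPath = ADSI.Utilities.ValidateDomainPath(mConfigDomainPath)
        mRootDomainPath = Right(mRootDomainPath, mRootDomainPath.Length - mRootDomainPath.IndexOf("DC="))
    Catch exc As Exception
        mProcessLog += exc.Message & "<br>"
    End Try

    ' Only credentials that are actually configured can be impersonated; with none
    ' set the probes below run as the current identity, exactly as before.
    Dim haveCredentials As Boolean = (Not String.IsNullOrEmpty(mUserName)) AndAlso (Not String.IsNullOrEmpty(mPassword))

    Try
        If haveCredentials Then
            ' NOTE(review): the domain argument is the configured RootDomain, which
            ' LogonUser expects as a plain NetBIOS/DNS domain name - confirm the
            ' setting is not an LDAP path in your installation.
            If Not UseUser.impersonateValidUser(mUserName, mConfigDomainPath, mPassword) Then '***ImpersonateUser***
                ' Carry on unimpersonated, as the original did, but record it: a silent
                ' failure here is indistinguishable from "AD unreachable" later on.
                mProcessLog += "Impersonation of configured AD account failed; continuing as current identity<br>"
            End If
        End If

        ' Also check if Authentication implemented in this Windows Network
        Try
            If DirectoryEntry.Exists("GC://rootDSE") Then
                Dim rootGC As DirectoryEntry
                If haveCredentials Then
                    rootGC = New DirectoryEntry("GC://rootDSE", mUserName, mPassword, mAuthenticationType)
                Else
                    rootGC = New DirectoryEntry("GC://rootDSE")
                End If
                Try
                    mConfigurationPath = rootGC.Properties(ADSI_CONFIGURATIONNAMIMGCONTEXT).Value.ToString
                Finally
                    ' DirectoryEntry wraps a COM object; release it deterministically.
                    rootGC.Dispose()
                End Try
                mADSINetwork = True
            End If
        Catch exc As System.Runtime.InteropServices.COMException
            mADSINetwork = False
            mLDAPAccesible = False
            mProcessLog += exc.Message & "<br>"
            LogException(exc)
            ' Nothing to do if we could not access Global Catalog, so return
            ' (the outer Finally still reverts the impersonation).
            Return
        End Try

        ' Also check if LDAP fully accessible
        Try
            If DirectoryEntry.Exists("LDAP://rootDSE") Then
                mLDAPAccesible = True
                mRefCollection = New ADSI.CrossReferenceCollection(mUserName, mPassword, mAuthenticationType)
            End If
        Catch exc As System.Runtime.InteropServices.COMException
            mLDAPAccesible = False
            mProcessLog += exc.Message & "<br>"
            LogException(exc)
        End Try
    Finally
        ' Always revert, whatever happened above (harmless when nothing was impersonated).
        UseUser.undoImpersonation() '***ImpersonateUser***
    End Try
End Sub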
********************* To Here *******************************
4. Compile the DotNetNuke.Authentication.ActiveDirectory.dll and configure the provider as you normally would; the new code will use the provided user id and password from the provider settings when querying AD during the configuration process.
As long as the supplied user has read access to your AD, and is allowed to log on to the web server (LogonUser is called with LOGON32_LOGON_INTERACTIVE, which needs the "Allow log on locally" right on that machine), this code should work however tightly the rest of the directory is locked down. Use a dedicated, least-privilege read-only account for this, and protect the password it stores in the provider configuration (for example by encrypting that web.config section), since the code handles it in clear text. I would also like to apologize for requiring you to cut and paste, but I just lost my personal web server due to a hardware failure and currently have no place to host the files for download.