Active Directory Passthrough Credentials
I am trying to create some processes for our Helpdesk team. Some of them are very complicated, but I will present a very simple one here:
The worker (with rights granted through AD) wants to unlock a user's account. They click the "Unlock Account" link provided on their website. This kicks off a web form that grabs the username from the Get Current User component (HttpContext option). Data is retrieved from AD and the worker's account information is formed into an array. This array contains Username and Userpass items. The provided info is used to authenticate the worker during the Unlock User process.
When running this in Debug mode (and Get Current User in WindowsPrincipal mode) it works like a charm. However, when published to the server I get a "bad password" error. I can't understand why the data returned from AD would contain the correct password information in Debug mode, but not in production.
Any ideas?
Please let me know if you get this working. I'd like to use it too if you don't mind sharing. :)
-Geo
Don't forget to mark the solution to your forum post if it has been answered!
When you run your Workflow in your local debugger, you execute it with your own credentials, thus it'll work just fine.
After you have published it, it's run on IIS, which by default is accessed "anonymously" by the "Network Service" account.
You need to change your project's web.config file to read:
<authentication mode="Windows" /> instead of <authentication mode="None" />
After the project is published, you need to modify the permissions within the IISManager for this project and remove the "Allow anonymous access" checkbox.
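Added example, not code from any poster in this thread or from the Workflow product: a generic ASP.NET (.NET Framework) C# helper that reports the authenticated caller next to the account the code actually runs as, then performs the unlock while impersonating the caller so that no password has to be read or replayed. The names `UnlockHelper`, `DescribeIdentities`, `UnlockAsCaller` and `targetSam` are hypothetical, and it assumes Windows authentication is enabled and anonymous access is disabled as described above.

```csharp
// Added example (not from the thread). Generic ASP.NET / .NET Framework code;
// class, method and parameter names are hypothetical.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public static class UnlockHelper
{
    // Reports who sent the request versus who the worker process runs as.
    // In the debugger both are the developer; on IIS the second one is the
    // application pool account (for example NETWORK SERVICE).
    public static string DescribeIdentities(HttpContext ctx)
    {
        bool authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        string caller = authenticated
            ? ctx.User.Identity.Name + " (" + ctx.User.Identity.AuthenticationType + ")"
            : "(anonymous)";
        string process = WindowsIdentity.GetCurrent().Name;
        return "Caller: " + caller + "; process: " + process;
    }

    // Unlocks targetSam while running as the authenticated caller, so Active
    // Directory evaluates the caller's own delegated rights. The caller's
    // password is never available to the application and is not needed.
    public static void UnlockAsCaller(HttpContext ctx, string targetSam)
    {
        var caller = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        using (var domain = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(
                   domain, IdentityType.SamAccountName, targetSam))
        {
            if (user == null)
                throw new ArgumentException("No such account: " + targetSam);
            if (user.IsAccountLockedOut())
                user.UnlockAccount();
        } // disposing the impersonation context reverts to the process identity
    }
}
```

When the domain controller is a different machine from the web server, the impersonated token also has to be usable for that second hop, which requires Kerberos delegation to be configured for the server or application pool account.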
I've already done that. This is why I'm confused that the same account in Debug does not work on production. I even have ASCII labels to verify the domain and user are correct before attempting the unlock. When using debug (WindowsPrincipal account) I take the returned name and pull back the AD information. The username, description, etc. are pulled back as expected, and the Userpass authenticates with no problem. When I move to production (HttpContext mode with Windows authentication), it pulls back all of the same AD information but will not authenticate with Userpass. I added a text box to allow me to enter my password manually, and it works fine (but that's not what I want to do)...
Just as a side note, I think you also need to check the "Integrated windows authentication" box after removing the "Allow anonymous access" box.
After some research, I think what's happening is that Userpass takes the current Windows password (not the user returned by the Get User component) and compares it to the AD password of the retrieved user. In Debug mode, the current Windows user is me, so of course my password will match the retrieved AD password. In production, the Windows user is NETWORK SERVICE. Obviously the passwords will not match up. What I need is a way to retrieve the browser or Windows password of the actual user, just like the Get Current User component pulls the username.
In other words, I need to compare the HttpContext password to the appropriate AD account. Any suggestions?
I had a similar problem passing credentials..
And the problem was actually an issue with the OOB ActiveDirectory integration component in 6.5. You can use the Incendio component, but instead I would recommend downloading the 7.0 version of the ActiveDirectory DLLs, which are available on workflowswat.com, and using those instead.
That way, when you upgrade to 7.0 you won't have to worry about compatibility.
Hope that helps,
Jim
Question
Steve, are you trying to unlock only the current user's account or do you want them to be able to unlock anyone's account?