web service, active directory authentication

Jan 29, 2010 at 10:21 PM

I'm looking to deploy a web service for AD computer tasks and SCCM OSD.  My problem is that I want to be able to perform the AD tasks (e.g. create a computer object) as the frontend user rather than a predefined user.  In other words, have the user enter their credentials using a front end and then use the web service to perform the necessary tasks.  The reason for this is I'm under heavy audit requirements to log who is doing the creating and/or moving of the computer objects.

I'm pretty sure this can't be done in the current v6 web service implementation.  Assuming I'm right, does anyone have any advice to go about implementing something like this?

Thanks in advance!


Jan 30, 2010 at 5:29 PM

Hi Paul,

even if I haven't tested it yet (but will do in the next couple of days), Impersonation should be able to do what you want. See http://msdn.microsoft.com/en-us/library/ms998351.aspx for more information about this topic (or http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx for an overview). The initial configuration of your webservice will become a bit more complicated due to some side effects, but finally each call should be executed in the context of the user calling the function. The current logging is mainly for debugging purposes, so it won't log what user executed what function. But you could implement a custom logging and simply add something like "User.Identity.Name" to each call.

I don't know your timeframe but I'm going to release large parts of the webservice in source code, so that everybody (who wants to) is able to create their own functions by using a pre-compiled backend. I don't have an exact date when this will be published, as I need to make some minor changes to the source (like better code documentation ;-) ), but it shouldn't take too long.
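As an added illustration of what the reply above describes (this is example code written for this page, not code from the webservice discussed in the thread or from either poster), here is the general shape of an ASP.NET (.asmx) web method that runs under the caller's Windows identity and writes an audit line containing User.Identity.Name. The service and method names, the XML namespace, the audit log path and the input validation rules are all assumptions made for the example; the web.config fragment needed to switch on impersonation is shown in the comment at the top.

```csharp
// Added example, not the original webservice's code. Assumes an ASP.NET .asmx service
// hosted in IIS with Windows authentication enabled and anonymous access disabled,
// plus this web.config (shown here as a comment, not as a second file):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//     <authorization><deny users="?" /></authorization>
//   </system.web>
//
// With those settings each request is processed under the caller's Windows token,
// so the DirectoryEntry calls below are made to the domain controller as that user
// and the DC's own security log records the real creator of the object.

using System;
using System.DirectoryServices;
using System.IO;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/adcomputer")] // namespace: assumption
public class AdComputerService : WebService
{
    // Audit log location: an assumption for the example. The app pool identity
    // (not the callers) needs write access to it; see Audit() below.
    private const string AuditLog = @"C:\Logs\adcomputer-audit.log";

    // Accept only NetBIOS-style computer names and plain OU distinguished names so
    // that caller input cannot smuggle extra LDAP path components.
    private static readonly Regex NameRx = new Regex(@"^[A-Za-z0-9-]{1,15}$");
    private static readonly Regex DnRx = new Regex(@"^(OU|CN)=[^,/]+(,(OU|DC|CN)=[^,/]+)+$", RegexOptions.IgnoreCase);

    [WebMethod]
    public string CreateComputer(string computerName, string ouDistinguishedName)
    {
        // Identity as ASP.NET sees it (DOMAIN\user) and the token the thread really runs under.
        string caller = HttpContext.Current.User.Identity.Name;
        string token = WindowsIdentity.GetCurrent().Name;

        Audit(caller, token, "CreateComputer", computerName, ouDistinguishedName, "start");
        try
        {
            if (!NameRx.IsMatch(computerName ?? "") || !DnRx.IsMatch(ouDistinguishedName ?? ""))
                throw new ArgumentException("invalid computer name or OU DN");

            // If impersonation is not in effect the thread still runs as the app pool
            // account and the audit trail would lie, so refuse rather than continue.
            if (!string.Equals(caller, token, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("impersonation not in effect; running as " + token);

            // No explicit credentials: DirectoryEntry uses the (impersonated) thread token.
            using (var ou = new DirectoryEntry("LDAP://" + ouDistinguishedName))
            using (DirectoryEntry computer = ou.Children.Add("CN=" + computerName, "computer"))
            {
                computer.Properties["sAMAccountName"].Value = computerName.ToUpperInvariant() + "$";
                // 0x1020 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, the usual value
                // for a pre-staged computer account.
                computer.Properties["userAccountControl"].Value = 0x1020;
                computer.CommitChanges();

                Audit(caller, token, "CreateComputer", computerName, ouDistinguishedName, "ok");
                return computer.Path;
            }
        }
        catch (Exception ex)
        {
            Audit(caller, token, "CreateComputer", computerName, ouDistinguishedName, "error: " + ex.Message);
            throw;
        }
    }

    private static void Audit(string caller, string token, string op, string target, string container, string result)
    {
        string line = string.Format("{0:o}\t{1}\t{2}\t{3}\t{4}\t{5}\t{6}",
            DateTime.UtcNow, caller, token, op, target, container, result);

        // Temporarily revert to the process (app pool) identity for the log write so
        // callers neither need write access to the audit file nor can tamper with it.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            File.AppendAllText(AuditLog, line + Environment.NewLine);
        }
    }
}
```

The "side effects" mentioned in the reply are mostly the double-hop problem: the token IIS obtains by impersonating a network client can be used on the web server itself, but it can only be used to authenticate onward to the domain controller (the LDAP bind above) if the client authenticated with Kerberos and the web server's service account is trusted for delegation to the DC's LDAP service (constrained delegation). With NTLM, or without delegation, the DirectoryEntry call fails even though User.Identity.Name is correct, which is why the example checks the thread token explicitly instead of trusting the principal name alone.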