.NET Forum / ASP.NET / Security / June 2005


Security Challenge: Runtime impersonation without calling LogonUser

Web Developer - 24 Jun 2005 19:38 GMT
I have an ASP.Net web application that uses Integrated Authentication.  I'd
like to impersonate the person making the request at RUNTIME instead of
specifying impersonate="true" in the web.config.  

Does anyone know how I can get the requesting user's userToken to pass to
the Impersonate method of the
System.Threading.Thread.CurrentPrincipal.Identity?

i.e.

'Retrieve the requesting user's security token
Dim userToken As IntPtr = /Some call here/

Dim MyImpersonationContext As System.Security.Principal.WindowsImpersonationContext

'Temporarily impersonate the requesting user
MyImpersonationContext = CType(System.Threading.Thread.CurrentPrincipal.Identity, _
    System.Security.Principal.WindowsIdentity).Impersonate(userToken)

'Call a web service using the logged-on user's credentials

'Revert the impersonation
MyImpersonationContext.Undo()

Thanks for your help!
Joseph Bittman MCAD - 24 Jun 2005 20:56 GMT
June 24, 2005

  From what I understand, you are looking to create an impersonation
context from the web application's USER and not the web application's local
service account. In this case, the easiest way would be to disable anonymous
auth in IIS, enable Windows Integrated Auth, and disable anonymous auth in the
web.config. You do not need to put the impersonate="true" element in, though.
Then use the code:

' Requires: Imports System.Security.Principal
Dim context As WindowsImpersonationContext = _
    CType(User.Identity, WindowsIdentity).Impersonate()
Try
    'do something
Finally
    context.Undo()
End Try

User is a WindowsPrincipal object which contains the web application's user
identity and not the service account of the application. You can use
Identity.Impersonate from it. I'm not quite sure what the user token you are
wanting is needed for, but I do believe that somewhere under User.Identity
there is a user token property. This should work, and I hope this helps! :-)
Let me know how it turns out!

Joseph Bittman
Microsoft Certified Application Developer

Web Developer - 24 Jun 2005 21:22 GMT
Thanks for your reply Joseph.

What I'm trying to do is make a web service call from my web application
using the credentials of the authenticated user.  After I call "context =
USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials =
System.Net.CredentialCache.DefaultCredentials" to add the authenticated
user's credentials to the web service proxy.  However, the DefaultCredentials
are null.  

Do you know how I can pass the credentials of the authenticated user to the
web service proxy?

Thank you again.
Joe Kaplan (MVP - ADSI) - 24 Jun 2005 22:11 GMT
If you are using IWA in IIS, you will need Kerberos delegation to get this
scenario to work since it is a double hop.  The code you are using is
actually correct.  It is actually easier to just use impersonate="true", but
there may be some reason why you don't want impersonation on for the whole
request.

I'd suggest reading some of the documentation on Kerberos delegation to
figure out what it is that you need to do and how to troubleshoot it.
http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx


Joe K.

Joseph Bittman MCAD - 25 Jun 2005 00:04 GMT
June 24, 2005

  It is perfectly understandable that he doesn't want to use
impersonate="true". If the user is an Administrator, it would not be as secure
to have the entire request run under that account. Instead, as an
application security best practice, you should impersonate right before and
ONLY during the sensitive task. :-)

Joseph Bittman
Microsoft Certified Application Developer

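The scoped, runtime impersonation Joseph describes, combined with the delegation check that Joe Kaplan's double-hop point calls for, as an added VB.NET example (not code from any post in this thread). It assumes IIS is set to Integrated Windows Authentication with anonymous access off, and that the proxy is a Visual Studio-generated Web reference (every such proxy derives from SoapHttpClientProtocol). The class name, the ServiceCall delegate and the method names are mine.

```vb
Imports System
Imports System.Net
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Services.Protocols

' Added example, not code from the thread. Impersonates the authenticated
' caller only for the duration of one web-service call, and refuses to try
' when the token cannot be delegated (the "double hop" Joe Kaplan mentions).
' Assumes IIS: Integrated Windows Authentication on, anonymous access off.
Public NotInheritable Class CallerImpersonation

    ' Signature of the work to run under the caller's identity. "ServiceCall"
    ' is a name chosen for this example.
    Public Delegate Sub ServiceCall(ByVal proxy As SoapHttpClientProtocol)

    Private Sub New()
    End Sub

    ' Returns the caller's WindowsIdentity, or throws if the request was not
    ' Windows-authenticated (for example, anonymous access left on in IIS).
    Public Shared Function RequireCaller(ByVal ctx As HttpContext) As WindowsIdentity
        Dim id As WindowsIdentity = TryCast(ctx.User.Identity, WindowsIdentity)
        If id Is Nothing OrElse id.IsAnonymous OrElse Not id.IsAuthenticated Then
            Throw New InvalidOperationException( _
                "Request is not Windows-authenticated; cannot impersonate the caller.")
        End If
        Return id
    End Function

    ' The second hop succeeds only with a delegation-level token, which IIS
    ' produces when Kerberos delegation is configured. NTLM, or Kerberos
    ' without delegation, yields an Impersonation-level token: local work
    ' runs as the user, but network authentication as the user is not possible.
    Public Shared Function CanDelegate(ByVal id As WindowsIdentity) As Boolean
        Return id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Runs "work" against "proxy" as the caller. Impersonation starts right
    ' before the call and is always reverted, even when the call throws.
    Public Shared Sub InvokeAsCaller(ByVal ctx As HttpContext, _
                                     ByVal proxy As SoapHttpClientProtocol, _
                                     ByVal work As ServiceCall)
        Dim caller As WindowsIdentity = RequireCaller(ctx)
        If Not CanDelegate(caller) Then
            Throw New InvalidOperationException( _
                "Caller token level is " & caller.ImpersonationLevel.ToString() & _
                "; Kerberos delegation is required to reach the web service as the user.")
        End If

        ' DefaultCredentials is a marker meaning "whoever the thread is when
        ' the request is sent", so the send must happen inside the
        ' impersonation scope below, not merely after the assignment.
        proxy.Credentials = CredentialCache.DefaultCredentials

        Dim imp As WindowsImpersonationContext = caller.Impersonate()
        Try
            work.Invoke(proxy)
        Finally
            imp.Undo()
        End Try
    End Sub

End Class
```

WindowsIdentity.Token is the IntPtr the first post asks about, and WindowsIdentity.Impersonate(IntPtr) is the Shared overload that accepts it; calling Impersonate() on the caller's own WindowsIdentity, as above, yields the same context without handling the raw handle. If CanDelegate returns False, the web service sees an anonymous (NULL session) logon rather than the user, and the fix is on the Kerberos side (SPNs and trust-for-delegation on the web server's account), not in this code.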

©2008 Advenet LLC   Privacy Policy - Terms of Use