Going from anonymous security to Windows Security in an ASP.NET application

Discussion in 'ASP .Net Security' started by Michael Randrup, Mar 27, 2006.

  1. Hi,

    I have the following problem:

    1) We have to validate users on an anonymous/public-website using a custom
    login page.

    2) From this login page we redirect them to an extranet site, which shows
    them SharePoint information, etc. e.g. from this point on their web requests
    should be performed with their impersonated identities, not as anonymous
    users. The extranet site uses Windows Integrated Security, while the "main
    site" uses anonymous logins.

    For them to use the SharePoint functionality we need to impersonate a
    Windows user that has the correct access to SharePoint. I have gotten so
    far as to do the impersonation:

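    imp = New ImpersonationWrapper
    imp.ImpersonateUser("username", "password", "domain")

    ' Replace the request's principal with the impersonated Windows identity
    Me.Context.User = New System.Security.Principal.WindowsPrincipal(imp.NewId)

    ' Cache the principal under the key "W" with a 10-minute sliding expiration
    Me.Cache.Add("W", Me.Context.User, Nothing, DateTime.MaxValue, _
        New TimeSpan(0, 10, 0), CacheItemPriority.High, Nothing)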


    This sets the request context to the correct windows user, using a small
    wrapper class around the Win32 LogonUser() API. I can now cache the
    IPrincipal and set the context in each form_load() from this point on:

    Me.Context.User = CType(Me.Cache("W"), IPrincipal)

    My problem is that when I, for example, load the SharePoint page in an
    IFRAME on the page, it is not using my impersonated user because the
    SharePoint page is located in another web application or something?!?!

    Do any of you have a good approach for doing this?!

    Thanks in advance!

    Michael
    Michael Randrup, Mar 27, 2006
    #1

  2. Hello,

    The IFrame is populated on the client, not on the server. Therefore, any
    impersonation which takes place on the server has no effect on a page loaded
    in an IFrame.

    Internet Explorer does have a setting regarding Windows authentication -
    it's buried in the security settings for the
    internet/intranet/trusted/restricted sites. If you set this to "Automatic
    logon with current username and password", the user won't have to identify
    themselves each time.

    No other solution here, I'm afraid.

    Greetings,
    Henning Krause

    Henning Krause [MVP], Mar 27, 2006
    #2

  3. Hi Henning,

    Thanks for your suggestion. Although it wouldn't work for me in the real
    world, because the main site is actually a public website, so I have no
    control over the browser settings, I just tried your suggestion with my own
    browser.

    Apparently the IFRAME posts a second request, which is not in the same
    context as the first request for which I am impersonating the
    page.context.user object :-(

    I would still be happy to hear any suggestions from people on how to
    "integrate" a public website with a Windows Authenticated website, where we
    need to have our own login page instead of the standard Windows logon
    dialog.

    Regards,
    Michael

    Michael Randrup, Mar 27, 2006
    #3
  4. Hello,

    As I said in my previous post - there is no context on the client...

    Your page.context exists purely on the server. Once the site has been sent
    to your browser, all that is discarded.

    Next step, your browser renders the bits from the server, encounters an
    IFrame tag and then fetches the content of the frame. That is a second,
    completely independent request.

    You won't get a single sign-on experience this way...

    Greetings,
    Henning Krause
    Henning Krause [MVP], Mar 27, 2006
    #4
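
Added example (not part of the original thread, and not code from either poster): a small Python model of the two requests described in post #4, showing that the identity set server-side for the outer page never reaches the IFrame request, and that only credentials attached by the browser do. The host names, account names and the token table are constructed for illustration, and the multi-step Negotiate/NTLM handshake is collapsed into a single opaque token.

```python
import re
from urllib.parse import urlsplit

# Constructed model: hosts, accounts and tokens below are made up.
TOKENS = {"tok-alice": "CORP\\alice"}  # stands in for a completed Negotiate/NTLM handshake

def public_site(headers):
    """Anonymous site: impersonation changes only this request's server-side context."""
    context = {"user": "anonymous"}
    context["user"] = "CORP\\spreader"  # like Context.User = New WindowsPrincipal(...)
    body = '<h1>Portal</h1><iframe src="http://extranet.example/sites/home"></iframe>'
    return 200, {}, body, context["user"]  # the context is gone once the handler returns

def extranet_site(headers):
    """Windows Integrated auth: identity comes only from what this request carries."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = TOKENS.get(token) if scheme in ("Negotiate", "NTLM") else None
    if user is None:
        # No usable credentials on the request: challenge the client
        return 401, {"WWW-Authenticate": ["Negotiate", "NTLM"]}, "", None
    return 200, {}, "SharePoint page for " + user, user

SERVERS = {"www.example": public_site, "extranet.example": extranet_site}

def browse(url, browser_credentials):
    """Fetch url, then fetch every iframe as a new request built by the browser.

    Returns a trace of (url, status, identity the server saw).
    """
    trace, queue = [], [url]
    while queue:
        current = queue.pop(0)
        host = urlsplit(current).hostname
        headers = {}
        if host in browser_credentials:  # only the client can attach credentials
            headers["Authorization"] = "Negotiate " + browser_credentials[host]
        status, _, body, seen_as = SERVERS[host](headers)
        trace.append((current, status, seen_as))
        queue += re.findall(r'<iframe[^>]+src="([^"]+)"', body)
    return trace

if __name__ == "__main__":
    # Public visitor: outer page is served, the IFrame request is challenged
    for row in browse("http://www.example/", {}):
        print(row)
    # Browser configured to log on automatically to the extranet host
    for row in browse("http://www.example/", {"extranet.example": "tok-alice"}):
        print(row)
```

In the second run the extranet sees the browser user's own account, not the account impersonated by the public site.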