How can I impersonate a user in code?


Friso Wiskerke

Hi all,

I'm trying to save an uploaded file to a share on another computer in the
domain. If I use the <identity impersonate ..... /> tag in the web.config
and enter the credentials of a domain user which has sufficient rights on
that share it works fine.

However I don't need (and want) to run the complete site under this user, I
only need to impersonate the moment I'm trying to save the file. I've tried
to achieve this in code by creating a WindowsIdentity object and
impersonating it but that isn't working (NotSupportedException). The code
works fine in a sample winapp but apparently a webapp doesn't like it.

Does anyone have an idea on how I can achieve the impersonation in code?

TIA,
Friso Wiskerke
 

MikeS

You might use a location tag to specify that only the page you post to
impersonates.

<location path="upload.aspx">
    <system.web>
        <identity impersonate="true" userName="UID"
                  password="PWD"></identity>
    </system.web>
</location>
 

Joe Kaplan (MVP - ADSI)

You can also use the LogonUser API to do this. That's the typical way.

http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

Note that if you were trying to use the WindowsIdentity constructor that
takes a UPN, there are a bunch of restrictions on how it can be used. That is
the "protocol transition" constructor. PT only works if your AD forest is
2003 native mode and the client OS is 2003 or higher. Also, you can only
use the returned WindowsIdentity for impersonation to access local resources
if the calling account has "act as part of the operating system" privilege.
Only SYSTEM has this by default.

HTH,

Joe K.
 

Friso Wiskerke

Joe,

This is the example I tried to use in the web application but failed with a
NotSupported exception when calling the newId.Impersonate method. There's no
problem executing the code in a windows application though.

I think the best way for me at the moment is to use the web.config and
specifically specify the page(s) that the impersonation applies to as stated
in MikeS's reply.

Thanks nonetheless...

Cheers,
Friso Wiskerke
 

Joe Kaplan (MVP - ADSI)

That NotSupportedException is pretty weird. I'm not sure what might cause
that. Can you show the full stack trace for the exception? I'd like to
know where it is coming from.

Joe K.
 

Friso Wiskerke

Joe,

I've cracked it!

In the call to the LogonUser API function I used values which are stored in
the web.config as follows:

bRetval = LogonUser(ConfigurationSettings.AppSettings("impersonate_username"), _
                    ConfigurationSettings.AppSettings("impersonate_domain"), _
                    ConfigurationSettings.AppSettings("impersonate_password"), _
                    2, 0, token)

When I change the retrieval from the web.config to:
ConfigurationSettings.AppSettings("impersonate_username").ToString the call
does work. Apparently the API tries to do something with this string
variables and that fails.

I'd placed this code in a separate function also called ImpersonateUser,
that's why I thought that the WindowsIdentity.ImpersonateUser() call
generated the error.

Cheers,
Friso
 

MikeS

I took a minute and created a class wrapper for a version of the code
in the article too so I can use it like below. Seems to work fine.
Can I secure the credentials in appSettings like I can using
aspnet_setreg and the location tag?

Try
    With New UserProxy(uid, pwd, domain)
        .Impersonate()
        Try
            ' do privileged operation...
        Catch ex As Exception
            Throw New Exception(ex.Message)
        Finally
            .Undo()
        End Try
    End With
Catch ex As Exception
    ' Handle proxy creation, impersonate or operation error
End Try
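An added example in VB.NET, not code from the thread, that combines Joe's LogonUser suggestion with the scoped Impersonate/Undo pattern of MikeS's wrapper so that only the file write runs under the domain account. ScopedImpersonation and SaveUpload are my own names, and the logon type differs from the 2 used in Friso's call for the reason given in the comments.

```vb
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Impersonates the given account only while the object is alive; Dispose
' reverts to the worker identity and closes the logon token.
Public Class ScopedImpersonation
    Implements IDisposable
    ' 9 = LOGON32_LOGON_NEW_CREDENTIALS: the worker keeps its own identity on
    ' the local box and presents these credentials only to remote resources
    ' (the share). 2 (interactive) additionally needs "log on locally" rights.
    Private Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9
    Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, ByVal provider As Integer, _
        ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    Private _token As IntPtr = IntPtr.Zero
    Private _context As WindowsImpersonationContext

    Public Sub New(ByVal user As String, ByVal domain As String, ByVal password As String)
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, _
                         LOGON32_PROVIDER_WINNT50, _token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        _context = WindowsIdentity.Impersonate(_token)
    End Sub

    Public Sub Dispose() Implements IDisposable.Dispose
        If _context IsNot Nothing Then _context.Undo()
        If _token <> IntPtr.Zero Then CloseHandle(_token)
    End Sub

    ' Hypothetical helper: the upload is written to the share under the
    ' impersonated account; everything before and after runs as the worker.
    Public Shared Sub SaveUpload(ByVal source As Stream, ByVal targetPath As String, _
                                 ByVal user As String, ByVal domain As String, ByVal password As String)
        Using imp As New ScopedImpersonation(user, domain, password)
            Using target As New FileStream(targetPath, FileMode.CreateNew)
                source.CopyTo(target)   ' Stream.CopyTo needs .NET 4; loop over a buffer on older
            End Using
        End Using
    End Sub
End Class
```

With LOGON32_LOGON_NEW_CREDENTIALS the password is not checked until the share is first touched, so a bad credential surfaces as an access-denied on the FileStream rather than a LogonUser failure. The credentials still belong in protected configuration (aspnet_setreg, or aspnet_regiis -pe on .NET 2.0) rather than plain appSettings.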