How can I impersonate a user in code?

Discussion in 'ASP .Net Security' started by Friso Wiskerke, Feb 15, 2006.

  1. Hi all,

    I'm trying to save an uploaded file to a share on another computer in the
    domain. If I use the <identity impersonate ..... /> tag in the web.config
    and enter the credentials of a domain user which has sufficient rights on
    that share it works fine.

    However I don't need (and want) to run the complete site under this user, I
    only need to impersonate the moment I'm trying to save the file. I've tried
    to achieve this in code by creating a WindowsIdentity object and
    impersonating it but that isn't working (NotSupported Exception). The code
    works fine in a sample winapp but apparently a webapp doesn't like it.

    Does anyone have an idea on how I can achieve the impersonation in code?

    TIA,
    Friso Wiskerke
     
    Friso Wiskerke, Feb 15, 2006
    #1

  2. MikeS Guest

    You might use a location tag to specify that only the page you post to
    impersonates.

    <location path="upload.aspx">
      <system.web>
        <identity impersonate="true" userName="UID" password="PWD"></identity>
      </system.web>
    </location>
     
    MikeS, Feb 15, 2006
    #2

  3. You can also use the LogonUser API to do this. That's the typical way.

    http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

    Note that if you were trying to use the WindowsIdentity constructor that
    takes a UPN, there are a bunch of restrictions on how it can be used. That is
    the "protocol transition" constructor. PT only works if your AD forest is
    2003 native mode and the client OS is 2003 or higher. Also, you can only
    use the returned WindowsIdentity for impersonation to access local resources
    if the calling account has "act as part of the operating system" privilege.
    Only SYSTEM has this by default.

    HTH,

    Joe K.

    "MikeS" <> wrote in message
    news:...
    > You might use a location tag to specify that only the page you post to
    > impersonates.
    >
    > <location path="upload.aspx">
    > <system.web>
    > <identity impersonate="true" userName="UID"
    > password="PWD"></identity>
    > </system.web>
    > </location>
    >
     
    Joe Kaplan \(MVP - ADSI\), Feb 15, 2006
    #3
  4. Joe,

    this is the example I tried to use in the web application but failed with a
    NotSupported exception when calling the newId.Impersonate method. There's no
    problem executing the code in a windows application though.

    I think the best way for me at the moment is to use the web.config and
    specifically specify the page(s) that the impersonation applies to as stated
    in MikeS reply.

    Thanks nonetheless...

    Cheers,
    Friso Wiskerke


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > You can also use the LogonUser API to do this. That's the typical way.
    >
    > http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true
    >
    > Note that if you were trying to use the WindowsIdentity constructor that
    > takes a UPN, there are bunch of restrictions on how it can be used. That
    > is the "protocol transition" constructor. PT only works if your AD forest
    > is 2003 native mode and the client OS is 2003 or higher. Also, you can
    > only use the returned WindowsIdentity for impersonation to access local
    > resources if the calling account has "act as part of the operating system"
    > privilege. Only SYSTEM has this by default.
    >
    > HTH,
    >
    > Joe K.
    >
    > "MikeS" <> wrote in message
    > news:...
    >> You might use a location tag to specify that only the page you post to
    >> impersonates.
    >>
    >> <location path="upload.aspx">
    >> <system.web>
    >> <identity impersonate="true" userName="UID"
    >> password="PWD"></identity>
    >> </system.web>
    >> </location>
    >>

    >
    >
     
    Friso Wiskerke, Feb 16, 2006
    #4
  5. That NotSupportedException is pretty weird. I'm not sure what might cause
    that. Can you show the full stack trace for the exception? I'd like to
    know where it is coming from.

    Joe K.

    "Friso Wiskerke" <> wrote in message
    news:%...
    > Joe,
    >
    > this is the example I tried to use in the web application but failed with
    > a NotSupported exception when calling the newId.Impersonate method.
    > There's no problem executing the code in a windows application though.
    >
    > I think the best way for me at the moment is to use the web.config and
    > specifically specify the page(s) that the impersonation applies to as
    > stated in MikeS reply.
    >
    > Thanx non the less...
    >
    > Cheers,
    > Friso Wiskerke
    >
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    >> You can also use the LogonUser API to do this. That's the typical way.
    >>
    >> http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true
    >>
    >> Note that if you were trying to use the WindowsIdentity constructor that
    >> takes a UPN, there are bunch of restrictions on how it can be used. That
    >> is the "protocol transition" constructor. PT only works if your AD
    >> forest is 2003 native mode and the client OS is 2003 or higher. Also,
    >> you can only use the returned WindowsIdentity for impersonation to access
    >> local resources if the calling account has "act as part of the operating
    >> system" privilege. Only SYSTEM has this by default.
    >>
    >> HTH,
    >>
    >> Joe K.
    >>
    >> "MikeS" <> wrote in message
    >> news:...
    >>> You might use a location tag to specify that only the page you post to
    >>> impersonates.
    >>>
    >>> <location path="upload.aspx">
    >>> <system.web>
    >>> <identity impersonate="true" userName="UID"
    >>> password="PWD"></identity>
    >>> </system.web>
    >>> </location>
    >>>

    >>
    >>

    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Feb 16, 2006
    #5
  6. Joe,

    I've cracked it !

    In the call to the LogonUser API function I used values which are stored in
    the web.config as follows:

    Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
        ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean  ' Win32 P/Invoke declaration
    bRetval = LogonUser(ConfigurationSettings.AppSettings("impersonate_username"), _
                        ConfigurationSettings.AppSettings("impersonate_domain"), _
                        ConfigurationSettings.AppSettings("impersonate_password"), _
                        2, 0, token)  ' 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT

    When I change the retrieval from the web.config to:
    ConfigurationSettings.AppSettings("impersonate_username").ToString the call
    does work. Apparently the API tries to do something with the string
    variables and that fails.

    I'd placed this code in a separate function also called ImpersonateUser,
    that's why I thought that the WindowsIdentity.ImpersonateUser() call
    generated the error.

    Cheers,
    Friso


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:%...
    > That NotSupportedException is pretty weird. I'm not sure what might cause
    > that. Can you show the full stack trace for the exception? I'd like to
    > know where it is coming from.
    >
    > Joe K.
    >
    > "Friso Wiskerke" <> wrote in message
    > news:%...
    >> Joe,
    >>
    >> this is the example I tried to use in the web application but failed with
    >> a NotSupported exception when calling the newId.Impersonate method.
    >> There's no problem executing the code in a windows application though.
    >>
    >> I think the best way for me at the moment is to use the web.config and
    >> specifically specify the page(s) that the impersonation applies to as
    >> stated in MikeS reply.
    >>
    >> Thanx non the less...
    >>
    >> Cheers,
    >> Friso Wiskerke
    >>
    >>
    >> "Joe Kaplan (MVP - ADSI)" <>
    >> wrote in message news:...
    >>> You can also use the LogonUser API to do this. That's the typical way.
    >>>
    >>> http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true
    >>>
    >>> Note that if you were trying to use the WindowsIdentity constructor that
    >>> takes a UPN, there are bunch of restrictions on how it can be used.
    >>> That is the "protocol transition" constructor. PT only works if your AD
    >>> forest is 2003 native mode and the client OS is 2003 or higher. Also,
    >>> you can only use the returned WindowsIdentity for impersonation to
    >>> access local resources if the calling account has "act as part of the
    >>> operating system" privilege. Only SYSTEM has this by default.
    >>>
    >>> HTH,
    >>>
    >>> Joe K.
    >>>
    >>> "MikeS" <> wrote in message
    >>> news:...
    >>>> You might use a location tag to specify that only the page you post to
    >>>> impersonates.
    >>>>
    >>>> <location path="upload.aspx">
    >>>> <system.web>
    >>>> <identity impersonate="true" userName="UID"
    >>>> password="PWD"></identity>
    >>>> </system.web>
    >>>> </location>
    >>>>
    >>>
    >>>

    >>
    >>

    >
    >
     
    Friso Wiskerke, Feb 17, 2006
    #6
  7. MikeS Guest

    I took a minute and created a class wrapper for a version of the code
    in the article too so I can use it like below. Seems to work fine.
    Can I secure the credentials in appSettings like I can using
    aspnet_setreg and the location tag?

    Try
        With New UserProxy(uid, pwd, domain)
            .Impersonate()
            Try
                ' do privileged operation...
            Catch ex As Exception
                Throw New Exception(ex.Message)
            Finally
                .Undo()
            End Try
        End With
    Catch ex As Exception
        ' Handle proxy creation, impersonate or operation error
    End Try
     
    MikeS, Feb 17, 2006
    #7
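    The pattern discussed in replies #3, #6 and #7 (LogonUser, WindowsIdentity.Impersonate, credentials pulled from appSettings, and a wrapper that always undoes the impersonation), as an added example that is not code from this thread or from any of the posters. The class name ScopedImpersonation, the FromAppSettings helper, the UploadHelper class and the choice of LOGON32_LOGON_NETWORK (type 3, sufficient for a file share; Friso's post uses type 2, interactive) are assumptions; the three appSettings key names are the ones from post #6. It targets .NET 2.0 / VB 2005 (Using, IsNot), which was current when the thread was written.

```vb
Imports System
Imports System.Configuration
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Assumed helper (not from the thread): logs a domain user on via the Win32 LogonUser
' API and impersonates it only for the lifetime of this object, so the rest of the
' site keeps running under the worker-process account.
Public Class ScopedImpersonation
    Implements IDisposable

    ' Win32 P/Invoke declarations (advapi32 / kernel32); CharSet.Auto selects the W variant.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
        ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Private Const LOGON32_LOGON_NETWORK As Integer = 3      ' assumed: enough for reaching a share
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    Private _token As IntPtr = IntPtr.Zero
    Private _context As WindowsImpersonationContext = Nothing

    Public Sub New(ByVal userName As String, ByVal domain As String, ByVal password As String)
        ' LogonUser returns False on bad credentials or a missing logon right; surface the Win32 code.
        If Not LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, _token) Then
            Throw New UnauthorizedAccessException("LogonUser failed, Win32 error " & Marshal.GetLastWin32Error())
        End If
        ' Wrap the token in a WindowsIdentity and switch the current thread to it.
        _context = New WindowsIdentity(_token).Impersonate()
    End Sub

    ' Reads the three appSettings keys named in post #6. ToString() hands unmanaged code a
    ' plain String, which is the change Friso reports as fixing his NotSupportedException.
    Public Shared Function FromAppSettings() As ScopedImpersonation
        Return New ScopedImpersonation( _
            ConfigurationSettings.AppSettings("impersonate_username").ToString(), _
            ConfigurationSettings.AppSettings("impersonate_domain").ToString(), _
            ConfigurationSettings.AppSettings("impersonate_password").ToString())
    End Function

    ' Reverts to the original identity and closes the logon token; safe to call twice.
    Public Sub Dispose() Implements IDisposable.Dispose
        If _context IsNot Nothing Then
            _context.Undo()
            _context = Nothing
        End If
        If Not _token.Equals(IntPtr.Zero) Then
            CloseHandle(_token)
            _token = IntPtr.Zero
        End If
    End Sub
End Class

' Assumed usage inside the upload page: impersonation lasts only for the SaveAs call.
Public Class UploadHelper
    Public Shared Sub SaveToShare(ByVal posted As System.Web.HttpPostedFile, ByVal targetPath As String)
        Using imp As ScopedImpersonation = ScopedImpersonation.FromAppSettings()
            posted.SaveAs(targetPath)
        End Using   ' Dispose (Undo + CloseHandle) runs even if SaveAs throws
    End Sub
End Class
```

    Two points worth checking when using something like this: the Undo runs in Dispose rather than being left to the caller, so a thrown exception cannot leave the worker thread running as the domain account for the rest of the request; and, as MikeS asks in #7, the password still sits in cleartext in appSettings here, so access to web.config should be restricted to the accounts that actually need it and the impersonated user given rights on the one share only.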
