impersonating and LogonUser

[Jason]

I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows account
(I cannot use Windows authentication). If I obtain a token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the impersonation
finishes. When the response re-starts i.e. page is loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.

 

[Jim Cheshire [MSFT]]

Jason,

I'm not really sure how long that token persists. However, I certainly
wouldn't implement your functionality in this way. Instead, why not just
use Forms Authentication and authenticate against Active Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------

 

[Jason]

I actually do that. The problem is that I need to perform
operations on the Active Directory as the logged on user.
Which means I need to either pass the logged on user name
and password to the DirectoryEntry object or impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?

-----Original Message-----
Jason,

I'm not really sure how long that token persists. However, I certainly
wouldn't implement your functionality in this way. Instead, why not just
use Forms Authentication and authenticate against Active Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
Subject: impersonating and LogonUser
Date: Tue, 30 Dec 2003 07:09:52 -0800
Lines: 12
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPO5vn/DZ4sZUF0TVKQjDolroRyKQ==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198854
NNTP-Posting-Host: tk2msftngxa11.phx.gbl 10.40.1.163
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows account
(I cannot use Windows authentication). If I obtain a token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the impersonation
finishes. When the response re-starts i.e. page is loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.

.

 

[Jim Cheshire [MSFT]]

Jason,

Do you need to impersonate a specific user just during the execution of a
particular code block? If not and you really just need to ensure that the
app runs under the context of the currently logged on user, you simply need
to deny access to unauthenticated users via the web.config and enable
impersonation.

Jim Cheshire [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
References: <[email protected]>

Subject: RE: impersonating and LogonUser
Date: Tue, 30 Dec 2003 09:41:16 -0800
Lines: 67
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPO/CAi0MD771MWTeW4DDpNCftk0g==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198905
NNTP-Posting-Host: tk2msftngxa08.phx.gbl 10.40.1.160
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I actually do that. The problem is that I need to perform
operations on the Active Directory as the logged on user.
Which means I need to either pass the logged on user name
and password to the DirectoryEntry object or impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?

-----Original Message-----
Jason,

I'm not really sure how long that token persists. However, I certainly
wouldn't implement your functionality in this way. Instead, why not just
use Forms Authentication and authenticate against Active Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
Subject: impersonating and LogonUser
Date: Tue, 30 Dec 2003 07:09:52 -0800
Lines: 12
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPO5vn/DZ4sZUF0TVKQjDolroRyKQ==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198854
NNTP-Posting-Host: tk2msftngxa11.phx.gbl 10.40.1.163
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows account
(I cannot use Windows authentication). If I obtain a token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the impersonation
finishes. When the response re-starts i.e. page is loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.

.

 

[Jason]

Maybe I'm missing something with my understanding of
impersonation.

I thought impersonation either ran as the user specified
in the web.config or as the account configured in IIS or
as the windows identity user if windows authentication is
selected.

I have to use forms authentication but I validate the user
logging on against active directory. I retrieve their
username and password from a login screen.

Is it possible to have the application run as the user
once they have been verified using forms authentication?

-----Original Message-----
Jason,

Do you need to impersonate a specific user just during the execution of a
particular code block? If not and you really just need to ensure that the
app runs under the context of the currently logged on user, you simply need
to deny access to unauthenticated users via the web.config and enable
impersonation.

Jim Cheshire [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

I actually do that. The problem is that I need to perform
operations on the Active Directory as the logged on user.
Which means I need to either pass the logged on user name
and password to the DirectoryEntry object or impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?

-----Original Message-----
Jason,

I'm not really sure how long that token persists. However, I certainly
wouldn't implement your functionality in this way. Instead, why not just
use Forms Authentication and authenticate against

Active
Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------
I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows account
(I cannot use Windows authentication). If I obtain a token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the impersonation
finishes. When the response re-starts i.e. page is loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.


.

.

 

[Jim Cheshire [MSFT]]

Jason,

Your understanding of impersonation is correct. The WindowsIdentity in
your case of Forms authentication will be the process account. The
HttpContext.Current.User.Identity will be your user authenticated via Forms
auth. I'm not sure how long the token will be valid before it is expired.
I do know that we timestamp the token for the purposes of preventing
improper token reuse.

I would definitely not take this route however. First of all, there is an
ASP.NET issue whereby an impersonated thread that is returned to the
threadpool without having had RevertToSelf() called is going to retain its
impersonated identity. As soon as someone else grabs that thread from the
pool, it will run under the context of the original user. This is
obviously a bad thing. Therefore, you should ALWAYS undo the
impersonation. (This is a developing issue, so I don't have many
specifics.)

The other thing is just general security practice. You want to minimize
your exposure surface to any attacks. It would then make logical sense
that you would only want to run under elevated priviledges when necessary.
Therefore, a much better option for you would be to store the username and
password in the FormsAuthenticationTicket when it's created and then use
that information to call LogonUser when necessary.

This assumes that you are following our recommendation of encrypting the
ticket.

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
References: <[email protected]>

<#[email protected]>

Subject: RE: impersonating and LogonUser
Date: Tue, 30 Dec 2003 13:01:06 -0800
Lines: 97
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPPGArOEJZUmCWqTvWaK6UCxhVpMw==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198969
NNTP-Posting-Host: tk2msftngxa13.phx.gbl 10.40.1.165
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Maybe I'm missing something with my understanding of
impersonation.

I thought impersonation either ran as the user specified
in the web.config or as the account configured in IIS or
as the windows identity user if windows authentication is
selected.

I have to use forms authentication but I validate the user
logging on against active directory. I retrieve their
username and password from a login screen.

Is it possible to have the application run as the user
once they have been verified using forms authentication?

-----Original Message-----
Jason,

Do you need to impersonate a specific user just during the execution of a
particular code block? If not and you really just need to ensure that the
app runs under the context of the currently logged on user, you simply need
to deny access to unauthenticated users via the web.config and enable
impersonation.

Jim Cheshire [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

I actually do that. The problem is that I need to perform
operations on the Active Directory as the logged on user.
Which means I need to either pass the logged on user name
and password to the DirectoryEntry object or impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?
-----Original Message-----
Jason,

I'm not really sure how long that token persists.
However, I certainly
wouldn't implement your functionality in this way.
Instead, why not just
use Forms Authentication and authenticate against Active
Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------
I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows
account
(I cannot use Windows authentication). If I obtain a
token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the
impersonation
finishes. When the response re-starts i.e. page is
loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.


.

.

 

[Jason]

Thanks for your help.
I am going to store the password in the encrypted forms
authentication ticket and only impersonate where
neccessary.

-----Original Message-----
Jason,

Your understanding of impersonation is correct. The WindowsIdentity in
your case of Forms authentication will be the process account. The
HttpContext.Current.User.Identity will be your user authenticated via Forms
auth. I'm not sure how long the token will be valid before it is expired.
I do know that we timestamp the token for the purposes of preventing
improper token reuse.

I would definitely not take this route however. First of all, there is an
ASP.NET issue whereby an impersonated thread that is returned to the
threadpool without having had RevertToSelf() called is going to retain its
impersonated identity. As soon as someone else grabs that thread from the
pool, it will run under the context of the original user. This is
obviously a bad thing. Therefore, you should ALWAYS undo the
impersonation. (This is a developing issue, so I don't have many
specifics.)

The other thing is just general security practice. You want to minimize
your exposure surface to any attacks. It would then make logical sense
that you would only want to run under elevated priviledges when necessary.
Therefore, a much better option for you would be to store the username and
password in the FormsAuthenticationTicket when it's created and then use
that information to call LogonUser when necessary.

This assumes that you are following our recommendation of encrypting the
ticket.

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
References: <[email protected]>

<#[email protected]>

Subject: RE: impersonating and LogonUser
Date: Tue, 30 Dec 2003 13:01:06 -0800
Lines: 97
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPPGArOEJZUmCWqTvWaK6UCxhVpMw==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198969
NNTP-Posting-Host: tk2msftngxa13.phx.gbl 10.40.1.165
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Maybe I'm missing something with my understanding of
impersonation.

I thought impersonation either ran as the user specified
in the web.config or as the account configured in IIS or
as the windows identity user if windows authentication is
selected.

I have to use forms authentication but I validate the user
logging on against active directory. I retrieve their
username and password from a login screen.

Is it possible to have the application run as the user
once they have been verified using forms authentication?

-----Original Message-----
Jason,

Do you need to impersonate a specific user just during the execution of a
particular code block? If not and you really just need to ensure that the
app runs under the context of the currently logged on user, you simply need
to deny access to unauthenticated users via the web.config and enable
impersonation.

Jim Cheshire [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
I actually do that. The problem is that I need to perform
operations on the Active Directory as the logged on user.
Which means I need to either pass the logged on user name
and password to the DirectoryEntry object or impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?
-----Original Message-----
Jason,

I'm not really sure how long that token persists.
However, I certainly
wouldn't implement your functionality in this way.
Instead, why not just
use Forms Authentication and authenticate against Active
Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------
I have an ASP.NET application with forms authentication.
However, the login details correspond to a Windows
account
(I cannot use Windows authentication). If I obtain a
token
with LogonUser, can I store it in a session variable and
perform an impersonation on each page load? How long is
that token valid? If I do an impersonation on each page
load but never an Undo, will it cause problems?

I think that once the response finishes, the
impersonation
finishes. When the response re-starts i.e. page is
loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.


.



.

.

 

[Jim Cheshire [MSFT]]

Hi Jason,

Very good. Post back if you encounter problems.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
References: <[email protected]>

<#[email protected]>
<[email protected]>
<#[email protected]>

Subject: RE: impersonating and LogonUser
Date: Sat, 3 Jan 2004 15:52:03 -0800
Lines: 191
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Thread-Index: AcPSVJY/IoO+KDe3Tceh4HGBaGENhQ==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:199523
NNTP-Posting-Host: tk2msftngxa13.phx.gbl 10.40.1.165
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Thanks for your help.
I am going to store the password in the encrypted forms
authentication ticket and only impersonate where
neccessary.

-----Original Message-----
Jason,

Your understanding of impersonation is correct. The WindowsIdentity in
your case of Forms authentication will be the process account. The
HttpContext.Current.User.Identity will be your user authenticated via Forms
auth. I'm not sure how long the token will be valid before it is expired.
I do know that we timestamp the token for the purposes of preventing
improper token reuse.

I would definitely not take this route however. First of all, there is an
ASP.NET issue whereby an impersonated thread that is returned to the
threadpool without having had RevertToSelf() called is going to retain its
impersonated identity. As soon as someone else grabs that thread from the
pool, it will run under the context of the original user. This is
obviously a bad thing. Therefore, you should ALWAYS undo the
impersonation. (This is a developing issue, so I don't have many
specifics.)

The other thing is just general security practice. You want to minimize
your exposure surface to any attacks. It would then make logical sense
that you would only want to run under elevated priviledges when necessary.
Therefore, a much better option for you would be to store the username and
password in the FormsAuthenticationTicket when it's created and then use
that information to call LogonUser when necessary.

This assumes that you are following our recommendation of encrypting the
ticket.

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.


--------------------

Content-Class: urn:content-classes:message
From: "Jason" <[email protected]>
Sender: "Jason" <[email protected]>
References: <[email protected]>

<#[email protected]>

Subject: RE: impersonating and LogonUser
Date: Tue, 30 Dec 2003 13:01:06 -0800
Lines: 97
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcPPGArOEJZUmCWqTvWaK6UCxhVpMw==
Newsgroups: microsoft.public.dotnet.framework.aspnet
Path: cpmsftngxa07.phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet:198969
NNTP-Posting-Host: tk2msftngxa13.phx.gbl 10.40.1.165
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

Maybe I'm missing something with my understanding of
impersonation.

I thought impersonation either ran as the user specified
in the web.config or as the account configured in IIS or
as the windows identity user if windows authentication is
selected.

I have to use forms authentication but I validate the user
logging on against active directory. I retrieve their
username and password from a login screen.

Is it possible to have the application run as the user
once they have been verified using forms authentication?


-----Original Message-----
Jason,

Do you need to impersonate a specific user just during
the execution of a
particular code block? If not and you really just need
to ensure that the
app runs under the context of the currently logged on
user, you simply need
to deny access to unauthenticated users via the
web.config and enable
impersonation.

Jim Cheshire [MSFT]
Microsoft Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and
confers no rights.

--------------------
I actually do that. The problem is that I need to
perform
operations on the Active Directory as the logged on
user.
Which means I need to either pass the logged on user
name
and password to the DirectoryEntry object or
impersonate -
that way, if the logged on user does not have the right,
the operation fails.

Unless there is another way?
-----Original Message-----
Jason,

I'm not really sure how long that token persists.
However, I certainly
wouldn't implement your functionality in this way.
Instead, why not just
use Forms Authentication and authenticate against
Active
Directory?

Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Product Support Services
ASP.NET Developer Support

This post is provided "as-is" and confers no rights.


--------------------
I have an ASP.NET application with forms
authentication.
However, the login details correspond to a Windows
account
(I cannot use Windows authentication). If I obtain a
token
with LogonUser, can I store it in a session variable
and
perform an impersonation on each page load? How long
is
that token valid? If I do an impersonation on each
page
load but never an Undo, will it cause problems?

I think that once the response finishes, the
impersonation
finishes. When the response re-starts i.e. page is
loaded,
the impersonation can be manually restarted without
problems. I'm not sure about the lifetime of the token.


.



.

.