Impersonation of an existing user in AD when logged in as admin: Possible?

Discussion in 'ASP .Net Security' started by MarkusJ_NZ, Jun 17, 2009.

  1. MarkusJ_NZ

    MarkusJ_NZ Guest

    Hi, I was wondering if the following was possible.

    A user logs in using Forms Authentication which is authenticated
    against AD and is set a FormsAuthentication Cookie.

    If the user is an admin user I would like to be able to impersonate
    another user simply by passing through the username. I was hoping that
    because the current user is an Admin user they could easily
    impersonate another user without having to supply the other user's
    password.

    The sceptic in me knows that this should probably not work as a user
    should have to supply the existing username / password of a user if
    they want to impersonate another user but I thought that I would just
    ask :)

    Thanks for any response / help
    Markus
     
    MarkusJ_NZ, Jun 17, 2009
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Re: Impersonation of an existing user in AD when logged in as admin: Possible?

    You can use protocol transition logon to get a WindowsIdentity for an
    arbitrary user if you know their UPN. This token can be impersonated and
    used to access local resources if the process that executes the
    WindowsIdentity constructor has TCB privilege aka "act as part of the
    operating system" (which usually you would not in a web app).

    To use this constructor for WindowsIdentity, you must have a 2003+ server
    and must have a 2003+ native forest mode AD.

    If you can't use protocol transition, you'll need credentials for the user.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Jun 17, 2009
    #2
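As an added illustration of the protocol transition logon Joe describes (example code, not from the thread or from Joe's book): the UPN-only WindowsIdentity constructor is called, and the resulting token's impersonation level is checked before impersonating, since a process without the TCB privilege only gets an Identification-level token that cannot be used to access resources. The "Admin" role name and the method name are assumptions.

```csharp
// Added example: protocol transition (S4U2Self) logon via the UPN-only
// WindowsIdentity constructor, with a check on the token that comes back.
// Requires a Windows Server 2003+ box in a 2003 native-mode forest.
using System;
using System.Security.Principal;

static class ProtocolTransitionDemo
{
    // Returns an impersonation context for targetUpn, or throws when the
    // token is not usable for resource access. No password is needed, but
    // the caller must already be authorized by the application.
    public static WindowsImpersonationContext ImpersonateByUpn(IPrincipal caller, string targetUpn)
    {
        // Application-level gate: only callers the app treats as admins
        // (assumed role name "Admin") may request this at all.
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole("Admin"))
            throw new UnauthorizedAccessException("Caller is not an authenticated admin.");

        // Protocol transition: Kerberos S4U2Self obtains a token for the
        // target account from its UPN alone (e.g. "jdoe@corp.example").
        WindowsIdentity target = new WindowsIdentity(targetUpn);

        // Without "act as part of the operating system" (SeTcbPrivilege) the
        // token is Identification level: fine for IsInRole / authorization
        // checks, but impersonating it cannot open files or other resources.
        if (target.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
        {
            throw new InvalidOperationException(
                "Protocol transition returned a " + target.ImpersonationLevel +
                " token; the process lacks SeTcbPrivilege, so resource access would fail.");
        }

        // Caller is responsible for calling Undo() (or disposing) when done.
        return target.Impersonate();
    }

    // Identification-level tokens are still useful: group membership of the
    // target can be evaluated without any password and without TCB.
    public static bool TargetIsInGroup(string targetUpn, string groupName)
    {
        WindowsIdentity target = new WindowsIdentity(targetUpn);
        return new WindowsPrincipal(target).IsInRole(groupName);
    }
}
```

Wrap the returned context in a `using` block so the thread reverts to its own identity even if the impersonated work throws.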

  3. MarkusJ_NZ

    MarkusJ_NZ Guest


    Thanks for the response Joe

    best wishes
    Markus
     
    MarkusJ_NZ, Jun 17, 2009
    #3
