Impersonation of an existing user in AD when logged in as admin: Possible?

MarkusJ_NZ

Hi, I was wondering if the following was possible.

A user logs in using Forms Authentication which is authenticated
against AD and is set a FormsAuthentication Cookie.

If the user is an admin user I would like to be able to impersonate
another user simply by passing through the username. I was hoping that
because the current user is an Admin user they could easily
impersonate another user without having to supply the other user's
password.

The sceptic in me knows that this should probably not work as a user
should have to supply the existing username / password of a user if
they want to impersonate another user but I thought that I would just
ask :)

Thanks for any response / help
Markus
 
Joe Kaplan

You can use protocol transition logon to get a WindowsIdentity for an
arbitrary user if you know their UPN. This token can be impersonated and
used to access local resources if the process that executes the
WindowsIdentity constructor has TCB privilege aka "act as part of the
operating system" (which usually you would not in a web app).

To use this constructor for WindowsIdentity, you must have a 2003+ server
and must have a 2003+ native forest mode AD.

If you can't use protocol transition, you'll need credentials for the user.
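
The protocol transition logon described in this answer, as an added example that is not part of the original post. It assumes .NET Framework 4.x in an ASP.NET application; the class name `AdminImpersonation`, the role name "Admins" and the use of `Trace` for the audit record are hypothetical choices made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;
using System.Web;

// Hypothetical helper, not code from the thread.
public static class AdminImpersonation
{
    public static void RunAs(string targetUpn, Action work)
    {
        IPrincipal caller = HttpContext.Current.User;

        // The protocol transition logon needs no password for the target user,
        // so this authorization check is the only gate on who can be impersonated.
        // "Admins" is an assumed role name.
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole("Admins"))
            throw new SecurityException("Caller is not allowed to impersonate other users.");

        // Record who acted as whom before anything runs under the new token.
        Trace.TraceWarning("Impersonation requested by {0} for {1}",
                           caller.Identity.Name, targetUpn);

        // Protocol transition: build a Windows token from the UPN alone.
        // Throws SecurityException if the domain requirements are not met.
        using (WindowsIdentity target = new WindowsIdentity(targetUpn))
        {
            // Without "act as part of the operating system" the token comes back
            // at identification level: fine for group checks, not for resource access.
            if (target.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                throw new SecurityException(
                    "Identification-level token only; the process lacks TCB privilege.");

            // Disposing the context reverts the thread to the process identity,
            // even if work() throws.
            using (WindowsImpersonationContext context = target.Impersonate())
            {
                work();
            }
        }
    }
}
```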
 
MarkusJ_NZ

> You can use protocol transition logon to get a WindowsIdentity for an
> arbitrary user if you know their UPN. This token can be impersonated and
> used to access local resources if the process that executes the
> WindowsIdentity constructor has TCB privilege aka "act as part of the
> operating system" (which usually you would not in a web app).
>
> To use this constructor for WindowsIdentity, you must have a 2003+ server
> and must have a 2003+ native forest mode AD.
>
> If you can't use protocol transition, you'll need credentials for the user.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming

Thanks for the response Joe

best wishes
Markus
 
