Impersonation of forms-authenticated Active Directory user

M

Mike Swift

Hello all

I wonder if the great and the good of this esteemed forum might shed
some light on a problem of mine...

Three servers in a domain: one Active Directory server, one SQL Server
and one IIS. IIS hosts an ASP.NET Web Application which requires that
users log on through a web form, are authenticated against their
Active Directory account and then acquire the permissions on the SQL
Server objects that their Active Directory group membership bestows.

In the following code authentication through LDAP works and authTicket
appears to be generated correctly. At this stage User.Identity is
empty, but by loading the page a second time User.Identity contains
the correct details. This is presumably as a result of reading the
cookie, but how can I get the correct User.Identity from the
authTicket without letting the cookie reader do it for me
automagically?

Anyway, even on the refresh when we have...

User.Identity.Name=myuser
User.Identity.IsAuthenticated=True
User.Identity.AuthenticationType=Forms

....the code still fails on
(System.Security.Principal.WindowsIdentity)User.Identity, producing
'specified cast is invalid'. Is this because its authentication type
is Forms? If so, and given that form based login is a requirement, how
can I "Impersonate the Authenticating User in Code".


string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com";
LdapAuthentication adAuth = new LdapAuthentication(adPath);
if(true == adAuth.IsAuthenticated(txtDomainName.Text,
txtUserName.Text, txtPassword.Text))
{
FormsAuthenticationTicket authTicket =
new FormsAuthenticationTicket(1,
txtUserName.Text,
DateTime.Now,
DateTime.Now.AddMinutes(60),
false, "");
string encryptedTicket =
FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
Response.Cookies.Add(authCookie);
System.Security.Principal.WindowsImpersonationContext
impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
}

As you may recognise, this code has been cribbed from
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it
may help diagnosis to know that the code from the "Impersonate a
Specific User in Code" section is working fine, but presumably this
approach would require me to carry the username and password around,
in the session say, and re-authenticate on every page_load.

Once the user has logged I want every page to be executed in the
context of their AD account, so should perhaps there's some altogether
better way of achieving this that I'm missing.

Cheers,
Mike.
 
J

Joe Kaplan \(MVP - ADSI\)

This isn't going to work. You can't cast a FormsPrincipal to a
WindowsPrincipal.

In order to get a WindowsPrincipal, you must either use Windows auth in
ASP.NET/IIS or explicitly call the LogonUser API with the user's credentials
in order to create a token that you can then use to create a WindowsIdentity
that you can impersonate. For the latter, the canonical example is here,
but it can't be used easily on Win2K due to security restrictions:

http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

If you use Windows auth in ASP.NET, you will also need to be careful about
impersonation and double hop issues.

HTH,

Joe K.
 
A

avnrao

just wanted to find out why User.Identity is empty for the first time..
r u populating User.Identity with GenericPrinciple object for the first time
just after validating from your login page?

Av.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,480
Members
44,900
Latest member
Nell636132

Latest Threads

Top