programmatically login using LDAP and impersonation

Discussion in 'ASP .Net Security' started by bob, Nov 13, 2006.

  1. bob

    bob Guest

    I'm on a network system that has some pretty strict policies that I cannot change. My criteria are to use forms login for extranet users against a SQL Server database and to impersonate an account that is on an intranet Active Directory.

    Saying it a different way, I need to impersonate an intranet Active Directory account that must be authenticated using Kerberos authentication.

    I'm stuck at this point trying to figure out how to programmatically impersonate the account that will be used to access the SQL server. It will only allow Windows authentication; our system uses LDAP Windows auth that runs through a Kerberos portal.

    *sigh* The only thing I can think of is to programmatically log in the intranet account, get the authentication ticket, assign that ticket to the user, then using the login name and password they provided check the database and determine authorization from there. Is there another way; am I missing something? If I'm not missing something, where can I get the information that I need?

    EggHeadCafe.com - .NET Developer Portal of Choice
    http://www.eggheadcafe.com
     
    bob, Nov 13, 2006
    #1

  2. bob

    bob Guest

    oopsie

    It's on the .NET 2.0 framework, SQL Server 2005, Windows Server 2003.

    EggHeadCafe.com - .NET Developer Portal of Choice
    http://www.eggheadcafe.com
     
    bob, Nov 13, 2006
    #2

  3. Consultant

    Consultant Guest

    use the enterprise library


    <bob> wrote in message news:...
    > I'm on a network system that has some pretty strict policies that I
    > cannot change. My criteria are to use forms login for extranet users
    > against a SQL Server database and to impersonate an account that is on
    > an intranet Active Directory.
    >
    > Saying it a different way, I need to impersonate an intranet Active
    > Directory account that must be authenticated using Kerberos
    > authentication.
    >
    > I'm stuck at this point trying to figure out how to programmatically
    > impersonate the account that will be used to access the SQL server. It
    > will only allow Windows authentication; our system uses LDAP Windows
    > auth that runs through a Kerberos portal.
    >
    > *sigh* The only thing I can think of is to programmatically log in the
    > intranet account, get the authentication ticket, assign that ticket to
    > the user, then using the login name and password they provided check the
    > database and determine authorization from there. Is there another way; am
    > I missing something? If I'm not missing something, where can I get the
    > information that I need?
    >
    > EggHeadCafe.com - .NET Developer Portal of Choice
    > http://www.eggheadcafe.com
     
    Consultant, Nov 13, 2006
    #3
  4. Dominick Baier

    Dominick Baier Guest

    why?

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > use the enterprise library
    >
    > <bob> wrote in message news:...
    >
    >> I'm on a network system that has some pretty strict policies that I
    >> cannot change. My criteria are to use forms login for extranet users
    >> against a SQL Server database and to impersonate an account that is on
    >> an intranet Active Directory.
    >>
    >> Saying it a different way, I need to impersonate an intranet Active
    >> Directory account that must be authenticated using Kerberos
    >> authentication.
    >>
    >> I'm stuck at this point trying to figure out how to programmatically
    >> impersonate the account that will be used to access the SQL server.
    >> It will only allow Windows authentication; our system uses LDAP
    >> Windows auth that runs through a Kerberos portal.
    >>
    >> *sigh* The only thing I can think of is to programmatically log in the
    >> intranet account, get the authentication ticket, assign that ticket to
    >> the user, then using the login name and password they provided check
    >> the database and determine authorization from there. Is there another
    >> way; am I missing something? If I'm not missing something, where can I
    >> get the information that I need?
    >>
    >> EggHeadCafe.com - .NET Developer Portal of Choice
    >> http://www.eggheadcafe.co
     
    Dominick Baier, Nov 13, 2006
    #4
  5. Dominick Baier

    Dominick Baier Guest

    In Windows 2003 domains you can impersonate an account by using the UPN (user@domain)

    e.g.

    WindowsIdentity id = new WindowsIdentity(username); // username is a UPN: user@domain
    using (id.Impersonate()) // the returned WindowsImpersonationContext reverts on Dispose()
    { /* calls here run as the impersonated account */ }

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > I'm on a network system that has some pretty strict policies that I
    > cannot change. My criteria are to use forms login for extranet users
    > against a SQL Server database and to impersonate an account that is on
    > an intranet Active Directory.
    >
    > Saying it a different way, I need to impersonate an intranet Active
    > Directory account that must be authenticated using Kerberos
    > authentication.
    >
    > I'm stuck at this point trying to figure out how to programmatically
    > impersonate the account that will be used to access the SQL server. It
    > will only allow Windows authentication; our system uses LDAP Windows
    > auth that runs through a Kerberos portal.
    >
    > *sigh* The only thing I can think of is to programmatically log in the
    > intranet account, get the authentication ticket, assign that ticket to
    > the user, then using the login name and password they provided check
    > the database and determine authorization from there. Is there another
    > way; am I missing something? If I'm not missing something, where can I
    > get the information that I need?
    >
    > EggHeadCafe.com - .NET Developer Portal of Choice
    > http://www.eggheadcafe.com
    >
     
    Dominick Baier, Nov 13, 2006
    #5
  6. Joe Kaplan

    Joe Kaplan Guest

    Is it possible that you can configure the IIS App Pool identity to use the
    domain account you need to log in to both SQL and AD? This is by far the
    easiest way and requires no impersonation. Authentication will use Kerberos
    as long as proper SPNs for all of the identities are configured, otherwise
    it will fail over to NTLM.

    Alternatively, you can call LogonUser (see SDK docs of
    WindowsImpersonationContext for sample) and impersonate or potentially
    configure the ASP.NET identity element to impersonate a specific identity.
    However, I'd stay away from both of those if possible as you then need to
    store the credentials of the identity yourself instead of letting IIS do it
    in the metabase.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <bob> wrote in message news:...
    > I'm on a network system that has some pretty strict policies that I
    > cannot change. My criteria are to use forms login for extranet users
    > against a SQL Server database and to impersonate an account that is on
    > an intranet Active Directory.
    >
    > Saying it a different way, I need to impersonate an intranet Active
    > Directory account that must be authenticated using Kerberos
    > authentication.
    >
    > I'm stuck at this point trying to figure out how to programmatically
    > impersonate the account that will be used to access the SQL server. It
    > will only allow Windows authentication; our system uses LDAP Windows
    > auth that runs through a Kerberos portal.
    >
    > *sigh* The only thing I can think of is to programmatically log in the
    > intranet account, get the authentication ticket, assign that ticket to
    > the user, then using the login name and password they provided check the
    > database and determine authorization from there. Is there another way; am
    > I missing something? If I'm not missing something, where can I get the
    > information that I need?
    >
    > EggHeadCafe.com - .NET Developer Portal of Choice
    > http://www.eggheadcafe.com
     
    Joe Kaplan, Nov 13, 2006
    #6
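    The LogonUser route Joe mentions, written out as an added example (it is not code from the thread or from any of its authors). It targets .NET Framework 4.x on a domain-joined Windows host; the domain, account name and password strings are placeholders, and a real deployment would read them from protected configuration rather than source, which is exactly the credential-storage burden Joe warns about and the reason the app-pool identity is preferable when policy allows it. On .NET Core and .NET 5+, WindowsImpersonationContext does not exist and WindowsIdentity.RunImpersonated is the equivalent.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: impersonate a fixed domain account via LogonUser and revert
// deterministically. Not code from the thread; RunAs and the placeholder
// credentials below are this example's own.
static class FixedAccountImpersonation
{
    // NETWORK_CLEARTEXT keeps the credentials in the logon session, so the impersonated
    // thread can authenticate outbound (Kerberos, falling back to NTLM) to SQL Server.
    // Plain LOGON32_LOGON_NETWORK (3) yields a token that cannot reach remote servers.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as domain\user and restores the caller's identity afterwards,
    // including when 'work' throws.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Win32 error 1326 (ERROR_LOGON_FAILURE) is the usual bad-credential result.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the handle, so the original is closed in 'finally'.
            WindowsIdentity identity = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // Everything here runs as domain\user, e.g. opening a SqlConnection
                // with Integrated Security=SSPI.
                return work();
            } // Dispose() calls Undo(): the thread token is restored even on exception
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void Main()
    {
        // Placeholder values; real code loads them from protected configuration.
        string domain = "CORP", user = "svc-webapp", password = "<placeholder>";

        string ranAs = RunAs(domain, user, password,
                             () => WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Work ran as: " + ranAs);
        Console.WriteLine("Reverted to: " + WindowsIdentity.GetCurrent().Name);
    }
}
```

    The point of wrapping Impersonate() in a using block and the raw handle in try/finally is that a failed revert leaves the worker thread running as the service account for whatever request ASP.NET schedules on it next; the pattern above makes the revert unconditional.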
  7. Joe Kaplan

    Joe Kaplan Guest

    Well, sort of. :)

    In order to actually be able to do anything, the process that created the
    WindowsIdentity must have the "act as part of the operating system" privilege.
    This is not a normal configuration.

    It is a very useful feature all the same...

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > In Windows 2003 domains you can impersonate an account by using the UPN
    > (user@domain)
    >
    > e.g.
    > WindowsIdentity id = new WindowsIdentity(username);
    > id.Impersonate();
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >
    >> I'm on a network system that has some pretty strict policies that I
    >> cannot change. My criteria are to use forms login for extranet users
    >> against a SQL Server database and to impersonate an account that is on
    >> an intranet Active Directory.
    >>
    >> Saying it a different way, I need to impersonate an intranet Active
    >> Directory account that must be authenticated using Kerberos
    >> authentication.
    >>
    >> I'm stuck at this point trying to figure out how to programmatically
    >> impersonate the account that will be used to access the SQL server. It
    >> will only allow Windows authentication; our system uses LDAP Windows
    >> auth that runs through a Kerberos portal.
    >>
    >> *sigh* The only thing I can think of is to programmatically log in the
    >> intranet account, get the authentication ticket, assign that ticket to
    >> the user, then using the login name and password they provided check
    >> the database and determine authorization from there. Is there another
    >> way; am I missing something? If I'm not missing something, where can I
    >> get the information that I need?
    >>
    >> EggHeadCafe.com - .NET Developer Portal of Choice
    >> http://www.eggheadcafe.com
    >>

    >
    >
     
    Joe Kaplan, Nov 14, 2006
    #7
  8. Dominick Baier

    Dominick Baier Guest

    well - for SQL and file access you don't need this privilege.. I tested that

    but I know that some stupid "side effects" can require this often...

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > Well, sort of. :)
    >
    > In order to actually be able to do anything, the process that created
    > the WindowsIdentity must have the "act as part of the operating system"
    > privilege. This is not a normal configuration.
    >
    > It is a very useful feature all the same...
    >
    > Joe K.
    >
     
    Dominick Baier, Nov 14, 2006
    #8
  9. Dominick Baier

    Dominick Baier Guest

    sorry - of course only for remote resources via constrained delegation.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > well - for SQL and file access you don't need this privilege.. I tested
    > that
    >
    > but I know that some stupid "side effects" can require this often...
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >> Well, sort of. :)
    >>
    >> In order to actually be able to do anything, the process that created
    >> the WindowsIdentity must have the "act as part of the operating system"
    >> privilege. This is not a normal configuration.
    >>
    >> It is a very useful feature all the same...
    >>
    >> Joe K.
    >>
     
    Dominick Baier, Nov 14, 2006
    #9
  10. Joe Kaplan

    Joe Kaplan Guest

    Right. That's what I was getting at. The remote stuff is also dicey
    because a lot of stuff in the .NET runtime accesses local resources like
    file system or perf counters on the way out to the remote resource, so a lot
    of things that should work (accessing a remote web service via HTTP) don't
    because they may hit a config file or a perf counter.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > sorry - of course only for remote resources via constrained delegation.
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >
    >> well - for SQL and file access you don't need this privilege.. I tested
    >> that
    >>
    >> but I know that some stupid "side effects" can require this often...
    >>
    >> ---
    >> Dominick Baier, DevelopMentor
    >> http://www.leastprivilege.com
    >>> Well, sort of. :)
    >>>
    >>> In order to actually be able to do anything, the process that created
    >>> the WindowsIdentity must have the "act as part of the operating system"
    >>> privilege. This is not a normal configuration.
    >>>
    >>> It is a very useful feature all the same...
    >>>
    >>> Joe K.
    >>>

    >
    >
     
    Joe Kaplan, Nov 14, 2006
    #10
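    Whether the token from the UPN constructor in #5 is usable at all, which is what #7 through #10 go back and forth about, is something the token itself reports. The following is an added example (not code from the thread or from its authors) for .NET Framework 4.x on a domain-joined Windows host; the UPN and the group name are placeholders. It reads WindowsIdentity.ImpersonationLevel before calling Impersonate(): an Identification-level token, which is what an S4U logon yields when the process lacks SeTcbPrivilege and the account is not trusted for constrained delegation, still answers IsInRole questions, which covers bob's authorization check, but any SQL or file access under it is refused, matching Joe's "this is not a normal configuration" remark.

```csharp
using System;
using System.Security.Principal;

// Added example: inspect the token that new WindowsIdentity(upn) (an S4U logon)
// produces before relying on it. Not code from the thread; UPN and group are placeholders.
static class S4UTokenCheck
{
    // Returns the impersonation level the OS granted for this UPN.
    public static TokenImpersonationLevel Probe(string upn)
    {
        using (WindowsIdentity id = new WindowsIdentity(upn))
        {
            return id.ImpersonationLevel;
        }
    }

    // True only if the token may be used to access resources (local, or remote via
    // constrained delegation). Identification-level tokens fail this check.
    public static bool CanAccessResources(TokenImpersonationLevel level)
    {
        return level == TokenImpersonationLevel.Impersonation
            || level == TokenImpersonationLevel.Delegation;
    }

    // Authorization check that works even with an Identification-level token:
    // group membership is evaluated from the groups carried in the token.
    public static bool IsMemberOf(string upn, string groupName)
    {
        using (WindowsIdentity id = new WindowsIdentity(upn))
        {
            return new WindowsPrincipal(id).IsInRole(groupName);
        }
    }

    static void Main(string[] args)
    {
        string upn   = args.Length > 0 ? args[0] : "svc-webapp@corp.example"; // placeholder
        string group = @"CORP\SqlAppUsers";                                    // placeholder

        TokenImpersonationLevel level = Probe(upn);
        Console.WriteLine("Token level for {0}: {1}", upn, level);
        Console.WriteLine("Member of {0}: {1}", group, IsMemberOf(upn, group));

        if (!CanAccessResources(level))
        {
            // Typical when the worker process lacks SeTcbPrivilege and the account is not
            // trusted for constrained delegation: fine for IsInRole, useless for SQL/files.
            Console.WriteLine("Identification-only token; Impersonate() would not grant access.");
            return;
        }

        using (WindowsIdentity id = new WindowsIdentity(upn))
        using (id.Impersonate())
        {
            // Only reached with an Impersonation- or Delegation-level token.
            Console.WriteLine("Now running as " + WindowsIdentity.GetCurrent().Name);
        }
    }
}
```

    Checking the level up front turns the "stupid side effects" Dominick mentions into a single, loggable decision: the application knows before its first SQL call whether the token it holds can reach anything, instead of discovering it as an access-denied error deep inside the runtime's own config or performance-counter access that Joe describes.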
