Security Challenge: Runtime impersonation without calling LogonUse

Discussion in 'ASP .Net Security' started by Web Developer, Jun 24, 2005.

  1. I have an ASP.Net web application that uses Integrated Authentication. I'd
    like to impersonate the person making the request at RUNTIME instead of
    specifying impersonate="true" in the web.config.

    Does anyone know how I can get the requesting user's userToken to pass to
    the Impersonate method of the
    System.Threading.Thread.CurrentPrincipal.Identity?

    i.e.
    'Retrieve the requesting user's security token
    Dim userToken As IntPtr = /Some call here/

    Dim MyImpersonationContext As System.Security.Principal.WindowsImpersonationContext

    'Temporarily impersonate the requesting user
    MyImpersonationContext = CType(System.Threading.Thread.CurrentPrincipal.Identity(), System.Security.Principal.WindowsIdentity).Impersonate(userToken)

    'Call a web service using the logged-on user's credentials

    'Revert the impersonation
    MyImpersonationContext.Undo()

    Thanks for your help!
    Web Developer, Jun 24, 2005
    #1

  2. June 24, 2005

    From what I understand, you are looking to create an impersonation
    context from the web application's USER and Not the local web application's
    service account. In this case, the easiest way would be to disable anonymous
    auth in IIS & enable Windows Int. Auth and to disable anonymous auth in the
    web.config. You do Not need to put the impersonation=true element in though.
    Then use the code:

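    Dim context As System.Security.Principal.WindowsImpersonationContext
    'User.Identity is typed as IIdentity, so cast it to WindowsIdentity to reach Impersonate()
    context = CType(User.Identity, System.Security.Principal.WindowsIdentity).Impersonate()
    Try
        'do something
    Finally
        context.Undo()
    End Try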

    User is a WindowsPrincipal object which contains the web application's user
    identity and Not the service account of the application. You can use the
    Identity.impersonate from it. I'm not quite sure what the usertoken you are
    wanting is needed for, but I do believe that somewhere under User.Identity.
    there is a usertoken property. This should work, and I hope this helps! :)
    Let me know how it turns out!


    --
    Joseph Bittman
    Microsoft Certified Application Developer



    "Web Developer" <> wrote in message
    news:...
    >I have an ASP.Net web application that uses Integrated Authentication. I'd
    > like to impersonate the person making the request at RUNTIME instead of
    > specifying impersonate="true" in the web.config.
    >
    > Does anyone know how I can get the requesting user's userToken to pass to
    > the Impersonate method of the
    > System.Threading.Thread.CurrentPrincipal.Identity?
    >
    > i.e.
    > 'Retrieve the requesting user's security token
    > Dim userToken as IntPtr = /Some call here/
    >
    > Dim MyImpersonationContext As
    > System.security.Principal.WindowsImpersonationContext
    >
    > 'Temporarily impersonate the requesting user
    > MyImpersonationContext =
    > CType(System.Threading.Thread.CurrentPrincipal.Identity(),
    > System.Security.Principal.WindowsIdentity).Impersonate(userToken)
    >
    > 'Call a web service with using the logged-on user's credentials
    >
    > 'Revert the impersonation
    > MyImpersonationContext.Undo()
    >
    > Thanks for your help!
    Joseph Bittman MCAD, Jun 24, 2005
    #2

  3. Re: Security Challenge: Runtime impersonation without calling Logo

    Thanks for your reply Joseph.

    What I'm trying to do is make a web service call from my web application
    using the credentials of the authenticated user. After I call "context =
    USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials =
    System.Net.CredentialCache.DefaultCredentials" to add the authenticated
    user's credentials to the web service proxy. However, the DefaultCredentials
    are null.

    Do you know how I can pass the credentials of the authenticated user to the
    web service proxy?

    Thank you again.
    Web Developer, Jun 24, 2005
    #3
  4. Re: Security Challenge: Runtime impersonation without calling Logo

    If you are using IWA in IIS, you will need Kerberos delegation to get this
    scenario to work since it is a double hop. The code you are using is
    actually correct. It is actually easier to just use impersonate="true", but
    there may be some reason why you don't want impersonation on for the whole
    request.

    I'd suggest reading some of the documentation on Kerberos delegation to
    figure out what it is that you need to do and how to troubleshoot it.
    http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    Joe K.

    "Web Developer" <> wrote in message
    news:...
    > Thanks for your reply Joseph.
    >
    > What I'm trying to do is make a web service call from my web application
    > using the credentials of the authenticated user. After I call "context =
    > USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials
    > =
    > System.Net.CredentialCache.DefaultCredentials" to add the authenticated
    > user's credentials to the web service proxy. However, the
    > DefaultCredentials
    > are null.
    >
    > Do you know how I can pass the credentials of the authenticated user to
    > the
    > web service proxy?
    >
    > Thank you again.
    Joe Kaplan (MVP - ADSI), Jun 24, 2005
    #4
  5. Re: Security Challenge: Runtime impersonation without calling Logo

    June 24, 2005

    It is perfectly understandable that he doesn't want to use
    impersonate=true. If the user is an Administrator, it would not be as secure
    by having the entire request be under that account. Instead as an
    application security best practice, you should impersonate right before and
    ONLY during the sensitive task time period...... :)

    --
    Joseph Bittman
    Microsoft Certified Application Developer



    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > If you are using IWA in IIS, you will need Kerberos delegation to get this
    > scenario to work since it is a double hop. The code you are using is
    > actually correct. It is actually easier to just use impersonate="true",
    > but there may be some reason why you don't want impersonation on for the
    > whole request.
    >
    > I'd suggest reading some of the documentation on Kerberos delegation to
    > figure out what it is that you need to do and how to troubleshoot it.
    > http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    >
    > Joe K.
    >
    > "Web Developer" <> wrote in message
    > news:...
    >> Thanks for your reply Joseph.
    >>
    >> What I'm trying to do is make a web service call from my web application
    >> using the credentials of the authenticated user. After I call "context =
    >> USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials
    >> =
    >> System.Net.CredentialCache.DefaultCredentials" to add the authenticated
    >> user's credentials to the web service proxy. However, the
    >> DefaultCredentials
    >> are null.
    >>
    >> Do you know how I can pass the credentials of the authenticated user to
    >> the
    >> web service proxy?
    >>
    >> Thank you again.

    >
    >
    Joseph Bittman MCAD, Jun 25, 2005
    #5
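
Added example, not part of any post in this thread: a helper that impersonates the request user only around the sensitive call and first checks whether the token can make the second hop that replies #4 and #5 discuss. The names ScopedImpersonation, SensitiveTask, CanDelegate and RunAsRequestUser are hypothetical; it assumes .NET Framework 2.0 or later, Integrated Windows Authentication, and anonymous access disabled.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web

Public Module ScopedImpersonation

    ' Hypothetical delegate type for the work to run as the caller.
    Public Delegate Sub SensitiveTask()

    ' True only if the token may be forwarded to another machine (second hop).
    ' NTLM logons and Kerberos logons without delegation configured produce an
    ' Impersonation-level token, which is usable on the web server only.
    Public Function CanDelegate(ByVal id As WindowsIdentity) As Boolean
        Return id IsNot Nothing AndAlso id.IsAuthenticated AndAlso _
               id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Impersonates the authenticated request user for the duration of 'task'
    ' only, and reverts in Finally so an exception cannot leave the thread
    ' running as that user.
    Public Sub RunAsRequestUser(ByVal task As SensitiveTask)
        Dim id As WindowsIdentity = _
            TryCast(HttpContext.Current.User.Identity, WindowsIdentity)
        If id Is Nothing OrElse Not id.IsAuthenticated Then
            Throw New InvalidOperationException( _
                "No authenticated Windows identity on this request.")
        End If
        If Not CanDelegate(id) Then
            ' Fail loudly instead of sending an empty credential downstream.
            Throw New InvalidOperationException( _
                "Token for " & id.Name & " (" & id.AuthenticationType & _
                ") is at level " & id.ImpersonationLevel.ToString() & _
                "; a remote call would not carry the user's credentials.")
        End If

        Dim ctx As WindowsImpersonationContext = id.Impersonate()
        Try
            task.Invoke()
        Finally
            ctx.Undo()
        End Try
    End Sub

End Module
```

Inside the task passed to RunAsRequestUser, assign System.Net.CredentialCache.DefaultCredentials to the proxy's Credentials property as in post #3. If the exception reports Impersonation rather than Delegation, the fix is in the Kerberos delegation configuration, not in the code.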