Security Challenge: Runtime impersonation without calling LogonUse

W

Web Developer

I have an ASP.Net web application that uses Integrated Authentication. I'd
like to impersonate the person making the request at RUNTIME instead of
specifying impersonate="true" in the web.config.

Does anyone know how I can get the requesting user's userToken to pass to
the Impersonate method of the
System.Threading.Thread.CurrentPrincipal.Identity?

i.e.
'Retrieve the requesting user's security token
Dim userToken as IntPtr = /Some call here/

Dim MyImpersonationContext As
System.security.Principal.WindowsImpersonationContext

'Temporarily impersonate the requesting user
MyImpersonationContext =
CType(System.Threading.Thread.CurrentPrincipal.Identity(),
System.Security.Principal.WindowsIdentity).Impersonate(userToken)

'Call a web service with using the logged-on user's credentials

'Revert the impersonation
MyImpersonationContext.Undo()

Thanks for your help!
 
J

Joseph Bittman MCAD

June 24, 2005

From what I understand, you are looking to create an impersonation
context from the web application's USER and Not the local web application's
service account. In this case, the easiest way would be to disable anonymous
auth in IIS & enable Windows Int. Auth and to disable anonymous auth in the
web.config. You do Not need to put the impersonation=true element in though.
Then use the code:

Dim context as windowsimpersonationcontext
context = USER.identity.impersonate
'do something
context.undo

User is a WindowsPrincipal object which contains the web application's user
identity and Not the service account of the application. You can use the
Identity.impersonate from it. I'm not quite sure what the usertoken you are
wanting is needed for, but I do believe that somewhere under User.Identity.
there is a usertoken property. This should work, and I hope this helps! :)
Let me know how it turns out!
 
W

Web Developer

Thanks for your reply Joseph.

What I'm trying to do is make a web service call from my web application
using the credentials of the authenticated user. After I call "context =
USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials =
System.Net.CredentialCache.DefaultCredentials" to add the authenticated
user's credentials to the web service proxy. However, the DefaultCredentials
are null.

Do you know how I can pass the credentials of the authenticated user to the
web service proxy?

Thank you again.
 
J

Joe Kaplan \(MVP - ADSI\)

If you are using IWA in IIS, you will need Kerberos delegation to get this
scenario to work since it is a double hop. The code you are using is
actually correct. It is actually easier to just use impersonate="true", but
there may be some reason why you don't want impersonation on for the whole
request.

I'd suggest reading some of the documentation on Kerberos delegation to
figure out what it is that you need to do and how to troubleshoot it.
http://msdn.microsoft.com/vstudio/u...l/SecNetHT05.asp?FRAME=true#ImplementKerberos
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Joe K.
 
J

Joseph Bittman MCAD

June 24, 2005

It is perfectly understandable that he doesn't want to use
impersonate=true. If the user is an Administrator, it would not be as secure
by having the entire request be under that account. Instead as an
application security best practice, you should impersonate right before and
ONLY during the sensitive task time period...... :)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,734
Messages
2,569,441
Members
44,832
Latest member
GlennSmall

Latest Threads

Top