Who am I impersonating?

Gary Bagen

Is there a way I can get the user of the identity I will be
impersonating to get network resources?

I know WindowsIdentity.GetCurrent().Name for the person coming into
the ASP.NET app but I want to do some testing of different
combinations of impersonating based on Anon, Windows Auth, and
impersonate = true in web.config. So I am looking for the identity
that will be used for the ASP.NET app to go to a network resource.

thanks,
Gar
 
Aaron Margosis [MS]

If the question is, "can I impersonate the caller in such a way that I can
access network resources as that caller", then:

If you are using integrated Windows authentication at the IIS level, the
answer is "no", unless:
* You enable Kerberos delegation for the account and the machines involved
in the delegation, or
* Your web browser is on the same machine as the web server.

If you are using Basic authentication at the IIS level, the answer is "yes"
if Basic auth is configured to use "interactive" logon. This is the default
for IIS5. (I'm blanking all of a sudden as to whether it is the default for
IIS6, but I think it isn't.)

-- Aaron
 
Gary Bagen

Hi Aaron,

I understand what you are describing, but I have done a poor job of
asking the right question.

For production, what we plan on doing is using the ProcessModel
element of Machine.Config on the web servers to point to a registry
location for username/password attributes which will use aspnetreg.exe
for encryption.

We want to test this out before making a final recommendation. So,
with my ASP.NET temporary test app, I just wanted to display the name
of the user the ASP.NET app will use to try and access network
resources.

Then I can show depending on how machine.config, web.config, IIS
Anonymous and IIS Windows Authentication settings determine who will
try and use network resources from the ASP.NET app. This is not
something we will be doing in production.

Thanks,
Gar
 
Tim Thacker

I've got a similar issue and I think I'm running into the same problem.
I've got an ASPX Page on Server A. Web Service on Server B. I need to
pass the Windows Credentials through Server A to Server B. I've set the
Impersonate options, turned on Windows Auth. When I run IE from Server A
everything works fine. Run it from anywhere else and I get Access
Denied. Is this by design or am I doing something wrong?

Thanks!
Tim
 
Alek Davis

Tim,

This is by design (as Aaron described). To summarize, in a typical situation
(integrated authentication), you cannot pass a user's credentials over one
machine (i.e. from computer A (IE) through server B (ASPX) to server C (SQL
Server/Web Service/etc)), unless you enable Kerberos/delegation on the
network, which is generally not recommended for security reasons.

Alek
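
A diagnostic handler for the test described in this thread, added here as an example and not posted by any participant: it reports the request user, the identity on the executing thread, and the worker process account, so each combination of IIS and web.config settings can be compared. The handler name `WhoAmI` is hypothetical, and .NET Framework 2.0 or later is assumed (for `ImpersonationLevel` and `GetCurrent(bool)`).

```csharp
// Added example, not code from the thread. Hypothetical handler name: WhoAmI.
// Save as WhoAmI.ashx with this first line:
//   <%@ WebHandler Language="C#" Class="WhoAmI" %>
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Who IIS/ASP.NET authenticated for this request (empty name when anonymous).
        IPrincipal user = context.User;
        r.Write("Request user      : " + (user != null ? user.Identity.Name : "(none)") + "\n");
        r.Write("Request auth type : " + (user != null ? user.Identity.AuthenticationType : "(none)") + "\n");

        // Token on the executing thread: the impersonated account when
        // <identity impersonate="true" /> is set, otherwise the process account.
        // Windows presents this token when the code opens a network resource;
        // the name alone does not say whether it can authenticate to another machine.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        r.Write("Thread identity   : " + current.Name + "\n");
        r.Write("Token auth type   : " + current.AuthenticationType + "\n");
        r.Write("Impersonation lvl : " + current.ImpersonationLevel + "\n");

        // GetCurrent(true) returns null when the thread is not impersonating.
        r.Write("Is impersonating  : " + (WindowsIdentity.GetCurrent(true) != null) + "\n");

        // Temporarily drop impersonation to read the worker process account
        // (the <processModel> identity discussed in the thread).
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.Write("Process identity  : " + WindowsIdentity.GetCurrent().Name + "\n");
        }
    }
}
```

Request the handler from a browser on the web server and again from another machine: the same thread identity name can appear in both cases even though only some of those tokens can reach a second server, which is the behaviour Aaron and Alek describe. An impersonation level of `Delegation` indicates a token obtained with Kerberos delegation enabled.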
 
