Impersonation of an existing user in AD when logged in as admin:Possible?

Discussion in 'ASP .Net Security' started by MarkusJ_NZ, Jun 17, 2009.

  1. MarkusJ_NZ

    MarkusJ_NZ Guest

    Hi, I was wondering if the following was possible.

    A user logs in using Forms Authentication which is aithenticated
    against AD and is set a FormsAuthentication Cookie.

    If the user is an admin user I would like to be able to impersonate
    another user simply by passing through the username. I was hoping that
    because the current user is an Admin user they could easily
    impersonate another user without having to supply the others users

    The sceptic in me knows that this should probably not work as a user
    should have to supply the existing username / password of a user if
    the want to impersonate another user but I thought that I would just
    ask :)

    Thanks for any response / help
    MarkusJ_NZ, Jun 17, 2009
    1. Advertisements

  2. MarkusJ_NZ

    Joe Kaplan Guest

    You can use protocol transition logon to get a WindowsIdentity for an
    arbitrary user if you know their UPN. This token can be impersonated and
    used to access local resources if the process that executes the
    WindowsIdentity constructor has TCB privilege aka "act as part of the
    operating system" (which usually you would not in a web app).

    To use this constructor for WindowsIdentity, you must have a 2003+ server
    and must have a 2003+ native forest mode AD.

    If you can't use protocol transition, you'll need credentials for the user.
    Joe Kaplan, Jun 17, 2009
    1. Advertisements

  3. MarkusJ_NZ

    MarkusJ_NZ Guest

    Thanks for the response Joe

    best wishes
    MarkusJ_NZ, Jun 17, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.