Multiple Users with impersonation using one account

Jeff

Hi All,

I have several intranet applications that use impersonate=true and
anonymous turned off to allow me to check for certain network users to
use the application. Works great.

However, some applications use resources such as the file system for
writing temporary files, or for opening files on other network servers.
I don't want to maintain all of the security for each user on each
resource. Is there a way to specify "when opening this file, don't use
the credentials of who is logged in, use mydomain\joeuser instead"?

Thanks,
Jeff
 
Dominick Baier [DevelopMentor]

Hi,

you don't need impersonation to check for user identity - Context.User.Identity.Name
is populated with the client's name

is there any other need for impersonation??

you can revert back to process identity by calling WindowsIdentity.Impersonate(IntPtr.Zero)
or use LogonUser to get a token for a different user that you can impersonate.
But this also requires the password.

Windows Server 2003 also offers Protocol Transition which allows you to get
a token without knowledge of the password.

But you should sort out first if impersonation is a requirement.
 
Jeff

Dominick,

Thanks for your great reply. I removed the <identity impersonate='True'
/> and used your suggestion of Context.User.Identity.Name. Works great.
I notice that the application is now acting as the user: NT
AUTHORITY\SYSTEM.

How can I give this user access to files on a different server?

Thanks!
Jeff
 
Dominick Baier [DevelopMentor]

Hi,

what operating system are you using?

how did you figure out under which account the application is running - by
calling WindowsIdentity.GetCurrent().Name ?
 
Jeff

I am using Windows Server 2000, not sure which SP.

The following line displays NT AUTHORITY\SYSTEM

Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent.Name)

Which I am assuming is the current user. Yes, I do know what happens
when I assume!

Thanks,
Jeff
 
Dominick Baier [DevelopMentor]

Hi,

ok .-

the client identity is in Context.User

WindowsIdentity.GetCurrent() gives you the account the process is running
under - this account is used for resource access when no impersonation is
enabled.

Any reason why you are running as SYSTEM?? This is generally not recommended
because this is a very high privileged account - this is also not the default
for ASP.NET under Windows 2000 -

i guess you made changes to the processModel element in machine.config.

To be able to access resources on remote machines, you have several options

a) configure your worker process to run under a specific account, this could
be a domain account or a local account, with a mirrored counterpart on the
remote machine
this will affect all applications on the server
b) you can set impersonation in web.config for a fixed identity using <identity
impersonate="true" userName="xx" password="xx" /> - this will only affect
the current application
c) you can impersonate programmatically by using LogonUser / WindowsIdentity.Impersonate

config vs. code

i would

a) lower the privileges of ASP.NET to the default (which is the ASPNET account)
- if possible
b) use programmatic impersonation when needed
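
Programmatic impersonation scoped to a single file read, as an added example that is not part of the thread: it takes a token from LogonUser, impersonates only for the duration of the read, and always reverts. FixedIdentityFile and ReadAllTextAs are hypothetical names, and the password is assumed to come from a protected store rather than source code; note that on Windows 2000 the account calling LogonUser needs the "Act as part of the operating system" privilege.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (hypothetical names): run one file operation as a fixed
// account, then revert to the identity the thread had before.
public sealed class FixedIdentityFile
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads a file as domain\user instead of the caller or the process account.
    // Assumption: the caller fetches the password from a protected store.
    public static string ReadAllTextAs(string domain, string user,
                                       string password, string path)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            ctx = new WindowsIdentity(token).Impersonate();
            using (StreamReader reader = new StreamReader(path))
                return reader.ReadToEnd();
        }
        finally
        {
            // Always revert: otherwise the pooled thread keeps the borrowed
            // identity when it goes on to serve another request.
            if (ctx != null) ctx.Undo();
            CloseHandle(token);
        }
    }
}
```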
 
Dominick Baier [DevelopMentor]

Oh - i forgot another option - upgrade to Windows 2003 - IIS6 gives you multiple
worker processes which can all have distinct identities -

that's the feature you really need.
 
Jeff

Dominick,

That was great thanks. I added the userName password section to the
identity tag, switched to using the Context to find the user and now I
can set permissions once. Perfect!

I would love to upgrade to 2003, but that is out of my hands.

Thanks again Dominick!!

Jeff
 
