Override Windows auth using global.asax?

Discussion in 'ASP .Net Security' started by gbrowins, Jun 29, 2010.

  1. gbrowins

    Here's my environment
    Win2003 Standard SP2, IIS 6.0, MOSS 2007, .NET 2.0.50727

    IIS website uses MOSS 2007 "Team Site" template and has only IWA
    enabled. Web.config has Windows auth w/ Impersonation:
    <authentication mode="Windows" />
    <identity impersonate="true" />

    IE HTTP headers show that NTLM authentication occurs for the workstation
    user. In global.asax, I've defined
    WindowsAuthentication_OnAuthenticate() and can see the incoming
    Principal/Identity values as:
    WindowsAuthenticationEventArgs.Identity.Name = ACME\testuser
    WindowsAuthenticationEventArgs.Identity.AuthenticationType = Negotiate
    HttpContext.User.Identity = null
    Thread.CurrentPrincipal.Identity = <blank>

    I'm using the KerbS4U extension to create a new WindowsIdentity which
    is then used to create a WindowsPrincipal for the new/overriding user:
    WindowsIdentity winid = new WindowsIdentity("");
    WindowsPrincipal princ = new WindowsPrincipal(winid);

    These succeed and I set the new principal to HttpContext.Current.User
    & Thread.CurrentPrincipal without errors. I've defined both
    Application_AuthenticateRequest() and
    Application_PostAuthenticateRequest() functions in global.asax. These
    show the "new" Identity in the HttpContext.Current.User &
    Thread.CurrentPrincipal, but the "Welcome <DOMAIN\username>" in the
    upper-right menu of the default.aspx homepage itself still shows the
    name from the initial IWA!

    Does anyone have any ideas about where this is breaking down?

    -Gregg
     
    gbrowins, Jun 29, 2010
    #1
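
An added diagnostic example (not code from the original post or from SharePoint): these global.asax handlers record, at each of the three events named in the post, the managed principals next to the Windows tokens the request carries. The principal objects and the tokens are separate things, and assigning HttpContext.Current.User does not replace a token. The class name, helper names and log format are assumptions; the syntax is kept to C# 2.0 to match the .NET 2.0 environment described.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Hypothetical class name; reference it from global.asax with Inherits="IdentityTraceApplication".
public class IdentityTraceApplication : HttpApplication
{
    private static string IdName(IIdentity id)
    {
        if (id == null) return "<null>";
        return String.IsNullOrEmpty(id.Name) ? "<blank>" : id.Name;
    }

    private static string PrincipalName(IPrincipal p)
    {
        return p == null ? "<null>" : IdName(p.Identity);
    }

    // Read-only: nothing is assigned, so the output reflects what earlier handlers left in place.
    private static void Dump(string stage, IIdentity eventIdentity)
    {
        HttpContext ctx = HttpContext.Current;
        string line = String.Format(
            "|{0}:evt={1};ctxUser={2};threadPrincipal={3};logonUser={4};osToken={5}",
            stage,
            IdName(eventIdentity),                      // identity handed to the event, if any
            PrincipalName(ctx.User),                    // managed principal on the request
            PrincipalName(Thread.CurrentPrincipal),     // managed principal on the thread
            IdName(ctx.Request.LogonUserIdentity),      // token of the user IIS authenticated
            IdName(WindowsIdentity.GetCurrent()));      // token the thread is running under
        ctx.Response.AppendToLog(line);                 // appended to this request's IIS log entry
    }

    protected void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        Dump("OnAuthenticate", e.Identity);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        Dump("AuthenticateRequest", null);
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        Dump("PostAuthenticateRequest", null);
    }
}
```

Comparing ctxUser and threadPrincipal with logonUser and osToken for one request shows which layer still carries the original IWA identity after the override.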