Re: ASP.NET Impersonation


From: jongalloway (jongalloway_at_gmail.com)
Date: 10/29/04


Date: 29 Oct 2004 14:21:53 -0700

See Scott Galloway's code for temporary impersonation in an ASP.NET
app:
http://www.mostlylucid.co.uk/archive/2003/12/05/662.aspx

The basic idea is to call into LogonUser and DuplicateToken.

However, you may run into a problem with a scenario called the Single Hop
problem.
http://blogs.geekdojo.net/ryan/archive/2003/12/10/427.aspx
http://blogs.geekdojo.net/justin/archive/2003/12/10/430.aspx

To quote Justin Rudd from his post referenced above:
<quote>
This is what is commonly referred to in the NTLM world as the "one hop"
problem. For example, you are on machine A. You have a process that is
running as you and it calls a DCOM process on Machine B. Depending on
how the DCOM server is set up, it assumes your credentials (think
ASP.NET impersonation). Now if that DCOM server makes a call out to
another DCOM server, the credentials that go across the wire are the
credentials that the process is running as.

In IIS when you use Windows Authentication, you use your single hop as
soon as you connect to the web server. So if you have some code in
ASP.NET try to access a network resource, it will use the ASP.NET
worker process' credentials.
</quote>

You may need to have your ASP.NET application impersonate at the
application level (that's what I've had to fall back on):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfIdentitySection.asp

This just involves a setting in web.config, as you probably know:
<identity impersonate="true|false" userName="domain\username"
password="password"/>

Other alternatives are serviced components and delegation:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp
- Jon
http://weblogs.asp.net/jgalloway
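The LogonUser/DuplicateToken technique Jon points to, written out as an added example. This is not Scott Galloway's code from the linked post and not anything from Jon's reply; the domain, account and share names (CORP, svc_files, \\fileserver\share) are placeholders. It also shows the security-relevant difference between logon types that the one-hop discussion turns on: a LOGON32_LOGON_NETWORK token has no cached credentials, so code running under it cannot authenticate to a second machine, while LOGON32_LOGON_INTERACTIVE (or LOGON32_LOGON_NEW_CREDENTIALS, which keeps your local identity and only swaps the outbound network credentials) can, because this box now holds the password.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not the linked post's code): scoped impersonation of an
// explicit Windows account via LogonUser + DuplicateToken. Dispose() always
// reverts the thread and closes both token handles.
public sealed class TemporaryImpersonation : IDisposable
{
    // Logon types. NETWORK tokens cannot reach a remote resource (the one-hop
    // problem); INTERACTIVE tokens can, because the password is supplied here.
    // NEW_CREDENTIALS keeps the current local identity and only changes the
    // credentials used for outbound network access; it requires the
    // WINNT50 provider.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    public const int LOGON32_PROVIDER_WINNT50 = 3;
    private const int SecurityImpersonation = 2; // SECURITY_IMPERSONATION_LEVEL

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool DuplicateToken(IntPtr existingToken, int impersonationLevel,
                                              out IntPtr duplicateToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private IntPtr primaryToken = IntPtr.Zero;
    private IntPtr impersonationToken = IntPtr.Zero;
    private WindowsImpersonationContext context;

    public TemporaryImpersonation(string domain, string userName, string password, int logonType)
    {
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50
            : LOGON32_PROVIDER_DEFAULT;

        // LogonUser returns a primary token; on Windows 2000 the calling process
        // needs the "Act as part of the operating system" privilege for this call.
        if (!LogonUser(userName, domain, password, logonType, provider, out primaryToken))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        // A thread can only impersonate an impersonation token, hence DuplicateToken.
        if (!DuplicateToken(primaryToken, SecurityImpersonation, out impersonationToken))
        {
            int err = Marshal.GetLastWin32Error();
            CloseHandle(primaryToken);
            throw new Win32Exception(err, "DuplicateToken failed");
        }

        context = new WindowsIdentity(impersonationToken).Impersonate();
    }

    public void Dispose()
    {
        // Revert first, then release the handles the reverted context no longer needs.
        if (context != null) { context.Undo(); context = null; }
        if (impersonationToken != IntPtr.Zero) { CloseHandle(impersonationToken); impersonationToken = IntPtr.Zero; }
        if (primaryToken != IntPtr.Zero) { CloseHandle(primaryToken); primaryToken = IntPtr.Zero; }
    }
}

public static class ImpersonationDemo
{
    // Hypothetical names; the password would come from protected configuration,
    // never from a literal in source.
    public static void ListRemoteShare(string password)
    {
        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        using (new TemporaryImpersonation("CORP", "svc_files", password,
                                          TemporaryImpersonation.LOGON32_LOGON_INTERACTIVE))
        {
            Console.WriteLine("During: " + WindowsIdentity.GetCurrent().Name);
            // With an INTERACTIVE token this second hop succeeds; with a NETWORK
            // token it would fail with access denied, as the quoted post describes.
            foreach (string f in Directory.GetFiles(@"\\fileserver\share"))
                Console.WriteLine(f);
        }
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

The same caveat applies to the `<identity impersonate="true" userName="..." password="..."/>` fallback: it works for the second hop for the same reason (the password is on the web server), so the password in web.config is a credential that every reader of that file now holds. Scope the account to the one share or service it needs, and keep the impersonated region as short as possible; anything that throws inside it must still reach the Undo() in Dispose(), which is why the class is used with `using`.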


