Impersonate asp application to run like IIS basic authentication.

Hi,
I need to build and asp page which access a remote windows server's
registry and create a registry key.
In order for the ASP page to be able to access the registry on the
remote server I need it to run using credentials supplied by the user.
When using basic authentication this is not an issue since the user
has to provide a user name and password.
But I don't want to use basic authentication so I created a login form
and I am using FORMS authentication to force the user to login.
The problem is that was unable to force the asp application to
impersonate to the user who logged in to the application.
Any help on this would be appreciated.
Thanks,
Erez.

Erez Shor

Basic auth uses a credential store from the machine or the domain. Forms
auth is completely separate to this and does not use any form of credential
store apart from either the web.config or what you do in code to verify the
credentials. Using impersonation will probably just impersonate the local
ASPNET account (under which ASP.NET runs).

--
- Paul Glavich


"Erez Shor" <> wrote in message
news: om...
> Hi,
> I need to build and asp page which access a remote windows server's
> registry and create a registry key.
> In order for the ASP page to be able to access the registry on the
> remote server I need it to run using credentials supplied by the user.
> When using basic authentication this is not an issue since the user
> has to provide a user name and password.
> But I don't want to use basic authentication so I created a login form
> and I am using FORMS authentication to force the user to login.
> The problem is that was unable to force the asp application to
> impersonate to the user who logged in to the application.
> Any help on this would be appreciated.
> Thanks,
> Erez.

Paul Glavich

This is exactly what I am seeing.
So is there any other way I can have my application access the remote
server using a logged in account and not the local machine account?
Erez.


"Paul Glavich" <-NOSPAM> wrote in message news:<#>...
> Basic auth uses a credential store from the machine or the domain. Forms
> auth is completely separate to this and does not use any form of credential
> store apart from either the web.config or what you do in code to verify the
> credentials. Using impersonation will probably just impersonate the local
> ASPNET account (under which ASP.NET runs).
>
> --
> - Paul Glavich
>
>
> "Erez Shor" <> wrote in message
> news: om...
> > Hi,
> > I need to build and asp page which access a remote windows server's
> > registry and create a registry key.
> > In order for the ASP page to be able to access the registry on the
> > remote server I need it to run using credentials supplied by the user.
> > When using basic authentication this is not an issue since the user
> > has to provide a user name and password.
> > But I don't want to use basic authentication so I created a login form
> > and I am using FORMS authentication to force the user to login.
> > The problem is that was unable to force the asp application to
> > impersonate to the user who logged in to the application.
> > Any help on this would be appreciated.
> > Thanks,
> > Erez.

Erez Shor

You can do a couple of things. In code, you can manually impersonate
(WindowsIdentity.Impersonate() / WindowsImpersonationContext class) a user
and access the remote server, or you can specify this user within the
web.config file. Something like :-

<identity impersonate="true" userName="domain\username"
password="password"/>

--
- Paul Glavich


"Erez Shor" <> wrote in message
news: om...
> This is exactly what I am seeing.
> So is there any other way I can have my application access the remote
> server using a logged in account and not the local machine account?
> Erez.
>
>
> "Paul Glavich" <-NOSPAM> wrote in message
news:<#>...
> > Basic auth uses a credential store from the machine or the domain. Forms
> > auth is completely separate to this and does not use any form of
credential
> > store apart from either the web.config or what you do in code to verify
the
> > credentials. Using impersonation will probably just impersonate the
local
> > ASPNET account (under which ASP.NET runs).
> >
> > --
> > - Paul Glavich
> >
> >
> > "Erez Shor" <> wrote in message
> > news: om...
> > > Hi,
> > > I need to build and asp page which access a remote windows server's
> > > registry and create a registry key.
> > > In order for the ASP page to be able to access the registry on the
> > > remote server I need it to run using credentials supplied by the user.
> > > When using basic authentication this is not an issue since the user
> > > has to provide a user name and password.
> > > But I don't want to use basic authentication so I created a login form
> > > and I am using FORMS authentication to force the user to login.
> > > The problem is that was unable to force the asp application to
> > > impersonate to the user who logged in to the application.
> > > Any help on this would be appreciated.
> > > Thanks,
> > > Erez.

Paul Glavich

Paul,
I know I can use the web.config file but then the account used is
constant and I want it to change using the user name logged in it to
the application.
As for WindowsImpersonationContext I tried using it but was unable to
get it to work. What I did was to use forms authentication and use
WindowsIdentity.Impersonate(User.Identity.Name.ToS tring()) but I
received a cast error.
Do you have a code example which works?
Erez.


"Paul Glavich" <-NOSPAM> wrote in message news:<#2#>...
> You can do a couple of things. In code, you can manually impersonate
> (WindowsIdentity.Impersonate() / WindowsImpersonationContext class) a user
> and access the remote server, or you can specify this user within the
> web.config file. Something like :-
>
> <identity impersonate="true" userName="domain\username"
> password="password"/>
>
> --
> - Paul Glavich
>
>
> "Erez Shor" <> wrote in message
> news: om...
> > This is exactly what I am seeing.
> > So is there any other way I can have my application access the remote
> > server using a logged in account and not the local machine account?
> > Erez.
> >
> >
> > "Paul Glavich" <-NOSPAM> wrote in message
> news:<#>...
> > > Basic auth uses a credential store from the machine or the domain. Forms
> > > auth is completely separate to this and does not use any form of
> credential
> > > store apart from either the web.config or what you do in code to verify
> the
> > > credentials. Using impersonation will probably just impersonate the
> local
> > > ASPNET account (under which ASP.NET runs).
> > >
> > > --
> > > - Paul Glavich
> > >
> > >
> > > "Erez Shor" <> wrote in message
> > > news: om...
> > > > Hi,
> > > > I need to build and asp page which access a remote windows server's
> > > > registry and create a registry key.
> > > > In order for the ASP page to be able to access the registry on the
> > > > remote server I need it to run using credentials supplied by the user.
> > > > When using basic authentication this is not an issue since the user
> > > > has to provide a user name and password.
> > > > But I don't want to use basic authentication so I created a login form
> > > > and I am using FORMS authentication to force the user to login.
> > > > The problem is that was unable to force the asp application to
> > > > impersonate to the user who logged in to the application.
> > > > Any help on this would be appreciated.
> > > > Thanks,
> > > > Erez.

Erez Shor

You have to do a little bit more than that. Below is some code that is taken
directly from the MSDN library.

If you have the MSDN library or Visual Studio.NET installed, you should be
able to paste the link below into a browser or the MSDN address bar and get
the same.

Link is :
ms-help://MS.MSDNQTR.2003FEB.1033/cpref/html/frlrfsystemsecurityprincipalwin
dowsimpersonationcontextclasstopic.htm


**************Code Sample Below*********************


// This sample demonstrates the use of the WindowsIdentity class to
impersonate a user.
// IMPORTANT NOTES:
// This sample can be run only on Windows XP. The default Windows 2000
security policy
// prevents this sample from executing properly, and changing the policy to
allow
// proper execution presents a security risk.
// This sample requests the user to enter a password on the console screen.
// Because the console window does not support methods allowing the password
to be masked,
// it will be visible to anyone viewing the screen.

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Security.Permissions;

[assembly:SecurityPermissionAttribute(SecurityActio n.RequestMinimum,
UnmanagedCode=true)]
[assemblyermissionSetAttribute(SecurityAction.Req uestMinimum, Name =
"FullTrust")]
public class ImpersonationDemo
{
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("kernel32.dll",
CharSet=System.Runtime.InteropServices.CharSet.Aut o)]
private unsafe static extern int FormatMessage(int dwFlags, ref IntPtr
lpSource,
int dwMessageId, int dwLanguageId, ref String lpBuffer, int nSize,
IntPtr *Arguments);

[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle);

[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);


// GetErrorMessage formats and returns an error message
// corresponding to the input errorCode.
public unsafe static string GetErrorMessage(int errorCode)
{
int FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100;
int FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200;
int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000;

int messageSize = 255;
String lpMsgBuf = "";
int dwFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS;

IntPtr ptrlpSource = IntPtr.Zero;
IntPtr prtArguments = IntPtr.Zero;

int retVal = FormatMessage(dwFlags, ref ptrlpSource, errorCode, 0,
ref lpMsgBuf, messageSize, &prtArguments);
if (0 == retVal)
{
throw new Exception("Failed to format message for error code " +
errorCode + ". ");
}

return lpMsgBuf;
}

// Test harness.
// If you incorporate this code into a DLL, be sure to demand FullTrust.
[PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
public static void Main(string[] args)
{
IntPtr tokenHandle = new IntPtr(0);
IntPtr dupeTokenHandle = new IntPtr(0);
try
{
string UserName, MachineName;

// Get the user token for the specified user, machine, and
password using the
// unmanaged LogonUser method.

Console.Write("Enter the name of a machine on which to log on:
");
MachineName = Console.ReadLine();

Console.Write("Enter the login of a user on {0} that you wish to
impersonate: ", MachineName);
UserName = Console.ReadLine();

Console.Write("Enter the password for {0}: ", UserName);

const int LOGON32_PROVIDER_DEFAULT = 0;
//This parameter causes LogonUser to create a primary token.
const int LOGON32_LOGON_INTERACTIVE = 2;
const int SecurityImpersonation = 2;

tokenHandle = IntPtr.Zero;
dupeTokenHandle = IntPtr.Zero;

// Call LogonUser to obtain a handle to an access token.
bool returnValue = LogonUser(UserName, MachineName,
Console.ReadLine(),
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
ref tokenHandle);

Console.WriteLine("LogonUser called.");

if (false == returnValue)
{
int ret = Marshal.GetLastWin32Error();
Console.WriteLine("LogonUser failed with error code : {0}",
ret);
Console.WriteLine("\nError: [{0}] {1}\n", ret,
GetErrorMessage(ret));

return;
}

Console.WriteLine("Did LogonUser Succeed? " + (returnValue?
"Yes" : "No"));
Console.WriteLine("Value of Windows NT token: " +
tokenHandle);

// Check the identity.
Console.WriteLine("Before impersonation: "
+ WindowsIdentity.GetCurrent().Name);

bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation,
ref dupeTokenHandle);
if (false == retVal)
{
CloseHandle(tokenHandle);
Console.WriteLine("Exception thrown in trying to duplicate
token.");
return;
}

// The token that is passed to the following constructor must
// be a primary token in order to use it for impersonation.
WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
WindowsImpersonationContext impersonatedUser =
newId.Impersonate();

// Check the identity.
Console.WriteLine("After impersonation: "
+ WindowsIdentity.GetCurrent().Name);

// Stop impersonating the user.
impersonatedUser.Undo();

// Check the identity.
Console.WriteLine("After Undo: " +
WindowsIdentity.GetCurrent().Name);

// Free the tokens.
if (tokenHandle != IntPtr.Zero)
CloseHandle(tokenHandle);
if (dupeTokenHandle != IntPtr.Zero)
CloseHandle(dupeTokenHandle);
}
catch(Exception ex)
{
Console.WriteLine("Exception occurred. " + ex.Message);
}

}
}


--
- Paul Glavich


"Erez Shor" <> wrote in message
news: om...
> Paul,
> I know I can use the web.config file but then the account used is
> constant and I want it to change using the user name logged in it to
> the application.
> As for WindowsImpersonationContext I tried using it but was unable to
> get it to work. What I did was to use forms authentication and use
> WindowsIdentity.Impersonate(User.Identity.Name.ToS tring()) but I
> received a cast error.
> Do you have a code example which works?
> Erez.
>
>
> "Paul Glavich" <-NOSPAM> wrote in message
news:<#2#>...
> > You can do a couple of things. In code, you can manually impersonate
> > (WindowsIdentity.Impersonate() / WindowsImpersonationContext class) a
user
> > and access the remote server, or you can specify this user within the
> > web.config file. Something like :-
> >
> > <identity impersonate="true" userName="domain\username"
> > password="password"/>
> >
> > --
> > - Paul Glavich
> >
> >
> > "Erez Shor" <> wrote in message
> > news: om...
> > > This is exactly what I am seeing.
> > > So is there any other way I can have my application access the remote
> > > server using a logged in account and not the local machine account?
> > > Erez.
> > >
> > >
> > > "Paul Glavich" <-NOSPAM> wrote in message
> > news:<#>...
> > > > Basic auth uses a credential store from the machine or the domain.
Forms
> > > > auth is completely separate to this and does not use any form of
> > credential
> > > > store apart from either the web.config or what you do in code to
verify
> > the
> > > > credentials. Using impersonation will probably just impersonate the
> > local
> > > > ASPNET account (under which ASP.NET runs).
> > > >
> > > > --
> > > > - Paul Glavich
> > > >
> > > >
> > > > "Erez Shor" <> wrote in message
> > > > news: om...
> > > > > Hi,
> > > > > I need to build and asp page which access a remote windows
server's
> > > > > registry and create a registry key.
> > > > > In order for the ASP page to be able to access the registry on the
> > > > > remote server I need it to run using credentials supplied by the
user.
> > > > > When using basic authentication this is not an issue since the
user
> > > > > has to provide a user name and password.
> > > > > But I don't want to use basic authentication so I created a login
form
> > > > > and I am using FORMS authentication to force the user to login.
> > > > > The problem is that was unable to force the asp application to
> > > > > impersonate to the user who logged in to the application.
> > > > > Any help on this would be appreciated.
> > > > > Thanks,
> > > > > Erez.

Paul Glavich