Security Challenge: Runtime impersonation without calling LogonUse

 
 
Web Developer
Guest
Posts: n/a
 
      06-24-2005
I have an ASP.Net web application that uses Integrated Authentication. I'd
like to impersonate the person making the request at RUNTIME instead of
specifying impersonate="true" in the web.config.

Does anyone know how I can get the requesting user's userToken to pass to
the Impersonate method of the
System.Threading.Thread.CurrentPrincipal.Identity?

i.e.
'Retrieve the requesting user's security token
Dim userToken As IntPtr = /Some call here/

Dim MyImpersonationContext As System.Security.Principal.WindowsImpersonationContext

'Temporarily impersonate the requesting user
MyImpersonationContext = _
    CType(System.Threading.Thread.CurrentPrincipal.Identity(), _
    System.Security.Principal.WindowsIdentity).Impersonate(userToken)

'Call a web service using the logged-on user's credentials

'Revert the impersonation
MyImpersonationContext.Undo()

Thanks for your help!
 
 
 
 
 
Joseph Bittman MCAD
Guest
Posts: n/a
 
      06-24-2005
June 24, 2005

From what I understand, you are looking to create an impersonation
context from the web application's USER and Not the local web application's
service account. In this case, the easiest way would be to disable anonymous
auth in IIS & enable Windows Int. Auth and to disable anonymous auth in the
web.config. You do Not need to put the impersonation=true element in though.
Then use the code:

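'Requires: Imports System.Security.Principal
'User.Identity is typed as IIdentity, so cast it to WindowsIdentity first
Dim context As WindowsImpersonationContext = CType(User.Identity, WindowsIdentity).Impersonate()
Try
    'do something
Finally
    context.Undo()
End Try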

User is a WindowsPrincipal object which contains the web application's user
identity and Not the service account of the application. You can use the
Identity.impersonate from it. I'm not quite sure what the usertoken you are
wanting is needed for, but I do believe that somewhere under User.Identity.
there is a usertoken property. This should work, and I hope this helps!
Let me know how it turns out!


--
Joseph Bittman
Microsoft Certified Application Developer



"Web Developer" <> wrote in message
news:9989FB8F-D192-40C8-ADA7-...
>I have an ASP.Net web application that uses Integrated Authentication. I'd
> like to impersonate the person making the request at RUNTIME instead of
> specifying impersonate="true" in the web.config.
>
> Does anyone know how I can get the requesting user's userToken to pass to
> the Impersonate method of the
> System.Threading.Thread.CurrentPrincipal.Identity?
>
> i.e.
> 'Retrieve the requesting user's security token
> Dim userToken as IntPtr = /Some call here/
>
> Dim MyImpersonationContext As
> System.security.Principal.WindowsImpersonationContext
>
> 'Temporarily impersonate the requesting user
> MyImpersonationContext =
> CType(System.Threading.Thread.CurrentPrincipal.Identity(),
> System.Security.Principal.WindowsIdentity).Impersonate(userToken)
>
> 'Call a web service with using the logged-on user's credentials
>
> 'Revert the impersonation
> MyImpersonationContext.Undo()
>
> Thanks for your help!



 
 
 
 
 
Web Developer
Guest
Posts: n/a
 
      06-24-2005
Thanks for your reply Joseph.

What I'm trying to do is make a web service call from my web application
using the credentials of the authenticated user. After I call "context =
USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials =
System.Net.CredentialCache.DefaultCredentials" to add the authenticated
user's credentials to the web service proxy. However, the DefaultCredentials
are null.

Do you know how I can pass the credentials of the authenticated user to the
web service proxy?

Thank you again.
 
 
Joe Kaplan (MVP - ADSI)
Guest
Posts: n/a
 
      06-24-2005
If you are using IWA in IIS, you will need Kerberos delegation to get this
scenario to work since it is a double hop. The code you are using is
actually correct. It is actually easier to just use impersonate="true", but
there may be some reason why you don't want impersonation on for the whole
request.

I'd suggest reading some of the documentation on Kerberos delegation to
figure out what it is that you need to do and how to troubleshoot it.
http://msdn.microsoft.com/vstudio/us...lementKerberos
http://www.microsoft.com/technet/pro.../tkerberr.mspx

Joe K.

"Web Developer" <> wrote in message
news:58F38410-21E9-428C-B191-...
> Thanks for your reply Joseph.
>
> What I'm trying to do is make a web service call from my web application
> using the credentials of the authenticated user. After I call "context =
> USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials
> =
> System.Net.CredentialCache.DefaultCredentials" to add the authenticated
> user's credentials to the web service proxy. However, the
> DefaultCredentials
> are null.
>
> Do you know how I can pass the credentials of the authenticated user to
> the
> web service proxy?
>
> Thank you again.



 
 
Joseph Bittman MCAD
Guest
Posts: n/a
 
      06-24-2005
June 24, 2005

It is perfectly understandable that he doesn't want to use
impersonate=true. If the user is an Administrator, it would not be as secure
by having the entire request be under that account. Instead as an
application security best practice, you should impersonate right before and
ONLY during the sensitive task time period......

--
Joseph Bittman
Microsoft Certified Application Developer



"Joe Kaplan (MVP - ADSI)" <> wrote
in message news:...
> If you are using IWA in IIS, you will need Kerberos delegation to get this
> scenario to work since it is a double hop. The code you are using is
> actually correct. It is actually easier to just use impersonate="true",
> but there may be some reason why you don't want impersonation on for the
> whole request.
>
> I'd suggest reading some of the documentation on Kerberos delegation to
> figure out what it is that you need to do and how to troubleshoot it.
> http://msdn.microsoft.com/vstudio/us...lementKerberos
> http://www.microsoft.com/technet/pro.../tkerberr.mspx
>
> Joe K.
>
> "Web Developer" <> wrote in message
> news:58F38410-21E9-428C-B191-...
>> Thanks for your reply Joseph.
>>
>> What I'm trying to do is make a web service call from my web application
>> using the credentials of the authenticated user. After I call "context =
>> USER.identity.impersonate", I call "MyWebServiceProxyInstance.Credentials
>> =
>> System.Net.CredentialCache.DefaultCredentials" to add the authenticated
>> user's credentials to the web service proxy. However, the
>> DefaultCredentials
>> are null.
>>
>> Do you know how I can pass the credentials of the authenticated user to
>> the
>> web service proxy?
>>
>> Thank you again.

>
>
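Added example, not part of any post in this thread: a helper that impersonates the authenticated caller only for the duration of one downstream call, always reverts, and fails early when the caller's token cannot make the second hop that the thread describes. The names ScopedImpersonation, CallerWork and RunAsCaller are hypothetical, and the sketch assumes .NET Framework 2.0 or later (for WindowsIdentity.ImpersonationLevel) and a web service hosted on a different machine from the web application.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web

' Hypothetical helper; place it in App_Code or a referenced assembly.
Public Module ScopedImpersonation

    ' The work to run under the caller's identity, e.g. the web service call.
    Public Delegate Sub CallerWork()

    ' Runs work() as the Windows-authenticated caller of the current request
    ' and reverts to the process identity afterwards, even if work() throws.
    Public Sub RunAsCaller(ByVal context As HttpContext, ByVal work As CallerWork)
        Dim caller As WindowsIdentity = TryCast(context.User.Identity, WindowsIdentity)
        If caller Is Nothing OrElse Not caller.IsAuthenticated Then
            Throw New InvalidOperationException( _
                "Request is not Windows-authenticated; disable anonymous access.")
        End If

        ' A token below Delegation level can be used on this server only.
        ' Presenting it to a second server (the double hop) fails, which is
        ' when DefaultCredentials carries nothing usable downstream.
        If caller.ImpersonationLevel <> TokenImpersonationLevel.Delegation Then
            Throw New InvalidOperationException( _
                "Token level is " & caller.ImpersonationLevel.ToString() & _
                " (authentication type " & caller.AuthenticationType & "); " & _
                "Kerberos delegation is not in effect for this request.")
        End If

        Dim impersonation As WindowsImpersonationContext = caller.Impersonate()
        Try
            work()
        Finally
            ' Keep the impersonation window as small as the sensitive call.
            impersonation.Undo()
        End Try
    End Sub

End Module

' Usage from a page (MyWebServiceProxyInstance is the proxy named in the thread):
'   RunAsCaller(HttpContext.Current, AddressOf CallService)
' where CallService sets
'   MyWebServiceProxyInstance.Credentials = System.Net.CredentialCache.DefaultCredentials
' and then invokes the web method.
```

Logging the exception message during setup shows whether a request arrived with an NTLM or a Kerberos token, which is the first thing to establish when troubleshooting delegation.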



 