Velocity Reviews - Computer Hardware Reviews

How can I impersonate a user in code?

Friso Wiskerke
02-15-2006
Hi all,

I'm trying to save an uploaded file to a share on another computer in the
domain. If I use the <identity impersonate ..... /> tag in the web.config
and enter the credentials of a domain user which has sufficient rights on
that share it works fine.

However I don't need (or want) to run the complete site under this user, I
only need to impersonate the moment I'm trying to save the file. I've tried
to achieve this in code by creating a WindowsIdentity object and
impersonating it but that isn't working (NotSupported Exception). The code
works fine in a sample winapp but apparently a webapp doesn't like it.

Does anyone have an idea on how I can achieve the impersonation in code?

TIA,
Friso Wiskerke

MikeS
02-15-2006
You might use a location tag to specify that only the page you post to
impersonates.

<location path="upload.aspx">
<system.web>
<identity impersonate="true" userName="UID"
password="PWD"></identity>
</system.web>
</location>
Joe Kaplan (MVP - ADSI)
02-15-2006
You can also use the LogonUser API to do this. That's the typical way.

http://msdn.microsoft.com/library/de...asp?frame=true

Note that if you were trying to use the WindowsIdentity constructor that
takes a UPN, there are a bunch of restrictions on how it can be used. That is
the "protocol transition" constructor. PT only works if your AD forest is
2003 native mode and the client OS is 2003 or higher. Also, you can only
use the returned WindowsIdentity for impersonation to access local resources
if the calling account has "act as part of the operating system" privilege.
Only SYSTEM has this by default.

HTH,

Joe K.

"MikeS" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> You might use a location tag to specify that only the page you post to
> impersonates.
>
> <location path="upload.aspx">
> <system.web>
> <identity impersonate="true" userName="UID"
> password="PWD"></identity>
> </system.web>
> </location>
>
Friso Wiskerke
02-16-2006
Joe,

this is the example I tried to use in the web application but failed with a
NotSupported exception when calling the newId.Impersonate method. There's no
problem executing the code in a windows application though.

I think the best way for me at the moment is to use the web.config and
specifically specify the page(s) that the impersonation applies to as stated
in MikeS reply.

Thanx nonetheless...

Cheers,
Friso Wiskerke


"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
in message news:(E-Mail Removed)...
> You can also use the LogonUser API to do this. That's the typical way.
>
> http://msdn.microsoft.com/library/de...asp?frame=true
>
> Note that if you were trying to use the WindowsIdentity constructor that
> takes a UPN, there are a bunch of restrictions on how it can be used. That
> is the "protocol transition" constructor. PT only works if your AD forest
> is 2003 native mode and the client OS is 2003 or higher. Also, you can
> only use the returned WindowsIdentity for impersonation to access local
> resources if the calling account has "act as part of the operating system"
> privilege. Only SYSTEM has this by default.
>
> HTH,
>
> Joe K.
>
> "MikeS" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
>> You might use a location tag to specify that only the page you post to
>> impersonates.
>>
>> <location path="upload.aspx">
>> <system.web>
>> <identity impersonate="true" userName="UID"
>> password="PWD"></identity>
>> </system.web>
>> </location>
>>

Joe Kaplan (MVP - ADSI)
02-16-2006
That NotSupportedException is pretty weird. I'm not sure what might cause
that. Can you show the full stack trace for the exception? I'd like to
know where it is coming from.

Joe K.

"Friso Wiskerke" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Joe,
>
> this is the example I tried to use in the web application but failed with
> a NotSupported exception when calling the newId.Impersonate method.
> There's no problem executing the code in a windows application though.
>
> I think the best way for me at the moment is to use the web.config and
> specifically specify the page(s) that the impersonation applies to as
> stated in MikeS reply.
>
> Thanx nonetheless...
>
> Cheers,
> Friso Wiskerke
>
>
> "Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
> in message news:(E-Mail Removed)...
>> You can also use the LogonUser API to do this. That's the typical way.
>>
>> http://msdn.microsoft.com/library/de...asp?frame=true
>>
>> Note that if you were trying to use the WindowsIdentity constructor that
>> takes a UPN, there are a bunch of restrictions on how it can be used. That
>> is the "protocol transition" constructor. PT only works if your AD
>> forest is 2003 native mode and the client OS is 2003 or higher. Also,
>> you can only use the returned WindowsIdentity for impersonation to access
>> local resources if the calling account has "act as part of the operating
>> system" privilege. Only SYSTEM has this by default.
>>
>> HTH,
>>
>> Joe K.
>>
>> "MikeS" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) oups.com...
>>> You might use a location tag to specify that only the page you post to
>>> impersonates.
>>>
>>> <location path="upload.aspx">
>>> <system.web>
>>> <identity impersonate="true" userName="UID"
>>> password="PWD"></identity>
>>> </system.web>
>>> </location>
>>>

Friso Wiskerke
02-17-2006
Joe,

I've cracked it !

In the call to the LogonUser API function I used values which are stored in
the web.config as follows:

bRetval = LogonUser(ConfigurationSettings.AppSettings("impersonate_username"),
ConfigurationSettings.AppSettings("impersonate_domain"),
ConfigurationSettings.AppSettings("impersonate_password"), 2, 0, token)

When I change the retrieval from the web.config to:
ConfigurationSettings.AppSettings("impersonate_username").ToString the call
does work. Apparently the API tries to do something with the string
variables and that fails.

I'd placed this code in a separate function also called ImpersonateUser,
that's why I thought that the WindowsIdentity.ImpersonateUser() call
generated the error.

Cheers,
Friso


"Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)> wrote
in message news:%(E-Mail Removed)...
> That NotSupportedException is pretty weird. I'm not sure what might cause
> that. Can you show the full stack trace for the exception? I'd like to
> know where it is coming from.
>
> Joe K.
>
> "Friso Wiskerke" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Joe,
>>
>> this is the example I tried to use in the web application but failed with
>> a NotSupported exception when calling the newId.Impersonate method.
>> There's no problem executing the code in a windows application though.
>>
>> I think the best way for me at the moment is to use the web.config and
>> specifically specify the page(s) that the impersonation applies to as
>> stated in MikeS reply.
>>
>> Thanx nonetheless...
>>
>> Cheers,
>> Friso Wiskerke
>>
>>
>> "Joe Kaplan (MVP - ADSI)" <(E-Mail Removed)>
>> wrote in message news:(E-Mail Removed)...
>>> You can also use the LogonUser API to do this. That's the typical way.
>>>
>>> http://msdn.microsoft.com/library/de...asp?frame=true
>>>
>>> Note that if you were trying to use the WindowsIdentity constructor that
>>> takes a UPN, there are a bunch of restrictions on how it can be used.
>>> That is the "protocol transition" constructor. PT only works if your AD
>>> forest is 2003 native mode and the client OS is 2003 or higher. Also,
>>> you can only use the returned WindowsIdentity for impersonation to
>>> access local resources if the calling account has "act as part of the
>>> operating system" privilege. Only SYSTEM has this by default.
>>>
>>> HTH,
>>>
>>> Joe K.
>>>
>>> "MikeS" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed) oups.com...
>>>> You might use a location tag to specify that only the page you post to
>>>> impersonates.
>>>>
>>>> <location path="upload.aspx">
>>>> <system.web>
>>>> <identity impersonate="true" userName="UID"
>>>> password="PWD"></identity>
>>>> </system.web>
>>>> </location>
>>>>
>>>
>>>

MikeS
02-17-2006
I took a minute and created a class wrapper for a version of the code
in the article too so I can use it like below. Seems to work fine.
Can I secure the credentials in appSettings like I can using
aspnet_setreg and the location tag?

Try
    With New UserProxy(uid, pwd, domain)
        .Impersonate()
        Try
            ' do privileged operation...
        Catch ex As Exception
            Throw New Exception(ex.Message)
        Finally
            .Undo()
        End Try
    End With
Catch ex As Exception
    ' Handle proxy creation, impersonate or operation error
End Try
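The following is an added example, not code from the thread and not MikeS's UserProxy class or Joe Kaplan's linked article. It shows the LogonUser plus WindowsIdentity.Impersonate pattern the thread converges on, wrapped so that the impersonated identity is confined to a single Using block (the narrow scope Friso asked for) and the logon token is always closed. The class name ImpersonationScope, the networkOnly switch, the share path and the appSettings keys are assumptions; the keys mirror the ones Friso's post uses.

```vbnet
' Added example (not code from the thread, nor MikeS's UserProxy class): a
' disposable wrapper around the LogonUser + WindowsIdentity.Impersonate pattern.
' Class name, the networkOnly switch and the appSettings keys are assumptions.
Imports System
Imports System.ComponentModel
Imports System.Configuration
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

Public NotInheritable Class ImpersonationScope
    Implements IDisposable

    ' Logon type / provider constants from the LogonUser documentation.
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2      ' the "2, 0" the thread passes
    Private Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9  ' credentials used for network access only
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3       ' required with NEW_CREDENTIALS

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
                                      ByVal lpszDomain As String, _
                                      ByVal lpszPassword As String, _
                                      ByVal dwLogonType As Integer, _
                                      ByVal dwLogonProvider As Integer, _
                                      ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Private _token As IntPtr = IntPtr.Zero
    Private _context As WindowsImpersonationContext = Nothing

    ' networkOnly:=True keeps the worker process's own identity for local
    ' resources and presents the supplied credentials only on outbound
    ' connections (the file share), so the share account needs no local logon right.
    Public Sub New(ByVal userName As String, ByVal domain As String, _
                   ByVal password As String, ByVal networkOnly As Boolean)
        Dim logonType As Integer = LOGON32_LOGON_INTERACTIVE
        Dim provider As Integer = LOGON32_PROVIDER_DEFAULT
        If networkOnly Then
            logonType = LOGON32_LOGON_NEW_CREDENTIALS
            provider = LOGON32_PROVIDER_WINNT50
        End If

        If Not LogonUser(userName, domain, password, logonType, provider, _token) Then
            ' Surface the real Win32 error (bad password, missing logon right, ...)
            ' instead of a generic exception message.
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        ' WindowsIdentity duplicates the token; Impersonate switches the calling thread.
        _context = New WindowsIdentity(_token).Impersonate()
    End Sub

    ' Dispose reverts the thread first, then releases the logon token, so the
    ' impersonated identity never outlives the Using block that created it.
    Public Sub Dispose() Implements IDisposable.Dispose
        If _context IsNot Nothing Then
            _context.Undo()
            _context = Nothing
        End If
        If _token <> IntPtr.Zero Then
            CloseHandle(_token)
            _token = IntPtr.Zero
        End If
    End Sub
End Class

' Usage in the upload page: only the SaveAs call runs under the share account.
Public Module UploadHelper
    Public Sub SaveToShare(ByVal uploadedFile As HttpPostedFile)
        ' \\fileserver\uploads is a placeholder for the real share.
        ' Path.GetFileName discards any directory part the browser sent.
        Dim target As String = Path.Combine("\\fileserver\uploads", _
                                            Path.GetFileName(uploadedFile.FileName))
        Using scope As New ImpersonationScope( _
                ConfigurationSettings.AppSettings("impersonate_username"), _
                ConfigurationSettings.AppSettings("impersonate_domain"), _
                ConfigurationSettings.AppSettings("impersonate_password"), _
                networkOnly:=True)
            uploadedFile.SaveAs(target)
        End Using
    End Sub
End Module
```

Two caveats on the design. With LOGON32_LOGON_NEW_CREDENTIALS the call succeeds even when the password is wrong; the failure only shows up when the share is accessed, so a failing SaveAs rather than a failing LogonUser points at the credentials. With the interactive logon type the thread uses (2, 0), the password is validated at logon time but the account needs the "log on locally" right on the web server, and on Windows 2000 the calling process additionally needed the SE_TCB_NAME privilege Joe mentions. On the storage question MikeS raises: the appSettings values above should not sit in web.config in clear text; on .NET 2.0 the section can be encrypted with protected configuration (aspnet_regiis -pe), the successor to the aspnet_setreg approach he refers to.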
