Velocity Reviews - Computer Hardware Reviews


Impersonation of an existing user in AD when logged in as admin:Possible?

 
 
MarkusJ_NZ
 
      06-17-2009
Hi, I was wondering if the following was possible.

A user logs in using Forms Authentication which is authenticated
against AD and is set a FormsAuthentication cookie.

If the user is an admin user I would like to be able to impersonate
another user simply by passing through the username. I was hoping that
because the current user is an admin user they could easily
impersonate another user without having to supply the other user's
password.

The sceptic in me knows that this should probably not work, as a user
should have to supply the existing username / password of a user if
they want to impersonate another user, but I thought that I would just
ask.

Thanks for any response / help
Markus
 
 
 
 
 
Joe Kaplan
 
      06-17-2009
You can use protocol transition logon to get a WindowsIdentity for an
arbitrary user if you know their UPN. This token can be impersonated and
used to access local resources if the process that executes the
WindowsIdentity constructor has TCB privilege aka "act as part of the
operating system" (which usually you would not in a web app).

To use this constructor for WindowsIdentity, you must have a 2003+ server
and must have a 2003+ native forest mode AD.

If you can't use protocol transition, you'll need credentials for the user.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"MarkusJ_NZ" <> wrote in message
news:24cdbd35-4d60-4872-93a9-...
> Hi, I was wondering if the following was possible.
>
> A user logs in using Forms Authentication which is authenticated
> against AD and is set a FormsAuthentication cookie.
>
> If the user is an admin user I would like to be able to impersonate
> another user simply by passing through the username. I was hoping that
> because the current user is an admin user they could easily
> impersonate another user without having to supply the other user's
> password.
>
> The sceptic in me knows that this should probably not work, as a user
> should have to supply the existing username / password of a user if
> they want to impersonate another user, but I thought that I would just
> ask.
>
> Thanks for any response / help
> Markus
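An added C# example (not code from the thread or from Joe's book) illustrating the protocol transition logon described in the reply above, together with the check a practitioner wants before relying on it: inspecting the token's `ImpersonationLevel`. Without "act as part of the operating system" (SeTcbPrivilege) in the calling process, the `WindowsIdentity(string)` constructor still succeeds but returns an Identification-level token, which can be used for group lookups and access checks but not to act as the user. The UPN and file path are placeholders; the environment assumptions are the ones the reply states (Windows Server 2003 or later, 2003 forest functional level).

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not from the original thread. Demonstrates S4U ("protocol
// transition") logon via WindowsIdentity(upn) and shows how to tell whether
// the resulting token is actually usable for impersonation.
static class ProtocolTransitionCheck
{
    // Logs the user on by UPN (no password involved) and reports the token
    // level. Identification => process lacks TCB; Impersonation => usable.
    public static TokenImpersonationLevel LogonByUpn(string upn)
    {
        WindowsIdentity identity = new WindowsIdentity(upn); // S4U2Self logon
        Console.WriteLine("Name:               {0}", identity.Name);
        Console.WriteLine("AuthenticationType: {0}", identity.AuthenticationType);
        Console.WriteLine("ImpersonationLevel: {0}", identity.ImpersonationLevel);
        return identity.ImpersonationLevel;
    }

    // Tries to read a file while impersonating the user. With an
    // Identification-level token the open fails (bad impersonation level)
    // even when the user's ACL rights would allow it; with an
    // Impersonation-level token the user's own rights apply.
    public static bool CanReadAs(string upn, string path)
    {
        WindowsIdentity identity = new WindowsIdentity(upn);
        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            using (FileStream fs = File.OpenRead(path))
            {
                Console.WriteLine("Opened {0} as {1}", path,
                                  WindowsIdentity.GetCurrent().Name);
                return true;
            }
        }
        catch (Exception ex) // UnauthorizedAccessException or IOException
        {
            Console.WriteLine("Could not open {0} as {1}: {2}", path, upn, ex.Message);
            return false;
        }
        finally
        {
            ctx.Undo(); // always revert to the process identity
        }
    }

    static void Main()
    {
        const string upn = "someone@example.local";     // placeholder UPN
        const string path = @"C:\Temp\placeholder.txt";  // placeholder path

        TokenImpersonationLevel level = LogonByUpn(upn);
        if (level != TokenImpersonationLevel.Impersonation)
        {
            Console.WriteLine("Token level is {0}: the process has no TCB privilege, " +
                              "so this token cannot be used to act as the user.", level);
            return;
        }
        CanReadAs(upn, path);
    }
}
```

The `ImpersonationLevel` check is the practical test for the situation in the question: an ASP.NET worker process normally runs without TCB, so the constructor hands back an Identification token and the admin cannot act as the other user without that user's credentials, which is the point of the reply.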


 
 
 
 
 
MarkusJ_NZ
 
      06-17-2009
On Jun 18, 3:09 am, "Joe Kaplan"
<joseph.e.kap...@removethis.accenture.com> wrote:
> You can use protocol transition logon to get a WindowsIdentity for an
> arbitrary user if you know their UPN. This token can be impersonated and
> used to access local resources if the process that executes the
> WindowsIdentity constructor has TCB privilege aka "act as part of the
> operating system" (which usually you would not in a web app).
>
> To use this constructor for WindowsIdentity, you must have a 2003+ server
> and must have a 2003+ native forest mode AD.
>
> If you can't use protocol transition, you'll need credentials for the user.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> "MarkusJ_NZ" <markus...@gmail.com> wrote in message
> news:24cdbd35-4d60-4872-93a9-...
> > Hi, I was wondering if the following was possible.
> >
> > A user logs in using Forms Authentication which is authenticated
> > against AD and is set a FormsAuthentication cookie.
> >
> > If the user is an admin user I would like to be able to impersonate
> > another user simply by passing through the username. I was hoping that
> > because the current user is an admin user they could easily
> > impersonate another user without having to supply the other user's
> > password.
> >
> > The sceptic in me knows that this should probably not work, as a user
> > should have to supply the existing username / password of a user if
> > they want to impersonate another user, but I thought that I would just
> > ask.
> >
> > Thanks for any response / help
> > Markus


Thanks for the response, Joe.

best wishes
Markus
 
 
 
 