| Groups | Blog | Home |
asp.net security : Impersonation of forms-authenticated Active Directory user
Hello all
I wonder if the great and the good of this esteemed forum might shed some light on a problem of mine... Three servers in a domain: one Active Directory server, one SQL Server and one IIS. IIS hosts an ASP.NET Web Application which requires that users log on through a web form, are authenticated against their Active Directory account and then acquire the permissions on the SQL Server objects that their Active Directory group membership bestows. In the following code authentication through LDAP works and authTicket appears to be generated correctly. At this stage User.Identity is empty, but by loading the page a second time User.Identity contains the correct details. This is presumably as a result of reading the cookie, but how can I get the correct User.Identity from the authTicket without letting the cookie reader do it for me automagically? Anyway, even on the refresh when we have... User.Identity.Name=myuser User.Identity.IsAuthenticated=True User.Identity.AuthenticationType=Forms ....the code still fails on (System.Security.Principal.WindowsIdentity)User.Identity, producing 'specified cast is invalid'. Is this because its authentication type is Forms? If so, and given that form based login is a requirement, how can I "Impersonate the Authenticating User in Code". string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com"; LdapAuthentication adAuth = new LdapAuthentication(adPath); if(true == adAuth.IsAuthenticated(txtDomainName.Text, txtUserName.Text, txtPassword.Text)) { FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, txtUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(60), false, ""); string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); Response.Cookies.Add(authCookie); System.Security.Principal.WindowsImpersonationContext impersonationContext; impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate(); } As you may recognise, this code has been cribbed from http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it may help diagnosis to know that the code from the "Impersonate a Specific User in Code" section is working fine, but presumably this approach would require me to carry the username and password around, in the session say, and re-authenticate on every page_load. Once the user has logged I want every page to be executed in the context of their AD account, so should perhaps there's some altogether better way of achieving this that I'm missing. Cheers,
This isn't going to work. You can't cast a FormsPrincipal to a
WindowsPrincipal. In order to get a WindowsPrincipal, you must either use Windows auth in ASP.NET/IIS or explicitly call the LogonUser API with the user's credentials in order to create a token that you can then use to create a WindowsIdentity that you can impersonate. For the latter, the canonical example is here, but it can't be used easily on Win2K due to security restrictions: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true If you use Windows auth in ASP.NET, you will also need to be careful about impersonation and double hop issues. HTH, Joe K. [quoted text, click to view] "Mike Swift" <mikeswift@mailinator.com> wrote in message news:88fce4c8.0404280552.20fee3f6@posting.google.com... > Hello all > > I wonder if the great and the good of this esteemed forum might shed > some light on a problem of mine... > > Three servers in a domain: one Active Directory server, one SQL Server > and one IIS. IIS hosts an ASP.NET Web Application which requires that > users log on through a web form, are authenticated against their > Active Directory account and then acquire the permissions on the SQL > Server objects that their Active Directory group membership bestows. > > In the following code authentication through LDAP works and authTicket > appears to be generated correctly. At this stage User.Identity is > empty, but by loading the page a second time User.Identity contains > the correct details. This is presumably as a result of reading the > cookie, but how can I get the correct User.Identity from the > authTicket without letting the cookie reader do it for me > automagically? > > Anyway, even on the refresh when we have... > > User.Identity.Name=myuser > User.Identity.IsAuthenticated=True > User.Identity.AuthenticationType=Forms > > ...the code still fails on > (System.Security.Principal.WindowsIdentity)User.Identity, producing > 'specified cast is invalid'. Is this because its authentication type > is Forms? If so, and given that form based login is a requirement, how > can I "Impersonate the Authenticating User in Code". > > > string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com"; > LdapAuthentication adAuth = new LdapAuthentication(adPath); > if(true == adAuth.IsAuthenticated(txtDomainName.Text, > txtUserName.Text, txtPassword.Text)) > { > FormsAuthenticationTicket authTicket = > new FormsAuthenticationTicket(1, > txtUserName.Text, > DateTime.Now, > DateTime.Now.AddMinutes(60), > false, ""); > string encryptedTicket = > FormsAuthentication.Encrypt(authTicket); > HttpCookie authCookie = > new HttpCookie(FormsAuthentication.FormsCookieName, > encryptedTicket); > Response.Cookies.Add(authCookie); > System.Security.Principal.WindowsImpersonationContext > impersonationContext; > impersonationContext = > ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate(); > } > > As you may recognise, this code has been cribbed from > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it > may help diagnosis to know that the code from the "Impersonate a > Specific User in Code" section is working fine, but presumably this > approach would require me to carry the username and password around, > in the session say, and re-authenticate on every page_load. > > Once the user has logged I want every page to be executed in the > context of their AD account, so should perhaps there's some altogether > better way of achieving this that I'm missing. > > Cheers, > Mike.
just wanted to find out why User.Identity is empty for the first time..
r u populating User.Identity with GenericPrinciple object for the first time just after validating from your login page? Av. [quoted text, click to view] "Mike Swift" <mikeswift@mailinator.com> wrote in message news:88fce4c8.0404280552.20fee3f6@posting.google.com... > Hello all > > I wonder if the great and the good of this esteemed forum might shed > some light on a problem of mine... > > Three servers in a domain: one Active Directory server, one SQL Server > and one IIS. IIS hosts an ASP.NET Web Application which requires that > users log on through a web form, are authenticated against their > Active Directory account and then acquire the permissions on the SQL > Server objects that their Active Directory group membership bestows. > > In the following code authentication through LDAP works and authTicket > appears to be generated correctly. At this stage User.Identity is > empty, but by loading the page a second time User.Identity contains > the correct details. This is presumably as a result of reading the > cookie, but how can I get the correct User.Identity from the > authTicket without letting the cookie reader do it for me > automagically? > > Anyway, even on the refresh when we have... > > User.Identity.Name=myuser > User.Identity.IsAuthenticated=True > User.Identity.AuthenticationType=Forms > > ...the code still fails on > (System.Security.Principal.WindowsIdentity)User.Identity, producing > 'specified cast is invalid'. Is this because its authentication type > is Forms? If so, and given that form based login is a requirement, how > can I "Impersonate the Authenticating User in Code". > > > string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com"; > LdapAuthentication adAuth = new LdapAuthentication(adPath); > if(true == adAuth.IsAuthenticated(txtDomainName.Text, > txtUserName.Text, txtPassword.Text)) > { > FormsAuthenticationTicket authTicket = > new FormsAuthenticationTicket(1, > txtUserName.Text, > DateTime.Now, > DateTime.Now.AddMinutes(60), > false, ""); > string encryptedTicket = > FormsAuthentication.Encrypt(authTicket); > HttpCookie authCookie = > new HttpCookie(FormsAuthentication.FormsCookieName, > encryptedTicket); > Response.Cookies.Add(authCookie); > System.Security.Principal.WindowsImpersonationContext > impersonationContext; > impersonationContext = > > ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate(); > } > > As you may recognise, this code has been cribbed from > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it > may help diagnosis to know that the code from the "Impersonate a > Specific User in Code" section is working fine, but presumably this > approach would require me to carry the username and password around, > in the session say, and re-authenticate on every page_load. > > Once the user has logged I want every page to be executed in the > context of their AD account, so should perhaps there's some altogether > better way of achieving this that I'm missing. > > Cheers, > Mike.
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |