| Groups | Blog | Home |
asp.net security : How can I impersonate a user in code?
Hi all,
I'm trying to save an uploaded file to a share on another computer in the domain. If I use the <identity impersonate ..... /> tag in the web.config and enter the credentials of a domain user which has sufficient rights on that share it works fine. However I don't need (and want) to run the complete site under this user, I only need to impersonate the moment I'm trying to save the file. I've tried to achieve this is code by creating a WindowsIdentity object and impersonating it but that isn't working (NotSupported Exception). The code works fine in a sample winapp but apparantly a webapp doesn't like it. Does anyone have an idea on how I can achieve the impersonation in code? TIA, Friso Wiskerke
You might use a location tag to specify that only the page you post to
impersonates. <location path="upload.aspx"> <system.web> <identity impersonate="true" userName="UID" password="PWD"></identity> </system.web> </location>
You can also use the LogonUser API to do this. That's the typical way.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true Note that if you were trying to use the WindowsIdentity constructor that takes a UPN, there are bunch of restrictions on how it can be used. That is the "protocol transition" constructor. PT only works if your AD forest is 2003 native mode and the client OS is 2003 or higher. Also, you can only use the returned WindowsIdentity for impersonation to access local resources if the calling account has "act as part of the operating system" privilege. Only SYSTEM has this by default. HTH, Joe K. [quoted text, click to view] "MikeS" <michael.spencer@gmail.com> wrote in message news:1140009603.544490.327090@g44g2000cwa.googlegroups.com... > You might use a location tag to specify that only the page you post to > impersonates. > > <location path="upload.aspx"> > <system.web> > <identity impersonate="true" userName="UID" > password="PWD"></identity> > </system.web> > </location> >
Joe,
this is the example I tried to use in the web application but failed with a NotSupported exception when calling the newId.Impersonate method. There's no problem executing the code in a windows application though. I think the best way for me at the moment is to use the web.config and specifically specify the page(s) that the impersonation applies to as stated in MikeS reply. Thanx non the less... Cheers, Friso Wiskerke [quoted text, click to view] "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:ukylI8kMGHA.2604@TK2MSFTNGP09.phx.gbl... > You can also use the LogonUser API to do this. That's the typical way. > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true > > Note that if you were trying to use the WindowsIdentity constructor that > takes a UPN, there are bunch of restrictions on how it can be used. That > is the "protocol transition" constructor. PT only works if your AD forest > is 2003 native mode and the client OS is 2003 or higher. Also, you can > only use the returned WindowsIdentity for impersonation to access local > resources if the calling account has "act as part of the operating system" > privilege. Only SYSTEM has this by default. > > HTH, > > Joe K. > > "MikeS" <michael.spencer@gmail.com> wrote in message > news:1140009603.544490.327090@g44g2000cwa.googlegroups.com... >> You might use a location tag to specify that only the page you post to >> impersonates. >> >> <location path="upload.aspx"> >> <system.web> >> <identity impersonate="true" userName="UID" >> password="PWD"></identity> >> </system.web> >> </location> >> > >
That NotSupportedException is pretty weird. I'm not sure what might cause
that. Can you show the full stack trace for the exception? I'd like to know where it is coming from. Joe K. [quoted text, click to view] "Friso Wiskerke" <friso@pestaartje.nl> wrote in message news:%23BrDhDuMGHA.3272@tk2msftngp13.phx.gbl... > Joe, > > this is the example I tried to use in the web application but failed with > a NotSupported exception when calling the newId.Impersonate method. > There's no problem executing the code in a windows application though. > > I think the best way for me at the moment is to use the web.config and > specifically specify the page(s) that the impersonation applies to as > stated in MikeS reply. > > Thanx non the less... > > Cheers, > Friso Wiskerke > > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote > in message news:ukylI8kMGHA.2604@TK2MSFTNGP09.phx.gbl... >> You can also use the LogonUser API to do this. That's the typical way. >> >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true >> >> Note that if you were trying to use the WindowsIdentity constructor that >> takes a UPN, there are bunch of restrictions on how it can be used. That >> is the "protocol transition" constructor. PT only works if your AD >> forest is 2003 native mode and the client OS is 2003 or higher. Also, >> you can only use the returned WindowsIdentity for impersonation to access >> local resources if the calling account has "act as part of the operating >> system" privilege. Only SYSTEM has this by default. >> >> HTH, >> >> Joe K. >> >> "MikeS" <michael.spencer@gmail.com> wrote in message >> news:1140009603.544490.327090@g44g2000cwa.googlegroups.com... >>> You might use a location tag to specify that only the page you post to >>> impersonates. >>> >>> <location path="upload.aspx"> >>> <system.web> >>> <identity impersonate="true" userName="UID" >>> password="PWD"></identity> >>> </system.web> >>> </location> >>> >> >> > >
I took a minute and created a class wrapper for a version of the code
in the article too so I can use it like below. Seems to work fine. Can I secure the credentials in appSettings like I can using aspnet_setreg and the location tag? Try With New UserProxy(uid, pwd, domain) .Impersonate() Try ' do privileged operation... Catch ex As Exception Throw New Exception(ex.Message) Finally .Undo() End Try End With Catch ex As Exception ' Handle proxy creation, impersonate or operation error End Try
Joe,
I've cracked it ! In the call to the LogonUser API function I used values which are stored in the web.config as follows: bRetval = LogonUser(ConfigurationSettings.AppSettings("impersonate_username"), ConfigurationSettings.AppSettings("impersonate_domain"), ConfigurationSettings.AppSettings("impersonate_password"), 2, 0, token) When I change the retrieval from the web.config to: ConfigurationSettings.AppSettings("impersonate_username").ToString the call does work. Apparantly the API tries to do something with ths string variables and that failes. I'd placed this code in a separate function also called ImpersonateUser, that's why I thought that the WindowsIdentity.ImpersonateUser() call generated the error. Cheers, Friso [quoted text, click to view] "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%23Wx6X3wMGHA.3460@TK2MSFTNGP15.phx.gbl... > That NotSupportedException is pretty weird. I'm not sure what might cause > that. Can you show the full stack trace for the exception? I'd like to > know where it is coming from. > > Joe K. > > "Friso Wiskerke" <friso@pestaartje.nl> wrote in message > news:%23BrDhDuMGHA.3272@tk2msftngp13.phx.gbl... >> Joe, >> >> this is the example I tried to use in the web application but failed with >> a NotSupported exception when calling the newId.Impersonate method. >> There's no problem executing the code in a windows application though. >> >> I think the best way for me at the moment is to use the web.config and >> specifically specify the page(s) that the impersonation applies to as >> stated in MikeS reply. >> >> Thanx non the less... >> >> Cheers, >> Friso Wiskerke >> >> >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> >> wrote in message news:ukylI8kMGHA.2604@TK2MSFTNGP09.phx.gbl... >>> You can also use the LogonUser API to do this. That's the typical way. >>> >>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true >>> >>> Note that if you were trying to use the WindowsIdentity constructor that >>> takes a UPN, there are bunch of restrictions on how it can be used. >>> That is the "protocol transition" constructor. PT only works if your AD >>> forest is 2003 native mode and the client OS is 2003 or higher. Also, >>> you can only use the returned WindowsIdentity for impersonation to >>> access local resources if the calling account has "act as part of the >>> operating system" privilege. Only SYSTEM has this by default. >>> >>> HTH, >>> >>> Joe K. >>> >>> "MikeS" <michael.spencer@gmail.com> wrote in message >>> news:1140009603.544490.327090@g44g2000cwa.googlegroups.com... >>>> You might use a location tag to specify that only the page you post to >>>> impersonates. >>>> >>>> <location path="upload.aspx"> >>>> <system.web> >>>> <identity impersonate="true" userName="UID" >>>> password="PWD"></identity> >>>> </system.web> >>>> </location> >>>> >>> >>> >> >> > >
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |