Re: Impersonate() & ASPNET worker threads. Bug or undocumented feature?

From: Jonathan Folland (jfolland.nospam_at_earthlink.net)
Date: 06/06/03


Date: Fri, 6 Jun 2003 14:29:38 -0500


I am guessing on this one, so if anyone else has the answer please chime in:

I think the current principal needs to be replaced. See below:

public GenericPrincipal ReplaceCurrentPrincipal()
  {
   //In production code, replace the following lines by either of the following options
   //[1] Store user roles in a database table, use ADO.NET to retrieve.
   //[2] Store user roles in Active Directory user property, use DirectoryServices (ADSI) to retrieve.
   //[3] Store user roles in XML file (web.config), use ConfigurationSettings.AppSettings to retrieve.
   string roleList = System.Configuration.ConfigurationSettings.AppSettings[HttpContext.Current.User.Identity.Name];
   //A user with no web.config entry gets an empty role set instead of a NullReferenceException
   string[] roles = (roleList == null) ? new string[0] : roleList.Split(new Char[] {','});

   //Create GenericPrincipal and set CurrentPrincipal
   GenericIdentity objGenericIdentity = new GenericIdentity(HttpContext.Current.User.Identity.Name + "_GenericIdentity");
   GenericPrincipal objGenericPrincipal = new GenericPrincipal(objGenericIdentity, roles); //roles is a string array of all of this user's roles
   System.Threading.Thread.CurrentPrincipal = objGenericPrincipal;
   return objGenericPrincipal;
  }
In the above example, we are getting the roles from web.config. We replace
the roles on each page load where we are interested in knowing the
security access. It is the first thing that we do. I think (but am not
certain) that this will resolve the issue if you were to use the
WindowsPrincipal instead of the generic principal we used above.
HTH, Jonathan

"G.V." <gv@mail.lt> wrote in message
news:ei#ic0$KDHA.2188@TK2MSFTNGP09.phx.gbl...
> Hello,
>
> I tried to write an ASP.NET application, which impersonates the user on the
> Application_AuthenticateRequest event:
>
> ((System.Security.Principal.WindowsIdentity)Context.User.Identity).Impersonate()
>
> However, I've noticed that
> System.Security.Principal.WindowsIdentity.GetCurrent()
>
> identity (which is used for COM access) returns pretty random results.
> FYI, I had disabled anonymous access to the application, but did not turn
> impersonation on in web.config.
>
> In my opinion the ASPNET worker process switches threads even within the
> scope of one request. The consequences: if I impersonate the user at the
> beginning of a request, for example in the Application_AuthenticateRequest
> event, it is not guaranteed that the subsequent Page_Load() event will be
> executed in the same impersonation context. Even worse, other requests might
> get this impersonation context, which was actually meant for another request.
>
> To demonstrate this, I've written a pretty simple demo. The demo consists of
> one page (Test.aspx) which displays the current user name, and after that
> impersonates the current user. Yes, this is an unrealistic scenario, but it
> demonstrates all the issues I've written about above.
> Another page is just an HTML page (default.htm), consisting of 3 IFrames
> which reference Test.aspx to simulate concurrent requests.
> Anonymous access for the application should be forbidden, impersonation
> turned off in web.config,
> and a line added to web.config:
> <authorization> <deny users="?" /> </authorization>
>
>
> The Results.
> If we look at the code of Test.aspx (included below), we will see that
> Impersonate() is called after the identity name is printed,
> so we would expect to see the ASPNET account user name.
> However, if we run the test 2-10 times by refreshing the browser window, we
> will see that
> System.Security.Principal.WindowsIdentity.GetCurrent()
> gets pretty random results. In most cases it would be the ASPNET user account,
> but sometimes it is the impersonated user account.
> Btw, only System.Security.Principal.WindowsIdentity.GetCurrent() is causing
> problems of this type.
> Context.User and System.Threading.Thread.CurrentPrincipal return values as
> expected. But
> System.Security.Principal.WindowsIdentity.GetCurrent() is used for COM
> access, so it is a problem.
>
> The conclusion is that the ASPNET worker might switch threads while executing
> one request.
> And the impersonation context might "disappear" or be randomly passed to
> another request, if it happens to execute on the same thread as the previous
> request. Something like that.
>
> This is pretty ugly behaviour, because it is undocumented and unexpected.
> Is this a bug or an undocumented feature?
>
> Thank you for your opinions,
>
> Gundas Vilkelis
> Ps. I'm using .NET Framework v1.0, all latest patches applied.
>
> Here are the demo pages, to reproduce the strange behaviour: Test.aspx and
> Default.htm.
> Anonymous access for the application should be forbidden, impersonation
> turned off in web.config,
> and a line added to web.config:
> <authorization> <deny users="?" /> </authorization>
>
> Test.aspx:
> <%@ Page language="c#" Codebehind="test.aspx.cs" AutoEventWireup="false"
> Inherits="Test.test" %>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
> <html>
> <head>
> <title>Test</title>
> <meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
> <meta name="CODE_LANGUAGE" Content="C#">
> <meta name="vs_defaultClientScript" content="JavaScript">
> <meta name="vs_targetSchema"
> content="http://schemas.microsoft.com/intellisense/ie5">
> </head>
> <body MS_POSITIONING="GridLayout">
> <form id="Test" method="post" runat="server">
> System.Security.Principal.WindowsIdentity:
> <%=System.Security.Principal.WindowsIdentity.GetCurrent().Name%><BR>
> </form>
> <%
>
> ((System.Security.Principal.WindowsIdentity)Context.User.Identity).Impersonate();
> %>
> </body>
> </html>
>
> Default.htm:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
> <HTML>
> <HEAD>
> <META NAME="GENERATOR" Content="Microsoft Visual Studio 7.0">
> <TITLE></TITLE>
> </HEAD>
> <BODY>
> <IFrame src="test.aspx"></IFrame>
> <IFrame src="test.aspx"></IFrame>
> <IFrame src="test.aspx"></IFrame>
>
> </BODY>
> </HTML>
>
>
>
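As an added example (my code, not from either post in this thread), here is the defensive pattern that avoids the problem G.V. describes: impersonate only around the call that needs the caller's Windows token, on the thread that makes that call, and always Undo() in a finally so the token cannot linger on a worker thread and be picked up by a later request. The names ScopedImpersonation, RunAs and CallCom are mine; the .NET 1.0 API calls (Impersonate, Undo, GetCurrent, Token) are real.

```csharp
using System;
using System.Security.Principal;
using System.Web;

public class ScopedImpersonation
{
    public delegate void WorkCallback();

    // Runs 'work' while impersonating 'caller' on the current thread and restores the
    // process identity (ASPNET) even if 'work' throws. Returns the name that
    // WindowsIdentity.GetCurrent() reported inside the scope, so the page can verify
    // that the token was actually in effect on the thread that did the work.
    public static string RunAs(WindowsIdentity caller, WorkCallback work)
    {
        // Without a real token (anonymous access still enabled) Impersonate() cannot work.
        if (caller == null || caller.Token == IntPtr.Zero)
            throw new ArgumentException("Caller has no Windows token; is anonymous access disabled?");

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            string effective = WindowsIdentity.GetCurrent().Name; // the thread token right now
            work();                                               // e.g. the COM call
            return effective;
        }
        finally
        {
            ctx.Undo(); // the token never outlives this block, whichever thread ran it
        }
    }
}

// Hypothetical code-behind for Test.aspx: everything happens inside one event handler,
// so there is no chance of a thread switch between Impersonate() and the work.
public class TestPage : System.Web.UI.Page
{
    private void CallCom()
    {
        // Placeholder for the COM access that depends on WindowsIdentity.GetCurrent().
    }

    private void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity id = Context.User.Identity as WindowsIdentity;
        string inside = ScopedImpersonation.RunAs(id, new ScopedImpersonation.WorkCallback(CallCom));
        string outside = WindowsIdentity.GetCurrent().Name;  // back to ASPNET here
        Response.Write("Inside scope: " + inside + "<br>Outside scope: " + outside);
    }
}
```

Running this under G.V.'s three-IFrame Default.htm should print the caller's name for "Inside scope" and the ASPNET account for "Outside scope" on every request; a mismatch on "Outside scope" would mean a token leaked past Undo(), which is the condition worth alerting on.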


