Framework v1.1 & LogonUser workaround

From: Bill Belliveau (anonymous_at_discussions.microsoft.com)
Date: 01/27/04

Next message: William Newsom: "Impersonate doesnt pass to separate sql server"
Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Running an assembly in different User"
Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
Reply: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 26 Jan 2004 15:01:07 -0800

Greetings.
I am working on a project that can be configured to use Windows or Forms authentication. Occasionally the process may need to impersonate the calling user.

Using Windows Authentication was fairly easy:
-- ms code snippet --
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

----
To handle a forms logon:
-- code snippet --
IntPtr token = IntPtr.Zero;
if(LogonUser(txtUserName.Text, txtDomainName.Text, txtPassword.Text,
LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0) 
{
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = System.Security.Principal.WindowsIdentity.Impersonate(token);
}
Of course LogonUser requires that the process have “Act as part of the operating system” permissions, which by default the ASPNET process does not.  My confusion comes from reading Microsoft’s patterns and practices, “Building Secure Microsoft ASP.NET Application”.  LogonUser is mentioned many times and usually has a warning block stating the above issue and that the .NET Framework v1.1 will work around the issue by having the IIS process perform the logon instead.  That doesn’t appear to be the case however.  Can anyone confirm if a workaround was in fact implemented?
Thanks,
Bill

Next message: William Newsom: "Impersonate doesnt pass to separate sql server"
Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Running an assembly in different User"
Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
Reply: Joe Kaplan \(MVP - ADSI\): "Re: Framework v1.1 & LogonUser workaround"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: ASP.NET Process Identity???
... Under Windows 2000, a thread need to have the "Act As Part of the Operating ... > Private ImpersonationContext As WindowsImpersonationContext ... > ByRef phToken As IntPtr) As Integer ... > Public Function Personificar() As Boolean ...
(microsoft.public.dotnet.security)
Re: Windows Authentication for ASP.NET
... With Windows integrated authentication, you don't get the plain text ... This is very common with WIA. ...
(microsoft.public.dotnet.framework.aspnet.security)