Re: Impersonation of forms-authenticated Active Directory user

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 04/28/04

  • Next message: avnrao: "Re: Impersonation of forms-authenticated Active Directory user"
    Date: Wed, 28 Apr 2004 09:45:15 -0500
    
    

    This isn't going to work. You can't cast a FormsPrincipal to a
    WindowsPrincipal.

    In order to get a WindowsPrincipal, you must either use Windows auth in
    ASP.NET/IIS or explicitly call the LogonUser API with the user's credentials
    in order to create a token that you can then use to create a WindowsIdentity
    that you can impersonate. For the latter, the canonical example is here,
    but it can't be used easily on Win2K due to security restrictions:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true

    If you use Windows auth in ASP.NET, you will also need to be careful about
    impersonation and double hop issues.

    HTH,

    Joe K.

    "Mike Swift" <mikeswift@mailinator.com> wrote in message
    news:88fce4c8.0404280552.20fee3f6@posting.google.com...
    > Hello all
    >
    > I wonder if the great and the good of this esteemed forum might shed
    > some light on a problem of mine...
    >
    > Three servers in a domain: one Active Directory server, one SQL Server
    > and one IIS. IIS hosts an ASP.NET Web Application which requires that
    > users log on through a web form, are authenticated against their
    > Active Directory account and then acquire the permissions on the SQL
    > Server objects that their Active Directory group membership bestows.
    >
    > In the following code authentication through LDAP works and authTicket
    > appears to be generated correctly. At this stage User.Identity is
    > empty, but by loading the page a second time User.Identity contains
    > the correct details. This is presumably as a result of reading the
    > cookie, but how can I get the correct User.Identity from the
    > authTicket without letting the cookie reader do it for me
    > automagically?
    >
    > Anyway, even on the refresh when we have...
    >
    > User.Identity.Name=myuser
    > User.Identity.IsAuthenticated=True
    > User.Identity.AuthenticationType=Forms
    >
    > ...the code still fails on
    > (System.Security.Principal.WindowsIdentity)User.Identity, producing
    > 'specified cast is invalid'. Is this because its authentication type
    > is Forms? If so, and given that form based login is a requirement, how
    > can I "Impersonate the Authenticating User in Code"?
    >
    >
    > string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com";
    > LdapAuthentication adAuth = new LdapAuthentication(adPath);
    > if(true == adAuth.IsAuthenticated(txtDomainName.Text,
    >     txtUserName.Text, txtPassword.Text))
    > {
    >     FormsAuthenticationTicket authTicket =
    >         new FormsAuthenticationTicket(1,
    >             txtUserName.Text,
    >             DateTime.Now,
    >             DateTime.Now.AddMinutes(60),
    >             false, "");
    >     string encryptedTicket =
    >         FormsAuthentication.Encrypt(authTicket);
    >     HttpCookie authCookie =
    >         new HttpCookie(FormsAuthentication.FormsCookieName,
    >             encryptedTicket);
    >     Response.Cookies.Add(authCookie);
    >     System.Security.Principal.WindowsImpersonationContext
    >         impersonationContext;
    >     impersonationContext =
    >         ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
    > }
    >
    > As you may recognise, this code has been cribbed from
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158 and it
    > may help diagnosis to know that the code from the "Impersonate a
    > Specific User in Code" section is working fine, but presumably this
    > approach would require me to carry the username and password around,
    > in the session say, and re-authenticate on every page_load.
    >
    > Once the user has logged in I want every page to be executed in the
    > context of their AD account, so perhaps there's some altogether
    > better way of achieving this that I'm missing.
    >
    > Cheers,
    > Mike.
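
The LogonUser route Joe describes, written out as an added example (this is not code from the thread, the KB article or Microsoft's documentation). It is C#, like the posted snippet, and assumes the domain, user name and password come from the login form; the `RunAs` helper and its parameters are invented for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread: create a Windows token from the
// credentials a forms login page collected, then impersonate it around a unit
// of work. The RunAs helper and its parameters are assumptions for illustration.
public static class FormsToWindowsImpersonation
{
    // Logon type / provider values from the Win32 SDK (winbase.h).
    // INTERACTIVE matches the KB 306158 sample and yields a token whose
    // credentials can be used to reach a SQL Server on another machine;
    // a NETWORK logon token does not carry credentials for that second hop.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs 'work' while the current thread carries the identity that 'user'
    // and 'password' prove. Throws Win32Exception if the logon is refused;
    // the impersonation is always undone and the token handle always closed.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Typical causes: wrong password, locked or disabled account, or
            // (on Windows 2000) the worker process lacking the "Act as part of
            // the operating system" privilege that LogonUser required there.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try
            {
                work();   // e.g. open a SqlConnection using Integrated Security=SSPI
            }
            finally
            {
                ctx.Undo();   // restore the worker process identity
            }
        }
        finally
        {
            CloseHandle(token);   // WindowsIdentity duplicated the handle, so ours can go
        }
    }
}
```

Because the token only exists while the request that created it is running, every page that needs the AD identity has to call something like `RunAs` again with the same credentials; that is the "carry the username and password around" approach the original post was hoping to avoid. With Windows auth in IIS the `WindowsIdentity` arrives with the request instead, but then the impersonation and double-hop issues Joe mentions decide whether the SQL Server on the third machine ever sees that identity.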

