Re: Impersonation using WindowsIdentity( upn ) ctor

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/22/05


Date: Tue, 22 Feb 2005 12:14:55 -0600

The problem is fairly subtle and is related to how Kerberos S4U, or
"protocol transition", works. That is the new Windows 2003 feature that you
are using under the hood when you use the WindowsIdentity "UPN" ctor.

With S4U, the token returned by the API will either be an Impersonation
level token or an Identity level token. The level depends on whether or not
the account creating the token has the "Act as part of the operating system"
privilege. Only accounts with that privilege can create an
Impersonation level token with S4U. By default, only the SYSTEM account has
this privilege. Everything else will create an Identity level token.

As you probably guessed, a token has to be Impersonation level in order to
impersonate it. An Identity level token can only be used to do things like
check group membership and such. This is the error that you are seeing.

This limitation is actually a security feature. When you think about it,
you wouldn't really want any old account having the ability to create a
token for a user at random with no credentials for that user and then start
executing code on their behalf!

If you have a situation where you absolutely need to do this, you need to
run the code with an account with the act as part of the operating system
privilege. If you do that, you probably want to think very very carefully
about how you are going to secure this as you are potentially opening a
massive security hole by doing this. Tread very lightly here.

Joe K.

"Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
> I'm trying to impersonate a user using the WindowsIdentity ctor. This is
> what I'm doing
>
> WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
> WindowsImpersonationContext wic = id.Impersonate();
> try
> {
>     DoSome();
> }
> finally
> {
>     wic.Undo();
> }
>
> I'm getting this exception
>
> Access is denied.
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.ApplicationException: Access is denied.
>
> [ApplicationException: Access is denied.
> ]
> System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
> userToken) +0
> System.Security.Principal.WindowsIdentity.get_Name() +70
> ImpersonationTest.WebForm1.DoSome() in
> c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
> ImpersonationTest.WebForm1.ImpersonateWinId() in
> c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
> ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
> c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
> System.Web.UI.Control.OnLoad(EventArgs e) +67
> System.Web.UI.Control.LoadRecursive() +35
> System.Web.UI.Page.ProcessRequestMain() +750
>
>
>
> The configuration is:
>
> * IIS: Anonymous checkbox ON and Integrated Security checkbox ON
>
> * Web.config: <identity impersonate="true"> and <authentication
> mode="Forms"> (Forms auth mode is a non-negotiable requirement for my app)
>
> * The app pool for the virtual dir is configured with Network Service
>
> Running on Win2K3 Domain Controller
>
> Any idea of what I should do to make the impersonation work?
>
> Thanks,
> Beto
>
>
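The check Joe describes can be made explicit before ever calling Impersonate(). The following is an added example, not code from either poster: it performs the S4U logon with the UPN constructor, reads the token's impersonation level (the WindowsIdentity.ImpersonationLevel property, available from .NET Framework 2.0, so it is an assumption relative to the 1.x code in the thread), uses the token for a group-membership check, which an Identity level token supports, and only attempts impersonation when the process holds "Act as part of the operating system" and therefore received an Impersonation level token. The UPN is the one from the question and is hypothetical.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the original thread). Shows what an S4U
// ("protocol transition") token lets you do depending on its level:
//   - Identification level: authorization checks only (group membership)
//   - Impersonation level:  may be impersonated; requires the calling
//     process to hold SeTcbPrivilege ("Act as part of the operating system")
// Requires .NET Framework 2.0+ on Windows Server 2003+ in a domain.
static class S4UTokenDemo
{
    // Hypothetical UPN, taken from the question; there is no such user here.
    const string Upn = "test@dev1.domain-dev.net";

    static void Main()
    {
        // S4U2Self logon: no password for the target user is supplied.
        WindowsIdentity id = new WindowsIdentity(Upn);
        Console.WriteLine("S4U token level for {0}: {1}", Upn, id.ImpersonationLevel);

        // An Identification level token is sufficient for authorization
        // decisions, so this works whatever the token level is.
        WindowsPrincipal principal = new WindowsPrincipal(id);
        Console.WriteLine("Member of BUILTIN\\Users: {0}",
            principal.IsInRole(WindowsBuiltInRole.User));

        // Only Impersonation (or Delegation) level tokens may be impersonated.
        // Without SeTcbPrivilege the process gets an Identification token and
        // impersonating it leads to the "Access is denied" failure from the thread.
        if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
        {
            Console.WriteLine("Token is not Impersonation level; the process account "
                + "lacks \"Act as part of the operating system\". Not impersonating.");
            return;
        }

        // Reached only when the process runs with SeTcbPrivilege (e.g. SYSTEM).
        // Keep this code path as small and well audited as possible.
        using (WindowsImpersonationContext ctx = id.Impersonate())
        {
            Console.WriteLine("Thread now runs as: {0}", WindowsIdentity.GetCurrent().Name);
            // Access resources on behalf of the user here.
        }   // Dispose() undoes the impersonation even if an exception is thrown.
    }
}
```

Run it once under the Network Service app pool account and once under an account that has been granted the privilege to see the token level change from Identification to Impersonation. Granting that privilege to a web application's pool account is the "massive security hole" Joe warns about: any code running in that process can then obtain a usable token for any domain user without knowing a credential.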


