Re: Impersonation using WindowsIdentity( upn ) ctor

From: Alberto Ortega (beto_at_NOSPAMTOMEsouthworks.net)
Date: 02/23/05


Date: Wed, 23 Feb 2005 10:41:38 -0300

Ok, now, what if I use the LogonUser API ?

Thanks a lot.
Beto.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
> The problem is fairly subtle and is related to how Kerberos S4U, or
> "protocol transition", works. That is the new Windows 2003 feature that you
> are using under the hood when you use the WindowsIdentity "UPN" ctor.
>
> With S4U, the token returned by the API will either be an Impersonation
> level token or an Identity level token. The level depends on whether or not
> the account creating the token has the "Act as part of the operating system"
> privilege. Only accounts with that privilege can create an
> Impersonation level token with S4U. By default, only the SYSTEM account has
> this privilege. Everything else will create an Identity level token.
>
> As you probably guessed, a token has to be Impersonation level in order to
> impersonate it. An Identity-level token can only be used to do things like
> check group membership and such. This is the error that you are seeing.
>
> This limitation is actually a security feature. When you think about it,
> you wouldn't really want any old account having the ability to create a
> token for a user at random with no credentials for that user and then start
> executing code on their behalf!
>
> If you have a situation where you absolutely need to do this, you need to
> run the code with an account with the act as part of the operating system
> privilege. If you do that, you probably want to think very very carefully
> about how you are going to secure this as you are potentially opening a
> massive security hole by doing this. Tread very lightly here.
>
> Joe K.
>
> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
> > I'm trying to impersonate a user using the WindowsIdentity ctor. This is
> > what I'm doing
> >
> > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
> > WindowsImpersonationContext wic = id.Impersonate();
> > try
> > {
> >     DoSome();
> > }
> > finally
> > {
> >     wic.Undo();
> > }
> >
> > I'm getting this exception
> >
> > Access is denied.
> > Description: An unhandled exception occurred during the execution of the
> > current web request. Please review the stack trace for more information
> > about the error and where it originated in the code.
> >
> > Exception Details: System.ApplicationException: Access is denied.
> >
> > [ApplicationException: Access is denied.
> > ]
> > System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
> > userToken) +0
> > System.Security.Principal.WindowsIdentity.get_Name() +70
> > ImpersonationTest.WebForm1.DoSome() in
> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
> > ImpersonationTest.WebForm1.ImpersonateWinId() in
> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
> > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
> > System.Web.UI.Control.OnLoad(EventArgs e) +67
> > System.Web.UI.Control.LoadRecursive() +35
> > System.Web.UI.Page.ProcessRequestMain() +750
> >
> >
> >
> > The configuration is:
> >
> > * IIS: Anonymous checkbox ON and Integrated Security checkbox ON
> >
> > * Web.config: <identity impersonate="true"> and <authentication
> > mode="Forms"> (Forms auth mode is a non-negotiable requirement for my app)
> >
> > * The app pool for the virtual dir is configured with Network Service
> >
> > Running on Win2K3 Domain Controller
> >
> > Any idea of what I should do to make the impersonation work?
> >
> > Thanks,
> > Beto
> >
> >
>
>
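Joe's point above, as an added example that is not code from either poster: read the S4U token's impersonation level with GetTokenInformation before calling Impersonate(), and fall back to the group-membership use that an Identity-level token still permits. It assumes a Windows 2003 or later domain member, the UPN from the original post, and the SECURITY_IMPERSONATION_LEVEL and TOKEN_INFORMATION_CLASS constants from winnt.h.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from either poster. Assumes a Windows 2003+
// domain member and the UPN from the original post.
static class S4uTokenCheck
{
    const int SecurityImpersonation = 2;        // SECURITY_IMPERSONATION_LEVEL, winnt.h
    const int TokenImpersonationLevelClass = 9; // TOKEN_INFORMATION_CLASS
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass,
        IntPtr info, int infoLength, out int returnLength);

    // Reads the SECURITY_IMPERSONATION_LEVEL of the token behind a WindowsIdentity.
    static int GetLevel(WindowsIdentity id)
    {
        IntPtr buf = Marshal.AllocHGlobal(sizeof(int));
        try
        {
            int needed;
            if (!GetTokenInformation(id.Token, TokenImpersonationLevelClass,
                                     buf, sizeof(int), out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.ReadInt32(buf);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    static void Main()
    {
        // S4U logon: no password, so the level depends on SeTcbPrivilege.
        WindowsIdentity id = new WindowsIdentity("test@dev1.domain-dev.net");
        if (GetLevel(id) >= SecurityImpersonation)
        {
            // Only reached when the process holds "Act as part of the operating system".
            WindowsImpersonationContext wic = id.Impersonate();
            try { Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name); }
            finally { wic.Undo(); }
        }
        else
        {
            // Identification-level token: Impersonate() is unusable, but group checks work.
            WindowsPrincipal p = new WindowsPrincipal(id);
            Console.WriteLine("Identification token only; Administrators member: "
                + p.IsInRole(WindowsBuiltInRole.Administrator));
        }
    }
}
```

Under the poster's configuration (app pool running as Network Service, without the privilege) the else branch is the one that runs, which is exactly the situation the Access is denied stack trace reflects.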


