Re: Impersonation using WindowsIdentity( upn ) ctor
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/23/05
- Previous message: Gilles: "Re: (Bug?) IIS Sends response to wrong client"
- In reply to: Alberto Ortega: "Re: Impersonation using WindowsIdentity( upn ) ctor"
- Next in thread: Dominick Baier [DevelopMentor]: "Re: Impersonation using WindowsIdentity( upn ) ctor"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Feb 2005 09:17:20 -0600
You can definitely impersonate a token created with LogonUser.
I'd use the sample code in the .NET SDK docs for
WindowsImpersonationContext. They have one of the best ones I've seen.
Joe K.
"Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
news:%23oVdy1aGFHA.208@TK2MSFTNGP12.phx.gbl...
> Ok, now, what if I use the LogonUser API?
>
> Thanks a lot.
> Beto.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
>> The problem is fairly subtle and is related to how Kerberos S4U, or
>> "protocol transition", works. That is the new Windows 2003 feature that
>> you are using under the hood when you use the WindowsIdentity "UPN" ctor.
>>
>> With S4U, the token returned by the API will either be an Impersonation
>> level token or an Identity level token. The level depends on whether or
>> not the account creating the token has the "Act as part of the operating
>> system" privilege. Only accounts with that privilege can create an
>> Impersonation level token with S4U. By default, only the SYSTEM account
>> has this privilege. Everything else will create an Identity level token.
>>
>> As you probably guessed, a token has to be Impersonation level in order
>> to impersonate it. An Identity-level token can only be used to do things
>> like check group membership and such. This is the error that you are seeing.
>>
>> This limitation is actually a security feature. When you think about it,
>> you wouldn't really want any old account having the ability to create a
>> token for a user at random with no credentials for that user and then
>> start executing code on their behalf!
>>
>> If you have a situation where you absolutely need to do this, you need to
>> run the code with an account with the act as part of the operating system
>> privilege. If you do that, you probably want to think very very carefully
>> about how you are going to secure this as you are potentially opening a
>> massive security hole by doing this. Tread very lightly here.
>>
>> Joe K.
>>
>> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
>> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
>> > I'm trying to impersonate a user using the WindowsIdentity ctor. This
>> > is what I'm doing
>> >
>> > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
>> > WindowsImpersonationContext wic = id.Impersonate();
>> > try
>> > {
>> >     DoSome();
>> > }
>> > finally
>> > {
>> >     wic.Undo();
>> > }
>> >
>> > I'm getting this exception
>> >
>> > Access is denied.
>> > Description: An unhandled exception occurred during the execution of
>> > the
>> > current web request. Please review the stack trace for more information
>> > about the error and where it originated in the code.
>> >
>> > Exception Details: System.ApplicationException: Access is denied.
>> >
>> > [ApplicationException: Access is denied.
>> > ]
>> > System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
>> > userToken) +0
>> > System.Security.Principal.WindowsIdentity.get_Name() +70
>> > ImpersonationTest.WebForm1.DoSome() in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
>> > ImpersonationTest.WebForm1.ImpersonateWinId() in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
>> > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
>> > System.Web.UI.Control.OnLoad(EventArgs e) +67
>> > System.Web.UI.Control.LoadRecursive() +35
>> > System.Web.UI.Page.ProcessRequestMain() +750
>> >
>> >
>> >
>> > The configuration is:
>> >
>> > * IIS: Anonymous checkbox ON and Integrated Security checkbox ON
>> >
>> > * Web.config: <identity impersonate="true"> and <authentication
>> > mode="Forms"> (auth mode Forms is a non-negotiable requirement for my app)
>> >
>> > * The app pool for the virtual dir is configured with Network Service
>> >
>> > Running on Win2K3 Domain Controller
>> >
>> > Any idea of what I should do to make the impersonation work?
>> >
>> > Thanks,
>> > Beto
>> >
>> >
>>
>>
>
>
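The LogonUser route Joe recommends, as an added C# example that is not code from the thread or from any poster: the caller supplies the user's password, so the token comes back as a primary token that Impersonate() can use, and no "Act as part of the operating system" privilege is involved, unlike the S4U path behind the WindowsIdentity(upn) constructor. The RunAs helper and its parameters are assumptions; the domain, user name and password are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the thread: logon with explicit credentials,
// impersonate the resulting token, then undo and release the handle.
static class LogonUserImpersonation
{
    const int LOGON32_LOGON_NETWORK = 3;   // no interactive logon right needed
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: runs 'work' as the given user and always reverts,
    // even if 'work' throws, so the worker thread never keeps the identity.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // bad creds, lockout, etc.
        try
        {
            WindowsIdentity id = new WindowsIdentity(token);   // duplicates the handle
            WindowsImpersonationContext wic = id.Impersonate();
            try
            {
                work();
            }
            finally
            {
                wic.Undo();   // revert before the thread goes back to the pool
            }
        }
        finally
        {
            CloseHandle(token);   // WindowsIdentity holds its own copy
        }
    }

    static void Main()
    {
        RunAs("DEV1", "test", "<placeholder password>",
              () => Console.WriteLine(WindowsIdentity.GetCurrent().Name));
    }
}
```

Under the poster's setup the credentials would have to come from the Forms login, which is the trade-off Joe points at: either the app handles the user's password, or it runs with the high privilege needed to make S4U hand back an Impersonation-level token.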