Re: Where is the user impersonation token stored?

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 10/10/05


Date: Mon, 10 Oct 2005 01:29:46 -0700

Hello Gery,

1) The outcome of IIS authentication is stored in a blob called the ISAPI Extension
Control Block - the ASPNET_ISAPI extension passes the token to ASP.NET (via
WorkerRequest). This token is available in ASP.NET 2.0 using the Request.LogonUserIdentity
property.

2) There is some caching involved in IIS - but ASP.NET grabs the impersonation
token on each request from IIS to populate Context.User.

HTH
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> When a user visits a web site and is authenticated through the popup
> dialog box (Windows authentication) he enters his username and
> password. Evidently this creates the user's impersonation token that is
> used on subsequent requests to secured web pages. On subsequent
> requests the WindowsAuthenticationModule is what authenticates on each
> request. The code that does this looks like this:
>
> WindowsIdentity wi = new
> WindowsIdentity(ctx.WorkerRequest.GetUserToken(),
> text2, WindowsAccountType.Normal, true);
> Context.User = new WindowsPrincipal(wi);
>
> The questions are:
> 1. Where did the initial Windows authentication put the user
> impersonation token?
> 2. Where is the user impersonation token stored as the user makes web
> page requests (or is it generated on each request and if so how?)?
> Thanks,
> Gery
> EnQue Corporation
> www.EnQue.com
> www.ImagingHardware.com
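
An added example, not part of the original thread: a small HTTP module that reads the per-request token through Request.LogonUserIdentity, as the reply describes, and compares it with the identity in Context.User. The module name TokenAuditModule and the trace format are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic module (added example, not code from the thread).
public sealed class TokenAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires on every request, after the authentication modules
        // (e.g. WindowsAuthenticationModule) have populated Context.User.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Identity wrapping the token IIS handed to ASP.NET for this request.
        WindowsIdentity iis = ctx.Request.LogonUserIdentity;

        // Identity that application code and authorization checks will see.
        IIdentity user = ctx.User != null ? ctx.User.Identity : null;
        WindowsIdentity userWin = user as WindowsIdentity;

        // Compare by SID. WindowsIdentity.User is null for an anonymous
        // identity, so an anonymous Context.User never counts as a match.
        bool sameAccount = iis != null && userWin != null
            && iis.User != null && iis.User.Equals(userWin.User);

        Trace.WriteLine(String.Format(
            "{0} iisToken={1} ({2}, level={3}) contextUser={4} ({5}) sameAccount={6}",
            ctx.Request.RawUrl,
            iis != null ? iis.Name : "<none>",
            iis != null ? iis.AuthenticationType : "",
            iis != null ? iis.ImpersonationLevel.ToString() : "",
            user != null && user.IsAuthenticated ? user.Name : "<anonymous>",
            user != null ? user.GetType().Name : "<null>",
            sameAccount));
    }

    public void Dispose() { }
}
```

A sameAccount=False line shows a request where the account behind the IIS token is not the user the application authorizes against, which is worth reviewing when code impersonates or accesses resources with the request token.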


