Re: Impersonation using WindowsIdentity( upn ) ctor

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 09:17:20 -0600

You can definitely impersonate a token created with LogonUser.

I'd use the sample code in the .NET SDK docs for
WindowsImpersonationContext. They have one of the best ones I've seen.

Joe K.

"Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
news:%23oVdy1aGFHA.208@TK2MSFTNGP12.phx.gbl...
> Ok, now, what if I use the LogonUser API ?
>
> Thanks a lot.
> Beto.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
>> The problem is fairly subtle and is related to how Kerberos S4U, or
>> "protocol transition", works. That is the new Windows 2003 feature that
>> you are using under the hood when you use the WindowsIdentity "UPN" ctor.
>>
>> With S4U, the token returned by the API will either be an Impersonation
>> level token or an Identity level token. The level depends on whether or
>> not the account creating the token has the "Act as part of the operating
>> system" privilege. Only accounts with that privilege can create an
>> Impersonation level token with S4U. By default, only the SYSTEM account
>> has this privilege. Everything else will create an Identity level token.
>>
>> As you probably guessed, a token has to be Impersonation level in order
>> to impersonate it. An identity-level token can only be used to do things
>> like check group membership and such. This is the error that you are seeing.
>>
>> This limitation is actually a security feature. When you think about it,
>> you wouldn't really want any old account having the ability to create a
>> token for a user at random with no credentials for that user and then
>> start executing code on their behalf!
>>
>> If you have a situation where you absolutely need to do this, you need to
>> run the code with an account with the act as part of the operating system
>> privilege. If you do that, you probably want to think very very
>> carefully about how you are going to secure this as you are potentially
>> opening a massive security hole by doing this. Tread very lightly here.
>>
>> Joe K.
>>
>> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
>> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
>> > I'm trying to impersonate a user using the WindowsIdentity ctor. This
>> > is what I'm doing
>> >
>> > WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
>> > WindowsImpersonationContext wic = id.Impersonate();
>> > try
>> > {
>> >     DoSome();
>> > }
>> > finally
>> > {
>> >     wic.Undo();
>> > }
>> >
>> > I'm getting this exception
>> >
>> > Access is denied.
>> > Description: An unhandled exception occurred during the execution of
>> > the current web request. Please review the stack trace for more
>> > information about the error and where it originated in the code.
>> >
>> > Exception Details: System.ApplicationException: Access is denied.
>> >
>> > [ApplicationException: Access is denied.
>> > ]
>> > System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
>> > userToken) +0
>> > System.Security.Principal.WindowsIdentity.get_Name() +70
>> > ImpersonationTest.WebForm1.DoSome() in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
>> > ImpersonationTest.WebForm1.ImpersonateWinId() in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
>> > ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in
>> > c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
>> > System.Web.UI.Control.OnLoad(EventArgs e) +67
>> > System.Web.UI.Control.LoadRecursive() +35
>> > System.Web.UI.Page.ProcessRequestMain() +750
>> >
>> >
>> >
>> > The configuration is:
>> >
>> > * IIS: Anonymous checkbox ON and Integrated Security checkbox ON
>> >
>> > * Web.config: <identity impersonate="true"> and <authentication
>> > mode="Forms"> (auth mode forms is a non-negotiable requisite on my app)
>> >
>> > * The app pool for the virtual dir is configured with Network Service
>> >
>> > Running on Win2K3 Domain Controller
>> >
>> > Any idea of what I should do to make the impersonation work?
>> >
>> > Thanks,
>> > Beto
>> >
>> >
>>
>>
>
>
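Joe's diagnosis above (an S4U token from the UPN ctor is only Identification level unless the caller holds "Act as part of the operating system", whereas a LogonUser token built from real credentials can be impersonated) as an added C# example, not code from the thread; it assumes .NET 3.5 or later for WindowsIdentity.ImpersonationLevel and Action, and uses the standard advapi32/kernel32 LogonUser and CloseHandle P/Invoke signatures.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Assumes .NET 3.5+ on a domain-joined Windows Server 2003 or later host.
static class S4UCheck
{
    const int LOGON32_LOGON_NETWORK = 3;    // network logon: no interactive session needed
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // S4U path: the UPN ctor never takes a password, so the token's level is the
    // tell-tale. Without SeTcbPrivilege the process gets an Identification-level
    // token, and Impersonate() on it fails with "Access is denied" as in the post.
    public static bool CanImpersonateViaS4U(string upn)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        // Identification-level tokens can still be queried (Name, Groups, SID);
        // only Impersonation-level tokens may run code on the user's behalf.
        return id.ImpersonationLevel == TokenImpersonationLevel.Impersonation;
    }

    // LogonUser path: credentials are presented, so the token is impersonatable
    // without granting the app pool "Act as part of the operating system".
    public static void RunAs(string user, string domain, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsIdentity id = new WindowsIdentity(token);   // duplicates the handle
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                work();   // Dispose() calls Undo() even if work() throws
            }
        }
        finally
        {
            CloseHandle(token);   // we still own the original handle
        }
    }
}
```

Checking CanImpersonateViaS4U before calling Impersonate() turns the opaque ApplicationException into an explicit decision point, and the LogonUser route keeps the privilege that Joe warns about off the web application's account entirely.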


