Re: Impersonation using WindowsIdentity( upn ) ctor

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 02/23/05


Date: Wed, 23 Feb 2005 12:51:16 -0800

Hello Alberto,

You need the password when calling LogonUser - how will you safely store
that in your app?

dominick baier - DevelopMentor
www.leastprivilege.com

> Ok, now, what if I use the LogonUser API ?
>
> Thanks a lot.
> Beto.
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
> wrote in message news:OIhXppQGFHA.2156@TK2MSFTNGP09.phx.gbl...
>
>> The problem is fairly subtle and is related to how Kerberos S4U, or
>> "protocol transition", works. That is the new Windows 2003 feature
>> that you are using under the hood when you use the WindowsIdentity
>> "UPN" ctor.
>>
>> With S4U, the token returned by the API will either be an
>> Impersonation level token or an Identity level token. The level
>> depends on whether or not the account creating the token has the
>> "Act as part of the operating system" privilege. Only accounts with
>> that privilege can create an Impersonation level token with S4U. By
>> default, only the SYSTEM account has this privilege. Everything else
>> will create an Identity level token.
>>
>> As you probably guessed, a token has to be Impersonation level in
>> order to impersonate it. An Identity level token can only be used to
>> do things like check group membership and such. This is the error
>> that you are seeing.
>>
>> This limitation is actually a security feature. When you think about
>> it, you wouldn't really want any old account having the ability to
>> create a token for a user at random with no credentials for that user
>> and then start executing code on their behalf!
>>
>> If you have a situation where you absolutely need to do this, you
>> need to run the code with an account with the act as part of the
>> operating system privilege. If you do that, you probably want to
>> think very very carefully about how you are going to secure this as
>> you are potentially opening a massive security hole by doing this.
>> Tread very lightly here.
>>
>> Joe K.
>>
>> "Alberto Ortega" <beto@NOSPAMTOMEsouthworks.net> wrote in message
>> news:%23YF4FaQGFHA.3612@TK2MSFTNGP09.phx.gbl...
>>
>>> I'm trying to impersonate a user using the WindowsIdentity ctor.
>>> This is what I'm doing
>>>
>>> using System.Security.Principal;
>>>
>>> // S4U logon by UPN: no password is supplied for the user
>>> WindowsIdentity id = new WindowsIdentity( "test@dev1.domain-dev.net" );
>>> WindowsImpersonationContext wic = id.Impersonate();
>>> try
>>> {
>>>     DoSome();
>>> }
>>> finally
>>> {
>>>     wic.Undo();
>>> }
>>> I'm getting this exception
>>>
>>> Access is denied.
>>> Description: An unhandled exception occurred during the execution of
>>> the current web request. Please review the stack trace for more
>>> information about the error and where it originated in the code.
>>> Exception Details: System.ApplicationException: Access is denied.
>>>
>>> [ApplicationException: Access is denied.]
>>> System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0
>>> System.Security.Principal.WindowsIdentity.get_Name() +70
>>> ImpersonationTest.WebForm1.DoSome() in c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:71
>>> ImpersonationTest.WebForm1.ImpersonateWinId() in c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:41
>>> ImpersonationTest.WebForm1.Page_Load(Object sender, EventArgs e) in c:\inetpub\wwwroot\impersonationtest\webform1.aspx.cs:29
>>> System.Web.UI.Control.OnLoad(EventArgs e) +67
>>> System.Web.UI.Control.LoadRecursive() +35
>>> System.Web.UI.Page.ProcessRequestMain() +750
>>> The configuration is:
>>>
>>> * IIS: Anonymous checkbox ON and Integrated Security checkbox ON
>>>
>>> * Web.config: <identity impersonate="true"> and <authentication
>>> mode="Forms"> (Forms auth mode is a non-negotiable requirement for my
>>> app)
>>>
>>> * The app pool for the virtual dir is configured with Network Service
>>>
>>> Running on Win2K3 Domain Controller
>>>
>>> Any idea of what I should do to make the impersonation work?
>>>
>>> Thanks,
>>> Beto
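The point Joe makes above, that an S4U logon hands back an Identification-level token unless the caller holds "Act as part of the operating system", and that only an Impersonation-level token can be impersonated, can be checked before calling Impersonate() instead of discovering it through "Access is denied". The following C# is an added example written for this thread, not code from any of the posters: it P/Invokes GetTokenInformation with the TokenType and TokenImpersonationLevel information classes (constants taken from winnt.h), impersonates only when the level allows it, and otherwise falls back to the one thing an Identification-level token is good for, a group-membership check. The class name S4UTokenCheck, the delegate name WorkItem and the UPN used in the usage call are assumptions for the example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread). Inspects the S4U token that the
// WindowsIdentity(upn) constructor obtained and impersonates only when the
// token is actually Impersonation level; an Identification-level token (what
// any caller without SeTcbPrivilege gets) is used for group checks only.
public static class S4UTokenCheck
{
    public delegate void WorkItem();

    // SECURITY_IMPERSONATION_LEVEL values from winnt.h
    public enum ImpersonationLevel { Anonymous = 0, Identification = 1, Impersonation = 2, Delegation = 3 }

    const int TokenType = 8;               // TOKEN_INFORMATION_CLASS.TokenType
    const int TokenImpersonationLevel = 9; // TOKEN_INFORMATION_CLASS.TokenImpersonationLevel
    const int TokenPrimary = 1;            // TOKEN_TYPE.TokenPrimary

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // Reads a 4-byte token attribute; throws with the Win32 error on failure.
    static int QueryInt(IntPtr token, int infoClass)
    {
        int value, returned;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }

    // Returns the impersonation level of the token behind a WindowsIdentity.
    // A primary token has no level (the query fails on it); it can be
    // duplicated for impersonation, so it is reported as Impersonation here.
    public static ImpersonationLevel GetLevel(WindowsIdentity id)
    {
        if (QueryInt(id.Token, TokenType) == TokenPrimary)
            return ImpersonationLevel.Impersonation;
        return (ImpersonationLevel)QueryInt(id.Token, TokenImpersonationLevel);
    }

    // Runs 'work' as the user named by 'upn' if the S4U token allows it.
    // Returns false (without throwing) when the token is only Identification
    // level, i.e. when this process lacks "Act as part of the operating system".
    public static bool TryRunAs(string upn, WorkItem work)
    {
        WindowsIdentity id = new WindowsIdentity(upn); // S4U logon: no password involved
        ImpersonationLevel level = GetLevel(id);

        if (level < ImpersonationLevel.Impersonation)
        {
            // Identification-level token: Impersonate() would fail with
            // "Access is denied", but authorization checks still work.
            WindowsPrincipal principal = new WindowsPrincipal(id);
            bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
            Console.WriteLine("{0}: token is {1} level; roles can be checked (admin={2}) but not impersonated",
                upn, level, isAdmin);
            return false;
        }

        WindowsImpersonationContext ctx = id.Impersonate();
        try
        {
            work();
        }
        finally
        {
            ctx.Undo(); // always revert, even if 'work' throws
        }
        return true;
    }

    public static void Main()
    {
        // Constructed UPN for the usage call; replace with a real account in your domain.
        bool ran = TryRunAs("user@example.test", delegate
        {
            Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
        });
        Console.WriteLine(ran ? "impersonated" : "identification-level token only");
    }
}
```

Run under Network Service, as in Alberto's app pool, GetLevel returns Identification and TryRunAs reports it without impersonating; run under an account that holds SeTcbPrivilege it returns Impersonation and the work item executes in the user's context. The check does nothing to change which accounts can impersonate; it only makes the privilege boundary Joe describes visible in code so the fallback is deliberate rather than an unhandled exception.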