ARTICLE

Authorization and Programmatic Impersonation

Posted by Sonu Chauhan in Articles | Security in .NET on February 03, 2006

Tags: .NET Security, Authorization, C#, Impersonate, Impersonation, Programmatic Impersonation

By default, ASP.NET applications usually do not impersonate the original caller for design, implementation, and scalability reasons. For example, impersonating prevents effective middle-tier connection pooling, which can have a severe impact on application scalability.

Tweet
17305
0

Reader Level: Advanced

If your application uses Forms or Passport authentication, you can impersonate the anonymous Internet user account associated by IIS with your application's virtual directory. You can impersonate the original caller, which might be the anonymous Internet user account or a fixed identity.

To impersonate the original caller (the IIS authenticated identity), use the following configuration:

To impersonate a fixed identity, use additional userName and password attributes on the <identity> element, but make sure you use Aspnet_setreg.exe to store encrypted credentials in the registry.

Using Programmatic Impersonation

If you do not want to impersonate an account for the entire request, you can use programmatic impersonation to impersonate for a portion of the request. For example, you want to use the ASP.NET process account to access you application's primary resources and downstream database, but you need to access an alternate resource, such as another remote database or a remote file share, using an alternate identity.

To do this, use IIS to configure the anonymous user account as the trusted alternate identity. Then use the following code to create an impersonation token using the anonymous account only while you execute your remote resource access code

HttpContext context = HttpContext.Current;
// Get the service provider from the context
IServiceProvider iServiceProvider = context as IServiceProvider;
//Get a Type which represents an HttpContext
Type httpWorkerRequestType = typeof(HttpWorkerRequest);
// Get the HttpWorkerRequest service from the service provider
// NOTE: When trying to get a HttpWorkerRequest type from the HttpContext
// unmanaged code permission is demanded.
HttpWorkerRequest httpWorkerRequest =
iServiceProvider.GetService(httpWorkerRequestType) as HttpWorkerRequest;
// Get the token passed by IIS
IntPtr ptrUserToken = httpWorkerRequest.GetUserToken();
// Create a WindowsIdentity from the token
WindowsIdentity winIdentity = new WindowsIdentity(ptrUserToken);
// Impersonate the user
Response.Write("Before impersonation: " +WindowsIdentity.GetCurrent().Name + "<br>");
WindowsImpersonationContext impContext = winIdentity.Impersonate();
Response.Write("Impersonating: " + WindowsIdentity.GetCurrent().Name + "<br>");
// Place resource access code here
// Stop impersonating
impContext.Undo();
Response.Write( "After Impersonating: " +WindowsIdentity.GetCurrent().Name + "<br>");

Note: This approach assumes Forms or Passport authentication where your application's virtual directory is configured in IIS to support anonymous access.

If you use this code, use the following <identity> configuration:

Note: The code demands the unmanaged code permission SecurityPermission (SecurityPermissionFlag.UnmanagedCode), which is granted only to fully trusted Web applications.

post comment

TOP LEADERS

View All

TRENDING UP

Learn .NET in 60 days – Part 1 (13 Labs) Learn MVC (Model view controller) Step by Step in 7 days – Day 3 Learn C# Corner - Home Using Border Radius and Gradients in CSS3: Part I Learn C# Corner - Footer Learn .NET and C# in 60 Days Lab13(Day 5): - Classes and objects iPhone 5 First Look Samsung Galaxy Note Review WCF - Authentication and Authorization in Enterprise Architecting How to write a good article on C# Corner

View All

Sponsored by

6 Months Free & No Setup Fees ASP.NET Hosting!

Become a Sponsor

MOST LIKED ARTICLE

Learn .NET in 60 days – Part 1 (13 Labs) Working with ProgressBar in C# Resizable TextBox in ASP.NET using AjaxControlToolKit Word Processing with an Extended Rich Text Box Control Notepad in C#

PREMIUM SPONSORS

Dynamic PDF

ceTE software specializes in components for dynamic PDF generation and manipulation. The DynamicPDF™ product line allows you to dynamically generate PDF documents, merge PDF documents and new content to existing PDF documents from within your applications. Visit DynamicPDF here

Introducing MaxV - one click. infinite control. Hyper-V Hosting from MaximumASP.

Finally – a virtual platform that delivers next-generation Windows Server 2008 Hyper-V virtualization technology from a managed hosting partner you can truly depend on. Visit www.maximumasp.com/max for a FREE 30 day trial. Hurry offer ends soon. Climb aboard the MaxV platform and take advantage of High Availability, Intelligent Monitoring, Recurrent Backups, and Scalability – with no hassle or hidden fees. As a managed hosting partner focused solely on Microsoft technologies since 2000, MaximumASP is uniquely qualified to provide the superior support that our business is built on. Unparalleled expertise with Microsoft technologies lead to working directly with Microsoft as first to offer IIS 7 and SQL 2008 betas in a hosted environment; partnering in the Go Live Program for Hyper-V; and product co-launches built on WS 2008 with Hyper-V technology.

LATEST JOBS

Applying for job Metro Style App Developer .NET Developer WPF or Silverlight exp Boston MA ASP .Net Developers Split Testing Designer .NET Developer Web Developer Application Engineer Expert .NET Developer Application Developer

View All Jobs |Post a New Job

Authorization and Programmatic Impersonation

Related Articles