I have an HTTPModule which authenticates a user against AD based on a cookie token and sets the HttpContext.User property to a WindowsIdentity created from a token generated by the logonuser WIN32 function.
This allows me to simulate Windows authentication through a forms based credentials process. This is used on a ASP.Net app and a SharePoint site.
The issue I have is this code executes fine if the pool account is in the local admin group. Otherwise it throws the following exception.
SecurityModule.FBAToNTIntegratedModule [(null)] - Authentication Request
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.Principal.WindowsIdentity.get_AuthenticationType()
at System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal)
at System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal)
at System.Web.HttpContext.set_User(IPrincipal value)
at SecurityModule.FBAToNTIntegratedModule.context_AuthenticateRequest(Object sender, EventArgs e) in
I do not want to add the pool account to the admin group but I can give it additional privileges to make this work. Is it possible to configure this account so this process will work? What privileges does the account need?
I have not found a way to fix this issue but I did want to reply with a workaround that I can live with.
I wrapped the code that sets the User on the Context object in a Impersonation block which impersonates a local user that is in the local Administrator group. This allows the code to execute properly without requiring the pool account to be a local administrator.
My code is below. In my real code I pull the credentials from encrypted values in a config file.
private void SetContextUser(HttpContext ctx, IPrincipal user)
{
try
{
bool impersonate = false;
WindowsImpersonationContext impContext = null;
WindowsIdentity user = null;
if (impCreds != null)
{
//Impersonate use to set user in context
impersonate = true;
}
if (impersonate)
{
//Impersonate User
IntPtr token = LogonUser("Username", "Domain", "Password");
//Get Identity from Token
if (token != IntPtr.Zero)
{
//Create the Identity
user = new WindowsIdentity(token);
CloseHandle(token);
}
impContext = adminUser.Impersonate();
}
//Set user while impersonating user with admin rights
ctx.User = user;
if (impersonate)
{
//Go back to original identity
impContext.Undo();
}
}
catch (Exception e)
{
//Log this
}
}
I am also having this issue. Described the
question on stackoverflow. I was able to get it working by changing the application pool's identity to LocalSystem but I can't leave that as a solution. Using local Administrators group doesn't help, so the temporary elevated permissions with an a user
that has admin rights doesn't work. Any help is appreciated.
I figured out the answer! You have to specify the AuthenticationType when constructing the WindowsIdentity object. I document the solution here: http://stackoverflow.com/a/11588736/265877.
zebra1024
Member
12 Points
2 Posts
UnauthorizedAccessException setting HttpContex.User
May 18, 2011 04:22 PM|LINK
I have an HTTPModule which authenticates a user against AD based on a cookie token and sets the HttpContext.User property to a WindowsIdentity created from a token generated by the logonuser WIN32 function.
This allows me to simulate Windows authentication through a forms based credentials process. This is used on a ASP.Net app and a SharePoint site.
The issue I have is this code executes fine if the pool account is in the local admin group. Otherwise it throws the following exception.
I do not want to add the pool account to the admin group but I can give it additional privileges to make this work. Is it possible to configure this account so this process will work? What privileges does the account need?
zebra1024
Member
12 Points
2 Posts
Re: UnauthorizedAccessException setting HttpContex.User
May 23, 2011 03:01 PM|LINK
I have not found a way to fix this issue but I did want to reply with a workaround that I can live with.
I wrapped the code that sets the User on the Context object in a Impersonation block which impersonates a local user that is in the local Administrator group. This allows the code to execute properly without requiring the pool account to be a local administrator.
My code is below. In my real code I pull the credentials from encrypted values in a config file.
private void SetContextUser(HttpContext ctx, IPrincipal user) { try { bool impersonate = false; WindowsImpersonationContext impContext = null; WindowsIdentity user = null; if (impCreds != null) { //Impersonate use to set user in context impersonate = true; } if (impersonate) { //Impersonate User IntPtr token = LogonUser("Username", "Domain", "Password"); //Get Identity from Token if (token != IntPtr.Zero) { //Create the Identity user = new WindowsIdentity(token); CloseHandle(token); } impContext = adminUser.Impersonate(); } //Set user while impersonating user with admin rights ctx.User = user; if (impersonate) { //Go back to original identity impContext.Undo(); } } catch (Exception e) { //Log this } }EagleWizard
Member
2 Points
1 Post
Re: UnauthorizedAccessException setting HttpContex.User
Nov 15, 2011 11:11 AM|LINK
I am having the same issue, but for me it doesn't help if I add the application pool user to the Administrators of the server.
Have you found an other way to fix this issue? Any suggestions on fixing this?
I really need a solution for this, but I not manage to find a user that has sufficient rights the perform this operation
AlexFeldman
Member
6 Points
3 Posts
Re: UnauthorizedAccessException setting HttpContex.User
Jul 20, 2012 11:29 PM|LINK
I am also having this issue. Described the question on stackoverflow. I was able to get it working by changing the application pool's identity to LocalSystem but I can't leave that as a solution. Using local Administrators group doesn't help, so the temporary elevated permissions with an a user that has admin rights doesn't work. Any help is appreciated.
AlexFeldman
Member
6 Points
3 Posts
Re: UnauthorizedAccessException setting HttpContex.User
Jul 21, 2012 01:20 AM|LINK
I figured out the answer! You have to specify the AuthenticationType when constructing the WindowsIdentity object. I document the solution here: http://stackoverflow.com/a/11588736/265877.