kjmcad
Member
352 Points
219 Posts
ASP.NET Impersonation
Apr 06, 2012 06:37 PM|LINK
I am trying to impersonate a user in my C# code to open a file share in Windows Explorer. BUT IT IS NOT WORKING! My code is below.
Impersonator i = new Impersonator();
using (new Impersonator("userA", "domainA", "pa$$word", LogonType.LOGON32_LOGON_INTERACTIVE, LogonProvider.LOGON32_PROVIDER_DEFAULT))
{
    Process.Start(@"c:\windows\explorer.exe", @"\\fileshare\abc");
    Response.Write("Impersonated User: " + WindowsIdentity.GetCurrent().Name + "<br />");
    Response.Write("Logon User: " + Request.ServerVariables["LOGON_USER"] + "<br />");
    Response.Write("Authenticated User: " + Request.ServerVariables["AUTH_USER"] + "<br />");
}
I am using the code to do the impersonation from this site:
http://platinumdogs.wordpress.com/2008/10/30/net-c-impersonation-with-network-credentials/
I am thinking it is because the Logon & Authenticated is my windows login because I am using Windows Authentication?
The account I am impersonating is a domain account and has full account to the file share.
Please help
ADDITIONAL:
I also tried using this code but it did not work. I got an "Access Denied" error
string target = "'_blank'";
string script = "window.open(" + @"'file://fileshare/abc'" + "," + target + "," + "'status=no, menubar=yes, toolbar=yes');";
Page.ClientScript.RegisterStartupScript(this.GetType(), "someUniqueId", script, true);
mm10
Contributor
6455 Points
1187 Posts
Re: ASP.NET Impersonation
Apr 06, 2012 10:30 PM|LINK
If you want to impersonate a WindowsIdentity in ASP.NET you can use the Win32 LogonUser API and construct a WindowsIdentity object from the token and attach the token to the current thread:
// Namespaces needed: System, System.Runtime.InteropServices, System.Security.Principal
// Declare signatures for Win32 LogonUser and CloseHandle APIs
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LogonUser(
    string principal,
    string authority,
    string password,
    LogonSessionType logonType,
    LogonProvider logonProvider,
    out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
enum LogonSessionType : uint
{
    Interactive = 2,
    Network,
    Batch,
    Service,
    NetworkCleartext = 8,
    NewCredentials
}
enum LogonProvider : uint
{
    Default = 0, // default for platform (use this!)
    WinNT35, // sends smoke signals to authority
    WinNT40, // uses NTLM
    WinNT50 // negotiates Kerb or NTLM
}
protected void Impersonate(object sender, EventArgs e)
{
    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext impersonatedUser = null;
    try
    {
        // Create a token
        bool result = LogonUser("User", "Domain",
            "Password",
            LogonSessionType.Network,
            LogonProvider.Default,
            out token);
        if (result)
        {
            WindowsIdentity id = new WindowsIdentity(token);
            // Begin impersonation
            impersonatedUser = id.Impersonate();
            // Resource access here uses the impersonated identity
        }
    }
    finally
    {
        // Stop impersonation and revert to the process identity
        if (impersonatedUser != null)
            impersonatedUser.Undo();
        // Free the token
        if (token != IntPtr.Zero)
            CloseHandle(token);
    }
    // Verify the old process identity
}
BrockAllen
All-Star
28052 Points
4996 Posts
MVP
Re: ASP.NET Impersonation
Apr 07, 2012 01:40 AM|LINK
If you're using windows authentication and you want to impersonate the current user, just do this:
public void DoWorkWithClientCreds()
{
    // grab client identity
    WindowsIdentity id = (WindowsIdentity)Context.User.Identity;
    // impersonation is automatically undone by
    // WindowsImpersonationContext.Dispose()
    using (WindowsImpersonationContext wic = id.Impersonate())
    {
        // access resource using client credentials
        using (TextReader tr = File.OpenText("foo.txt"))
        {
        }
    }
}
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
kjmcad
Member
352 Points
219 Posts
Re: ASP.NET Impersonation
Apr 16, 2012 12:53 PM|LINK
Can I use this to open a folder on a remote server?
BrockAllen
All-Star
28052 Points
4996 Posts
MVP
Re: ASP.NET Impersonation
Apr 16, 2012 03:31 PM|LINK
You need to do delegation. This means you need to configure the web server (app pool) to run under a domain account, set up an SPN for http for that account and then configure that account in AD to be trusted to perform constrained delegation to the target server where the file share is.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
kjmcad
Member
352 Points
219 Posts
Re: ASP.NET Impersonation
Apr 16, 2012 04:22 PM|LINK
Excuse my ignorance. What is SPN?
BrockAllen
All-Star
28052 Points
4996 Posts
MVP
Re: ASP.NET Impersonation
Apr 16, 2012 04:30 PM|LINK
SPN is a service principal name -- it's a domain config setting so a client knows the identity of the web server so that we know how to create the kerb ticket for authentication.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
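The delegation setup described in BrockAllen's replies (an HTTP SPN on the app pool's domain account, then constrained delegation to the file server), as an added PowerShell example that is not part of the original thread. The domain CORP, the account svc-webapp and the hosts web01 and fs01 are constructed names; it assumes the app pool already runs as that account and that the ActiveDirectory module is installed.

```powershell
# Added example: every name below is constructed for illustration.
Import-Module ActiveDirectory

$domain  = 'CORP'                      # NetBIOS domain name (assumed)
$account = 'svc-webapp'                # domain account the app pool runs as (assumed)
$webFqdn = 'web01.corp.example.com'    # name clients type in the browser (assumed)
$webHost = 'web01'
# Delegation is limited to the SMB (cifs) service on the one file server.
$targets = 'cifs/fs01.corp.example.com', 'cifs/fs01'

# 1. Register the HTTP SPNs on the app pool account so clients can request a
#    Kerberos ticket for the site. -S checks for duplicates first; an SPN that
#    is registered on two accounts makes Kerberos authentication fail.
setspn -S "HTTP/$webFqdn" "$domain\$account"
setspn -S "HTTP/$webHost" "$domain\$account"

# 2. Constrained delegation: list the only services this account may present
#    the caller's identity to. -Replace makes the list exactly $targets.
Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# 3. Read the settings back and check them.
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$u = Get-ADUser -Identity $account -Properties $props

"SPNs on ${account}:"
$u.servicePrincipalName
"Allowed to delegate to:"
$u.'msDS-AllowedToDelegateTo'
"Protocol transition enabled: $($u.TrustedToAuthForDelegation)"

# TrustedForDelegation means UNconstrained delegation: the account could act
# as the caller against any service in the domain. It should stay off.
if ($u.TrustedForDelegation) {
    Write-Warning "$account is trusted for unconstrained delegation; disable it."
}

# Anything in the list beyond the intended targets widens what a compromised
# web application could reach with a visitor's identity.
$extra = @($u.'msDS-AllowedToDelegateTo') | Where-Object { $_ -notin $targets }
if ($extra) {
    Write-Warning "Unexpected delegation targets: $($extra -join ', ')"
}
```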