Last post Aug 26, 2015 10:19 AM by deadtroll
Aug 25, 2015 04:20 PM|ckJustReading
I have a simple MVC application (.net 4.5.1) that leverages ADFS for access to the site. The purpose of the site is to allow the logged on user to add/remove members from active directory groups they own (using System.DirectoryServices).
Rather than running the site off an app pool that is tied to a domain service account with privileges to all groups, I would like the site to impersonate the logged on user while performing the add/remove members processes.
From what I've read, I have to enable Kerberos delegation for the web server computer object and ensure its SPNs are set appropriately (both of which are true). The wrinkle I'm hitting is that all the examples I have seen require that the site use Windows Integrated Authentication, which I cannot do since the site uses federated logins via ADFS. Is there a way to impersonate the logged on user to perform a DirectoryServices operation in this scenario?
Aug 25, 2015 04:22 PM|DeadTroll
None that I know of without having them supply their password.
Aug 26, 2015 02:31 AM|Weibo Zhang
As you want to impersonate the logged on user to perform as a domain user, I think the following article would be useful to you. In this article, you could try some settings in the web.config (for more details, you could refer to the second link below), or you could just impersonate a specific user only when you run a particular section of code.
I hope it's useful to you.
Aug 26, 2015 09:32 AM|ckJustReading
I appreciate the follow up, but the option to put an account in the web.config is not something I would do (if I wanted to use a service account I would just set an identity on the app pool).
Regarding code-block impersonation, that is what I am attempting, unsuccessfully, to do. The impersonation itself is working fine; it is just the double-hop issue you encounter when leveraging DirectoryServices that I am trying to overcome. Since I am using claims authentication, I am (I believe) unable to use Kerberos delegation (at least the "normal" way). I am just looking for confirmation of that and (hopefully) alternative strategies to impersonate the logged on user in a claims auth app.
Aug 26, 2015 10:19 AM|DeadTroll
What you are trying to do will require you to use a user's password. It's done this way intentionally; otherwise it would be VERY easy to take over a network by simply finding someone with admin rights and impersonating that account.
What I have done in the past is provided the UI with what they want to do, and when they submit their request to change something in AD I require a password as well. I would make sure this request is sent over SSL and, if possible, you could encrypt it on the client side and decrypt it on the server.
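The approach DeadTroll describes, as an added example that is not code from the thread: the MVC action collects the caller's password in the same HTTPS POST as the change request and uses it to bind to AD as that user for just this operation, so the web server never needs delegation rights and the app pool identity never touches the group. The controller name, the UPN claim type ADFS is assumed to issue, the domain controller host name and the LDAPS port, and the `groupDn`/`memberDn` values are assumptions for illustration; the password is neither stored nor logged, and any bind or update failure is reported to the client without detail.

```csharp
using System;
using System.DirectoryServices;
using System.Net;
using System.Security.Claims;
using System.Web.Mvc;

// Added example, not from the original thread. Binds to AD with the caller's
// own credentials for a single add/remove operation instead of relying on
// Kerberos delegation (which the claims-authenticated site cannot use).
public static class GroupMembershipService
{
    // domainController: assumed host name of a DC that accepts LDAPS (port 636).
    // groupDn / memberDn: distinguished names, e.g. "CN=App Owners,OU=Groups,DC=corp,DC=example".
    // userUpn / password: the submitting user's credentials, used only for this call.
    public static void ChangeMembership(
        string domainController, string groupDn, string memberDn,
        string userUpn, string password, bool add)
    {
        if (string.IsNullOrEmpty(userUpn) || string.IsNullOrEmpty(password))
            throw new ArgumentException("User name and password are required.");

        // Explicit credentials give DirectoryEntry a fresh logon to AD, which is
        // what the impersonated (credential-less) token lacks in the double-hop case.
        // Secure = SSPI (Kerberos/NTLM) bind, SecureSocketsLayer = LDAPS transport.
        var path = "LDAP://" + domainController + ":636/" + groupDn;
        using (var group = new DirectoryEntry(path, userUpn, password,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        {
            PropertyValueCollection members = group.Properties["member"];
            if (add)
            {
                if (!members.Contains(memberDn))
                    members.Add(memberDn);
            }
            else
            {
                members.Remove(memberDn);
            }
            // The write is authorized by the ACL on the group as seen by the
            // bound user; an owner of the group succeeds, anyone else is refused.
            group.CommitChanges();
        }
    }
}

public class GroupsController : Controller
{
    // Assumed DC host name for the example.
    private const string DomainController = "dc01.corp.example";

    [HttpPost]
    [RequireHttps]               // the password must only ever travel over TLS
    [ValidateAntiForgeryToken]   // a forged cross-site POST cannot replay the form
    public ActionResult ChangeMember(string groupDn, string memberDn, string password, bool add)
    {
        // The caller's identity comes from the ADFS-issued claims; the password
        // entered on this request re-proves that identity directly to AD.
        // Assumes the relying party trust is configured to issue a UPN claim.
        var identity = User.Identity as ClaimsIdentity;
        Claim upnClaim = identity == null ? null : identity.FindFirst(ClaimTypes.Upn);
        if (upnClaim == null)
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);

        try
        {
            GroupMembershipService.ChangeMembership(
                DomainController, groupDn, memberDn, upnClaim.Value, password, add);
        }
        catch (DirectoryServicesCOMException)
        {
            // Bad password or insufficient rights on the group: do not echo
            // the LDAP error text (and never log the password) to the client.
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden,
                "The directory refused the change for your account.");
        }
        finally
        {
            password = null; // drop our reference; nothing above retains it
        }

        return new HttpStatusCodeResult(HttpStatusCode.NoContent);
    }
}
```

Because the bind is made with the submitting user's credentials, the operation is still governed by the ACL on the group rather than by anything granted to the web server, which is the least-privilege outcome the original question was after. `[RequireHttps]` enforces the SSL requirement mentioned in the post; if a Kerberos bind to the DC is not possible from the web tier, dropping `AuthenticationTypes.Secure` falls back to a simple bind, which is acceptable only because the LDAPS flag keeps the password off the wire in the clear.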