views:

1760

answers:

4

I have an ASP.NET site that must use Forms Authentication and not Windows Authentication to access an ActiveDirectoryMembershipProvider. The site must use forms because they need a designed input form instead of the browser authentication popup that Windows authentication uses.

The site needs to impersonate the user logged in via Active Directory to access user specific files.

However, the WindowsIdentity.GetCurrent() is not the same as the HttpContext.Current.User.Identity although my web.config contains:

<authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="480"/>
</authentication>
<identity impersonate="true" />

I cannot use LoginUser() and the WindowsIdentity.Impersonate() because I need to impersonate as the AD user to get their specific permissions, and I don't know the user's password because Forms takes care of logging in.

Is it possible maybe from the login.aspx.cs, to take the System.Web.UI.WebControls.Login.Password, then save the LoginUser() token in a session variable for WindowsIdentity.Impersonate() later? Or maybe a much more secure method of Impersonating the right way?

I'm confused why Forms authentication can't automatically <identity impersonate="true" />.

I've read this http://msdn.microsoft.com/en-us/library/ms998351.aspx but it uses Windows Authentication.

A: 

If your users are using IE then you can turn on integrated security for the website and your users will be authenticated silently (no login dialog, no login page). Your impersonation will then work. If you need to target other browsers then this may not work (the user will probably be presented with a login dialog).

Your current impersonation will never work because your users are logging in using an account other than their domain account. You can't expect the site to impersonate a user who hasn't supplied his credentials. That would go against basic security principles.

AdamRalph
It's an extranet, so the users access internal files using AD accounts from outside the LAN. When using an ActiveDirectoryMembershipProvider the users are logging in using their domain account. The actual user store is AD, they can log in using Forms or Windows authentication successfully, but cannot access the files when using Forms, only when using Windows because Forms uses the IUSR_* account.
Robert
+1  A: 

http://stackoverflow.com/questions/1067263/asp-net-windows-authentication-logout/1067362#1067362

tribus
tribus's comment on the other post about this one is: "Windows authentication works at the IIS level by passing your Windows authentication token. Since authentication occurs at the IIS level you cannot actually log out from application code. However, there seems to be an answer to your problem here. It is the second question addressed and essentially involves using Forms Authentication and the LogonUser Windows api." Linking to: http://visualstudiomagazine.com/articles/2004/05/01/activate-windows-impersonation-selectively.aspx
Robert
After doing the runaround from the VisualStudioMagazine.com article of adding stuff to the global.asax, importing the Win32 LogonUser() function and saving the WindowsPrincipal in the Session, Impersonate() would return successful, but the impersonation rights were not granted to the filesystem. And as soon as an exception was thrown, the principal expired. The article looked promising, but did not provide a working solution.
Robert
A: 

You may find this useful:

EDIT

On reading your question more closely, I am not sure if that approach would work with your scenario though; when you log in using Forms Authentication and impersonate an Active Directory user

kristof
+1  A: 

"Forms" authentication cannot automatically impersonate.

If you know the username and password you can hack an impersonation.

Robert
There are many other questions about this here on SO. Anyways you should check this link out: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.setauthcookie.aspx. Since impersonation is possible using this method.
Raúl Roa
@Raul, the SetAuthCookie() function only authorizes the login, it does not impersonate.
Robert
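The approach tribus's link and the last answer describe (Forms Authentication validates against AD, then a Win32 LogonUser token is used for impersonation) is illustrated below. This is an added example, not code from any of the posters or from the linked article. It assumes an ASP.NET Login control with id LoginControl on login.aspx, a hypothetical domain placeholder "CORP", in-process session state, and a session key name chosen here. Only the resulting WindowsIdentity is kept for the session; the password is never stored, and impersonation is scoped to the file access itself so that the rest of the request keeps running as the worker process account.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI.WebControls;

// Added example: obtain a Windows token for the Forms-authenticated AD user and
// impersonate it only around file access. Not from any poster or the linked article.
public static class AdImpersonation
{
    // Documented LogonUser values. NETWORK_CLEARTEXT keeps the credentials in the
    // logon session so UNC paths can be reached while impersonating; plain
    // LOGON32_LOGON_NETWORK (3) would not allow that.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Assumed session key name (not from the question).
    const string SessionKey = "AdWindowsIdentity";

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Call this from the Login control's Authenticate event, the one moment the
    // cleartext password is in hand. Returns false if Windows rejects the logon.
    public static bool Logon(HttpSessionState session, string domain, string userName, string password)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Marshal.GetLastWin32Error() has the reason; log it server-side,
            // do not echo it to the browser.
            return false;
        }
        try
        {
            // WindowsIdentity duplicates the token internally, so the raw handle
            // can be closed immediately. The identity is process-local, which is
            // why this only works with InProc session state.
            session[SessionKey] = new WindowsIdentity(token);
            return true;
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Impersonate only for the duration of the file read. 'using' reverts the
    // thread even if File.ReadAllBytes throws, so an exception cannot leave the
    // request running under the user's token.
    public static byte[] ReadFileAsUser(HttpSessionState session, string path)
    {
        WindowsIdentity identity = session[SessionKey] as WindowsIdentity;
        if (identity == null)
            throw new InvalidOperationException("No Windows token for this session; re-authenticate.");

        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            // NTFS evaluates the ACL against the impersonated user, not the app pool identity.
            return File.ReadAllBytes(path);
        }
    }
}

// login.aspx.cs wiring. Membership still performs the Forms validation against AD;
// the Windows token is only obtained when that succeeds.
public partial class login : System.Web.UI.Page
{
    protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string user = LoginControl.UserName;
        string pass = LoginControl.Password;
        e.Authenticated = Membership.ValidateUser(user, pass)
                       && AdImpersonation.Logon(Session, "CORP" /* assumed domain */, user, pass);
    }
}
```

Two caveats follow from how Windows tokens behave and match the symptoms reported in the comments above: impersonation is per thread, so it does not flow to other threads or past an un-reverted exception (hence the explicit using block), and the logon type chosen at LogonUser time decides whether the token can reach files on other servers at all. Keeping the WindowsIdentity rather than the password in Session also means that if the session store is ever compromised, it holds a handle that is useless outside the worker process rather than a reusable domain credential.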