views: 574
answers: 2

I have an internal application which has two levels of security: FormsAuthentication for the client-facing application and NTLM Integrated authentication for the management interface.

I can easily impersonate clients by just creating the proper .ASPXAUTH cookie with the FormsAuthentication class's methods. However, generating the HTTP Authentication header for NTLM is beyond me so far.

I had my hopes up when I found this article (http://msdn.microsoft.com/en-us/library/ms998358.aspx#paght000025_usingimpersonation), but then I realized that it only creates a context to run code in for the duration of the request, and I would like to switch my entire session to make the server think I'm using another domain login. I have administrative privileges on my account, so it's not for the purpose of screwing around or stealing domain passwords.

Is it even possible? Thanks.

A: 

How about just doing runas for Internet Explorer with a user account you can test with...

klabranche
With FormsAuthentication I just create a ticket with the user name. I do not need to know the password of that user to impersonate him. (This is being done for technical support reasons.) Just doing runas on the browser window requires me to know the password, which I could just enter into the HTTP authentication prompt.
Vasili Sviridov
But you can't generate the NTLM ticket either without the password, so I'm not sure you will be able to do as desired. What we do here is create a user on the network whose password we know, set up the credentials as the user we are trying to mimic, and test that way.
klabranche
+1  A: 

Let's say you have a Forms-authentication-enabled ASP.NET app with a login form login.aspx, and your users are stored in a DB. Now you'd like to support both Forms and Windows authentication. This is what I do:

For Forms auth I use a SQL DB with, let's say, a Users table. I add to this table a new column named WindowsUserName in which I save the Windows user's name in the form COMPUTER\User.

In the login.aspx form I add a method which sends a response that makes the browser show the login window:

private void ActivateWindowsLogin()
{
    Response.StatusCode = 401;
    Response.StatusDescription = "Unauthorized";
    Response.End();
}

Somewhere I have a link like <a href="login.aspx?use=windows">Admin</a>

In login.aspx Page_Load I have added:

if (Request.QueryString["use"] == "windows")
{
    // LOGON_USER is filled in by IIS only after Windows authentication succeeded
    var windowsuser = Request.ServerVariables["LOGON_USER"];
    if (string.IsNullOrEmpty(windowsuser))
        ActivateWindowsLogin();
    else
    {
        // get userId from DB for Windows user that was authenticated by IIS
        // I use userId in .ASPXAUTH cookie
        var userId = GetUserIdForWindowsUser(windowsuser);
        if (userId > 0) //user found
        {
            // here we get User object to check roles or other stuff
            var user = GetApplicationUser(userId);
            // perform additional checks here and call ActivateWindowsLogin()
            // to show login again or redirect to access denied page.
            // If everything is OK, set cookie and redirect
            FormsAuthentication.SetAuthCookie(userId.ToString(), false);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(userId.ToString(), false), true);
        }
        else //user not found
            ActivateWindowsLogin();
    }
}
else
{
    //your Forms auth routine
}

GetUserIdForWindowsUser and GetApplicationUser are my own methods, included just as a sample.

Viktor Jevdokimov
Thing is, two authentication schemes govern two different parts of the web site, and I cannot mix them. I do plan to separate them into two different applications, though. Once that is done, I can use the Forms AuthCookie but still validate against domain accounts.
Vasili Sviridov
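The same Windows-to-Forms bridge from the accepted-style answer above, written as an added example (not the answer's own code): it reads the identity IIS actually established from Request.LogonUserIdentity instead of a raw server-variable string, normalizes the account name before the table lookup, and fails closed with 403 when an authenticated domain account has no mapping. It assumes Forms mode in web.config with Windows authentication also enabled in IIS, and the lookupUserId delegate is a stand-in for the answer's GetUserIdForWindowsUser.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not the answer's code. Assumes authentication mode="Forms"
// plus Windows authentication enabled in IIS, so IIS attaches the
// WWW-Authenticate challenge to the 401 sent below. lookupUserId is an
// assumed stand-in for the answer's GetUserIdForWindowsUser(string).
public static class WindowsLoginBridge
{
    // Canonical key for the WindowsUserName column: Windows account names
    // ("COMPUTER\User") are not case-sensitive, so compare in one case.
    public static string NormalizeLogon(string logonUser)
    {
        if (string.IsNullOrWhiteSpace(logonUser)) return null;
        return logonUser.Trim().ToUpperInvariant();
    }

    // Called from login.aspx Page_Load when ?use=windows is present.
    public static void Handle(HttpContext ctx, Func<string, int> lookupUserId)
    {
        // Trust only the identity IIS authenticated, never a client-supplied value.
        WindowsIdentity win = ctx.Request.LogonUserIdentity;
        if (win == null || !win.IsAuthenticated || win.IsAnonymous)
        {
            Challenge(ctx);                 // no Windows identity yet: ask the browser for one
            return;
        }

        int userId = lookupUserId(NormalizeLogon(win.Name));
        if (userId <= 0)
        {
            // Valid domain account with no row in Users: deny, do not fall through to Forms.
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
            return;
        }

        // Non-persistent ticket keyed by userId, then the same redirect the answer uses.
        FormsAuthentication.SetAuthCookie(userId.ToString(), false);
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userId.ToString(), false), true);
    }

    private static void Challenge(HttpContext ctx)
    {
        ctx.Response.StatusCode = 401;
        ctx.Response.StatusDescription = "Unauthorized";
        ctx.Response.End();
    }
}
```

Because the mapping is keyed on the normalized Windows name, the WindowsUserName column should be stored in the same normalized form (or compared with a case-insensitive collation) for the lookup to succeed.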