views: 735
answers: 1

I have an MVC web application on an intranet and want to be able to create files on our FTP server to send to outside partners.

The code for impersonation uses the WindowsImpersonationContext.

// Impersonate the authenticated browser user, write the file, then revert.
// Dispose() on the context calls Undo(), so the revert also runs if the write throws;
// disposing the StreamWriter flushes the buffered "data" to disk.
using (System.Security.Principal.WindowsImpersonationContext impersonationContext =
           ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate())
using (StreamWriter sw = System.IO.File.CreateText("PathOnFTPServer"))
{
    sw.Write("data");
}

Here's what's happening and the reason for my question:

Pre Impersonation
    User.Identity.Name: [my windows credentials]
    System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE

Post Impersonation
    User.Identity: [my windows credentials]
    GetCurrent.Name: [my windows credentials]

Impersonate Undo
    User.Identity: [my windows credentials]
    GetCurrent.Name: NT AUTHORITY\NETWORK SERVICE

So, before I impersonate, the current user is the System Account, but after impersonation it is using my Windows domain account, which has permission to create text files on the FTP server. The code works locally using the Visual Studio web server but not when I deploy it on IIS on our test server.

I'm getting an access denied error. What would be the reason for the error when the correct user is being impersonated?

+4  A: 

Impersonation allows machine to machine impersonation, so the client browser and the server are on the same page when it comes to the impersonation. When you then attempt to access the network share, the computer doesn't trust the impersonated credentials.

You need to enable delegation for the IIS machine in Active Directory. Go to Active Directory Users and Computers, find the computer, click properties, and 'Trust computer for delegation'. (You might need to restart IIS for this to work, I don't remember).

There is way more theory than this that I don't fully understand, but this should work. Whether it is right or not, someone else could comment on!

Also, the reason it works on your development machine is that the development server runs as the developer, not (Local)\Network Service.

A decent link:

http://msdn.microsoft.com/en-us/library/cc949004.aspx

What is the difference between impersonation and delegation?

Impersonation flows the original caller’s identity to back-end resources on the same computer. Delegation flows the original caller’s identity to back-end resources on computers other than the computer running the service.

For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller’s account, the service will access resources such as a SQL Server database on the same machine using the original caller’s account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.

eyston
This was exactly what I was trying to figure out. I didn't realize that impersonation didn't carry across machines.
Jason Kemp
Man, I was trying impersonation for a couple of days, and suddenly you made me realize that we should go with delegation! Thanks a lot.
Gabriel Mongeon
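The two points the thread makes, that the impersonation block in the question must always revert, and that an impersonation-level token cannot hop to the FTP server without delegation, can be checked in code before the write is attempted. The helper below is an added example written for this page; it is not code from the question, the answer, or Microsoft. It assumes a UNC path to the FTP server's share and a `WindowsIdentity` taken from the MVC request (`User.Identity`); the `\\ftpserver\outbound` path and the file contents are constructed placeholders. It uses only documented members of `System.Security.Principal.WindowsIdentity`: `ImpersonationLevel` (a `TokenImpersonationLevel`) and `AuthenticationType`.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example (not from the original thread).
public static class ImpersonatedFileWriter
{
    // Writes 'data' to 'path' while impersonating 'caller', reverting on every
    // code path: WindowsImpersonationContext.Dispose() calls Undo(), and the
    // StreamWriter is flushed and closed before the token is reverted.
    public static void WriteAs(WindowsIdentity caller, string path, string data)
    {
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        using (StreamWriter sw = File.CreateText(path))
        {
            sw.Write(data);
        }
    }

    // Explains, without touching the file, why a remote path fails with
    // "access denied" under impersonation alone. A browser user authenticated
    // to IIS normally yields a network-logon token whose level is Impersonation;
    // such a token is valid only on the IIS machine. Reaching another host
    // requires a Delegation-level token, which in turn requires Kerberos and
    // delegation enabled for the IIS computer account in Active Directory.
    public static string DiagnoseRemoteAccess(WindowsIdentity caller, string path)
    {
        bool isRemote = path.StartsWith(@"\\", StringComparison.Ordinal);

        if (!isRemote)
        {
            return "Local path: impersonation level " + caller.ImpersonationLevel
                 + " is sufficient for " + caller.Name + ".";
        }

        if (caller.ImpersonationLevel == TokenImpersonationLevel.Delegation)
        {
            return "Remote path: delegation-level token; the write will authenticate "
                 + "to the remote server as " + caller.Name + ".";
        }

        // "Kerberos" or "NTLM" for Windows-authenticated IIS requests.
        string auth = caller.AuthenticationType;
        if (!string.Equals(auth, "Kerberos", StringComparison.OrdinalIgnoreCase))
        {
            return "Remote path: " + caller.ImpersonationLevel + "-level token via " + auth
                 + ". NTLM tokens can never be delegated; the client must reach IIS with "
                 + "Kerberos (SPN registered for the site, client in the domain).";
        }

        return "Remote path: " + caller.ImpersonationLevel + "-level token via Kerberos. "
             + "Delegation is not enabled for this IIS computer account in Active Directory, "
             + "so the remote server sees no usable credentials and denies access.";
    }

    // Stand-alone demonstration using the process identity; in the MVC
    // application the caller would be (WindowsIdentity)User.Identity.
    public static void Main()
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        const string remotePath = @"\\ftpserver\outbound\partner-export.txt"; // constructed placeholder

        Console.WriteLine(DiagnoseRemoteAccess(caller, remotePath));
        Console.WriteLine(DiagnoseRemoteAccess(caller, @"C:\Temp\local-export.txt"));

        if (caller.ImpersonationLevel == TokenImpersonationLevel.Delegation)
        {
            WriteAs(caller, remotePath, "data"); // constructed placeholder contents
        }
    }
}
```

On the delegation setting itself: the "Trust computer for delegation" option in the answer is unconstrained delegation, which lets the IIS machine present the user's credentials to any service in the domain. On domain functional levels from Windows Server 2003 onward the same Delegation tab offers "Trust this computer for delegation to specified services only", which limits the hop to the FTP server's file service (its `cifs` SPN); that is the setting to prefer, since it keeps a compromised web server from reusing users' Kerberos tickets elsewhere. Either way, `DiagnoseRemoteAccess` reports `Delegation` only once the ticket IIS receives is actually forwardable, so it doubles as a post-change verification that the AD setting took effect.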