tags:

views:

155

answers:

2
Q: 

NTLM as SSO, and Performing Certain Actions as an Impersonated Administrator

I can't seem to stumble upon the correct combination of IIS / ASP.NET settings to accomplish the following:

  1. All users on an internal domain should be able to access IIS site (w/ NTLM authentication), and the ASP.NET application should be able to get the username of the current user (aka the user is authenticated as themselves).
  2. The running ASP.NET application should be able to execute certain actions under an Administrator account. For example, an Active Directory change, or writing files to restricted locations.

You could probably guess, but the point of the application is to be able to let "normal" users make specific "Administrative" changes via the web application. At the same time, the change should be logged with the "normal" user's account, so I don't want to lose the authenticated user's credentials.

Looking for the specific settings in IIS6 to accomplish #1 (any users on the domain to get to the site and be authenticated as themselves), along with the code for #2.

+1  A: 

There are atleast two options:

Common for both:

  • Your IIS setting should be set to windows authentication.
  • The Identity of the user can be read from the httpcontext.

Option 1:

  • Set impersonation = false
  • Set the identity of the application pool to a user that has the right to make AD Changes
  • Add the above user to the IIS_WPG group

Option 2:

  • When making the AD changes set the identity of the thread to that of a user that is allowed to make the AD changes

For option 2, here is a code example that uses impersonate user:

http://msdn.microsoft.com/en-us/library/system.security.principal.windowsimpersonationcontext.aspx

Shiraz Bhaiji  2009-10-30 21:04:30
Do you have the code to accomplish Option 2?
routeNpingme  2009-10-30 22:28:26
@routeNpingme, I updated the answer
Shiraz Bhaiji  2009-10-30 23:57:03
A: 

From a security point of view, the best approach would be to separate all the Administrative operations into its own Web service that does authenticate, but does not impersonate. Your Normalpart of the site would perform the administrative operations by calling the web service, just like any other client, even if is a localhost call.

This way you achieve isolation between the normal app pool (that impersonates) and the priviledged app pool (the administrative).

Finally, this is perhaps splitting hairs, but it should be Kerberos authentication, not NTLM, because NTLM does not allow for constrained delegation and your 'normal' application will need to be enabled for delegation if it accesses anything outside the local IIS host.

Remus Rusanu  2009-10-30 21:07:42

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps