We are trying to create a web interface allowing local user accounts to be created on the web server. Only local administrators can have this right. It cannot be delegated under the local security policy.
These are approaches we have tried so far:
Running the Application Pool as a local administrator: this does work, but its not an acceptable solution.
Impersonating the logged-in user: Using with either basic or kerberos authentication works on a webforms implementation, but we can’t get it to work in one specific virtual sub-folder with an MVC controller. Even if we use WebForms for this page, this is really not an elegant solution because it requires a second login. Authentication is being set through IIS Manager. The web.config in the folder is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
<add accessType="Deny" users="*" />
<add accessType="Deny" users="?" />
</authorization>
</security>
</system.webServer>
</configuration>
Programatic Impersonation: Using System.Security.Principal.WindowsIdentity. When programatically impersonating an administrator account, we can see that Environment.UserName is getting switched, but creating a user fails with a System.UnauthorizedAccessException.
Is there any reason programatic impersonation shouldn't work for creating local users through ASP.NET? We are using Windows 7 and IIS7 to test. Is there a way to impersonate the logged-in user for a single controller or action in MVC 1.0? We don’t want to use impersonation for any other areas of the application, just for a single admin page.