Is it possible to Impersonate a user when using Forms Authentication?

The thing is that I want an external login for users and an internal site that just uses integrated windows security and the users need to be impersonated.

I've looked around and found that John's answer here is really good, but I don't quite get how I can mix it up with my Forms authentication.

Suggestions?


Edit

I want to have an <asp:Login /> control and this control will authenticate against an Active Directory which has the same set of users as the Windows Machine that I want to use impersonation on.

My problem is that I don't get how I can impersonate with the same username and password that is provided to the <asp:Login /> control.

+1  A: 

In order for that solution to work, you'll need access to the user's id and password. I don't believe that you can get this using the Login user control; you'll need to create your own login form and handle the login actions yourself. Keep the user's id and password, preferably in a secure string, in the session once you've authenticated and when you need to access the internal site on their behalf, use the Impersonator class from the referenced example to impersonate them using the credentials.

  // LogOn returns a new impersonation context on every call; the try/finally
  // guarantees the thread reverts to its original identity even if the work throws.
  using (var context = Impersonator.LogOn( username, password ))
  {
      try
      {
      ....   // work done on the user's behalf
      }
      finally
      {
         context.Undo();
      }
  }
tvanfosson
I was afraid that it had to be that way. Do you know if there is any way at all I can turn the whole site into "Impersonation" mode?
Filip Ekberg
@Filip - I don't think that impersonation works "out of the box" with forms authentication because there isn't guaranteed to be a Windows security token with forms authentication. Do you really need impersonation or would delegation be enough -- i.e., give the account running the internal site enough rights to do things on behalf of every user and then simply tell it which user it should be working for.
tvanfosson
@tvanfosson, unfortunately delegation will not suffice. The underlying system that we are calling will use the Windows user that is logged in, therefore we need to impersonate the user. I could of course put the above impersonation around all calls, but it would still be a hassle..
Filip Ekberg
@Filip - I really think that's the only way to go. Each thread is going to be handling, potentially, many users. The only way to make it work is to have the thread impersonate the user only when it is doing some work on the user's behalf. This could be done for the entire request or you could build a service layer that impersonates for each call. Which would be the best depends on what else is going on -- you might want to be guided by the principle of least privilege until you need something more performant.
tvanfosson
Thanks! Just a quick other thought, is it safe to put the context.Undo() in the destructor of Impersonator?
Filip Ekberg
@Filip -- no. The class doesn't retain a reference to a single impersonation context; it returns a new one each time you call LogOn. It's this context that needs to be undone (and disposed). I've updated my code sample to show how you'd guarantee that it's undone when finished. You could rewrite it to implement IDisposable and a factory method to create a new, non-static Impersonator that handles this for you so that you could simply do a `using (var impersonator = Impersonator.Impersonate("username","password"))`, but that would be a big change.
tvanfosson
Might be worth refactoring to that though, I rather have something like: Impersonator.ImpersonateIfRequired(); which uses the HttpContext to get username / password and impersonate when it needs. I think I am "on my way" now, cheers!
Filip Ekberg
One more thing.. Do I need Kerberos or something like that for this to work?
Filip Ekberg
A: 

This example shows how to impersonate a user from code-behind within an ASP.NET website using Forms Authentication:

Imperatively Impersonate a User

You can set the Username, Domain and Password using a config file and then impersonate when you need increased permissions.

Lucifer
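Added example, not code from either answer or from the linked articles: the IDisposable refactoring tvanfosson describes in the comments (a factory method returning a context that is undone when disposed), plus a second factory covering Lucifer's config-file approach. It assumes .NET Framework on Windows, where `WindowsIdentity.Impersonate()` and `WindowsImpersonationContext` exist, and the appSettings key names are assumed.

```csharp
using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical wrapper: logs a Windows user on with the supplied credentials,
// impersonates that user on the current thread, and reverts on Dispose().
public sealed class Impersonator : IDisposable
{
    // LOGON32_LOGON_NETWORK tokens cannot be used to reach remote servers on the
    // user's behalf; LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the credentials so
    // the impersonating thread can make that second hop if the backend is remote.
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                         int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private IntPtr _token = IntPtr.Zero;
    private WindowsImpersonationContext _context;

    // Private: callers go through the factories, so every impersonation is tied to a disposable object.
    private Impersonator(string domain, string userName, string password)
    {
        if (!LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out _token))
        {
            // Surface the Win32 error (bad password, locked account, ...) instead of continuing as the app pool.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        _context = new WindowsIdentity(_token).Impersonate();
    }

    // Credentials captured by a custom login form, as in the first answer.
    public static Impersonator Impersonate(string domain, string userName, string password)
    {
        return new Impersonator(domain, userName, password);
    }

    // Fixed account from web.config, as in the second answer (key names are assumed).
    // Pair a clear-text password in config with protected configuration so it is encrypted at rest.
    public static Impersonator ImpersonateFromConfig()
    {
        return new Impersonator(
            ConfigurationManager.AppSettings["ImpersonationDomain"],
            ConfigurationManager.AppSettings["ImpersonationUser"],
            ConfigurationManager.AppSettings["ImpersonationPassword"]);
    }

    public string CurrentName
    {
        get { return WindowsIdentity.GetCurrent().Name; }
    }

    public void Dispose()
    {
        if (_context != null)
        {
            _context.Undo();      // thread reverts to the process/app-pool identity
            _context.Dispose();
            _context = null;
        }
        if (_token != IntPtr.Zero)
        {
            CloseHandle(_token);  // release the logon token as well
            _token = IntPtr.Zero;
        }
    }
}

// Usage from a page or service layer: impersonate only around the work done for the user.
public static class Example
{
    public static void RunAsUser(string domain, string userName, string password)
    {
        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        using (var imp = Impersonator.Impersonate(domain, userName, password))
        {
            Console.WriteLine("During: " + imp.CurrentName);
            // ... call the underlying system that keys off the Windows identity here ...
        }
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);  // app-pool identity again
    }
}
```

Because `Dispose()` does the `Undo()`, a `using` block is enough to guarantee reversion on exceptions, which answers the destructor question: the revert belongs to the per-call context object, not to a finalizer. On the Kerberos question, `LogonUser` itself does not require Kerberos, but a network-type token only proves identity locally; if the underlying system is on another machine, use the cleartext network logon type noted in the comment or configure constrained delegation for the site's account.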