I've written a small ASP.NET 3.5 application to allow users to update selected account attributes on their own.

Everything works fine when I use Basic Authentication, but because the dialog that is presented is less than ideal, I'd like to use forms authentication to give the users more instruction on how to log in.

My problem is that in order for the user to update their account information, I have to have the application impersonate them for the update actions.

I've scoured the internet trying to find a solution to my issue, but nothing fits or works. I have tried setting the web.config:

<identity impersonate="true" />

but that doesn't seem to work. I also have the C# code using the WindowsImpersonationContext class, but still no luck.

protected void titleTextBox_TextChanged(object sender, EventArgs e)
{
    TextBox tb = (TextBox)sender;
    string fieldTitle = "job title";
    string fieldName = "title";

    if (userDirectoryEntry == null)
        CaptureUserIdentity();
    try
    {
        // Dispose() calls Undo(), so the thread reverts to its original
        // identity even if the directory update throws.
        using (WindowsImpersonationContext impersonationContext = userWindowsIdentity.Impersonate())
        {
            if (String.IsNullOrEmpty(tb.Text))
                userDirectoryEntry.Properties[fieldName].Clear();
            else
                userDirectoryEntry.InvokeSet(fieldName, tb.Text);
            userDirectoryEntry.CommitChanges();
        }
        PostBackMessages.Add(fieldTitle, "");
    }
    catch (Exception E)
    {
        PostBackMessages.Add(fieldTitle, E.Message);
    }
}

I also tried using the LogonUser method to create a user token and backend the authentication that way, and it doesn't work either.

IntPtr token = IntPtr.Zero;
bool result = LogonUser(userName, domainName, passwordTB.Text, LogonSessionType.Network, LogonProvider.Default, out token);

if (result)
{
     WindowsPrincipal wp = new WindowsPrincipal(new WindowsIdentity(token));
     System.Threading.Thread.CurrentPrincipal = wp;
     HttpContext.Current.User = wp;
     if (Request.QueryString["ReturnUrl"] != null)
     {
          FormsAuthentication.RedirectFromLoginPage(usernameTB.Text, false);
     }
     else
     {
          FormsAuthentication.SetAuthCookie(usernameTB.Text, false);
     }
}

I just can't help but think that I'm missing something incredibly simple...

A: 

Have you enabled Windows Authentication and disabled Anonymous Authentication in IIS?

If impersonation is enabled in an ASP.NET application then:
• If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
• If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.

Even Mien
In order for forms authentication to work I have to have Anonymous Authentication enabled. I can't use Windows Authentication because of delegation issues when trying to directly impersonate via IIS, and Basic Authentication (while it works) is clunky and not user friendly.