tags:

views:

43

answers:

1
+1  Q: 

ASP.NET Impersonation by Role

I modified the ASP.NET login control to also allow specifying UserRole ('Employee' or 'Volunteer'). Users are authenticated via a call to a webservice written by our client, which accepts username/password/role and returns true or false.

  • If role is 'Employee' it represents an active directory user. The application should impersonate the user with the given username/password.
  • If role is 'Volunteer' the application should run under a set Windows account whose username/password are known in advance (i.e. hard-coded in web.config file).

The server runs on Windows Server 2003. I am confused by the myriad of configuration choices and trying to understand my options;

Is it possible to have multiple scenarios as described?

Should I specify the impersonation programmatically or can it be done through the config file? If so, is it required to use LogonUser or WindowsIdentity?

What config file setup should I use? (i.e. Forms authentication, impersonate=true, etc..)

Thank you in advance.

+2  A: 

Because the decision about which identity to impersonate is based on run-time data, you'll likely have to deal with impersonation programmatically.

I use a combination of interop and WindowsIdentity to handle impersonation. The steps I follow are:

  1. Log on using the interop LogonUserA(), which fills a handle to an IntPtr (token).
  2. Duplicate the token with the interop DuplicateToken().
  3. Create a new windows identity, a la: var identity = new WindowsIdentity(tokenDuplicate);.
  4. Create an impersonation context via: var context = identity.Impersonate();
  5. Close both tokens with the interop CloseHandle()
  6. When finished impersonating, undo the impersonation context via: context.Undo();

I keep a disposable class around to handle the details. Steps 1-5 occur in a constructor, and step 6 occurs in the dispose routine. This helps ensure that I properly revert even in the face of an exception.

With this approach, since you are passing credentials via a service method, the web.config authentication scheme is not entirely forced. If, however, you are using integrated Windows auth, you could programmatically impersonate the current user from HttpContext.Current.User.Identity.Impersonate(), without passing credentials in a service method.

On an aside, and you may already know, PInvoke.net is a valuable resource for configuring signatures for interop methods.

kbrimington  2010-09-07 17:34:23

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps