views: 34 | answers: 0

A little background on the situation:

Multiple users RDC to a 2003 Server. For workflow management each user logs onto the server under their own credentials.

Each user researches data for multiple clients. These external websites make heavy use of persistent cookies (IE and Flash) and sometimes certificates that require time-consuming registration to establish. When one user is out of the office, their workload is distributed between the other users.

To facilitate shared cookies, all of the browsers and scripts are launched under the context of a single user.

User separation is workflow related, not security related.

Two apps are launched via a RunAs process using a stored password: one COM (Account Manager), another .Net 1.1 (scripting). Both are passed the original username on the command line and use an MSMQ based on the username to communicate with each other. My intent is to work a major overhaul to the process. The new process would consolidate the multiple apps into a single .Net 4.0 primary assembly with a few COM/.Net DLLs.

Methods:

1) In my tests so far, impersonation with advapi32.dll's LogonUser and DuplicateToken calling a MarshalByRefObject, and some trials with creating Appdomains after impersonation don't seem to be getting me full access to user profile data like I get from a RunAs. I was hoping this would work as escalation to the common user would be done strictly as needed.

2) I can isolate the functions that don't run sufficiently under impersonation to their own assemblies and call them as their own process via RunAs, which would make sure the profiles are loaded. The problem is then: what is the best way to marshal commands from the individual user scope to the common user scope? There are not a lot of parameters, but they could easily surpass command line argument limitations.

3) The other option is to continue to run the entire process as the common user (RunAs), pass the individual user via the command line, and manage all user preferences/assignments from the parameter and not from the user. KISS says this should be the way to go.

The Questions:

Is full profile data reachable by some fancy combination of impersonation commands?

Is there a good way other than MSMQ to chat between assemblies under multiple users in multiple pairings?

Is there any argument that jumps out at anyone as to why any of these approaches "work" better than another (assuming (1) can work)?