I am writing a web application that works with Exchange, and so needs to impersonate an account that has admin rights to Exchange. This account is specified by the user on setup. What is the best way to get impersonation to use this account? Obviously hard-coding this into the web.config won't work as it needs to be able to change, but I'm not sure of the best way to do it. Also, I actually only need to run as this administrative user for 1 class; is it possible to only impersonate for some methods?

A: 

The way I've done this in the past is to use LogonUser. The links below provide some guidance on how to go about this.

http://blogs.msdn.com/shawnfa/archive/2005/03/21/400088.aspx

http://www.guidanceshare.com/wiki/ASP.NET_2.0_Security_Guidelines_-_Impersonation/Delegation

You might also want to consider whether you can use Exchange impersonation and have your application run under a fixed identity that can impersonate in Exchange via Exchange Web Services.

tvanfosson
A: 

You could do it as above, but in this scenario what's wrong with just modifying the web.config during your setup process?

Steven Robbins
+1  A: 

I posted an answer on using impersonation to access a network file share, but it should work for you as well. It includes source for a C# class that can be used to manage the begin/end of impersonation and can be used by any class or method.

The source provided does assume that you are storing the username and password in the web.config.

See the original question and answer for more details.

AJ
A: 

In addition to LogonUser as others have noted, or the WindowsImpersonationContext class, you might also consider separating out the privileged code. For instance, running as an Enterprise Services object (running under COM+). This would allow you to have the OS manage the credentials, PLUS you have a built-in trust boundary around the privileged code.
Of course you would need to implement limits on who can call this object, but that's easily configurable...

AviD