ASP.NET 2.0 - Impersonation - Windows Authentication - Active Directory Groups - 500 points

I have created a website for our Intranet. The users can access the pages through Windows authentication / Active Directory groups. Only if the Windows user is in the correct Active Directory group does the access work.

In case a user is sitting at the desk with someone who doesn't have access to this intranet site, I have created a login page, which impersonates the current Windows user. This works fine so far, but only within the current page.

How can I set this impersonation to work throughout the entire site?

Imports System.Security.Principal

Private Sub cmdImpersonate_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    ' Principal of the request before impersonation
    Dim myPrincipal As WindowsPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    ' ImpersonateUser is a helper class defined elsewhere (not shown)
    Dim iuser As New ImpersonateUser(Me.Name.Text, Me.Domain.Text, Me.Pwd.Text)
    Me.theNewUser = iuser.ImpersonationContext
    myPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    Dim swr As System.IO.StreamWriter = Nothing
    Try
        ' Show which Windows account the thread is now running as
        TextBox1.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name
    Catch eXP As Exception
        If swr IsNot Nothing Then
        End If
    End Try
End Sub


McExp Commented:
You should just be able to use the normal login dialog. If you log on as a user who has no access, the user name/password dialog pops up, then they can type in credentials of a user that has permission.

The other option is to right-click on the Internet Explorer icon and select "RunAs", then the correct credentials. This will run IE in the correct user's context, and should also work just fine.
Site level impersonation shouldn't need any coding as it can all be configured from your web.config.

<system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
</system.web>


riffrack (Author) Commented:
Hi Mc Exp

Where can the user type in the username & password?

riffrack (Author) Commented:
For a technical user, the "RunAs" option is no problem. In my case many of the users will have trouble using the "RunAs" method.

Is there no way of including a username & password page, where the credentials can be entered manually?
I don't have any easy solutions that would use Windows integration. You might be able to do something with a custom membership provider, but nothing springs to mind that would be secure. Using plain Windows auth is far and away the preferred, as all the solutions I can think of involve storing the password in plain text. I don't think I would recommend it!

Did the first solution not work for you?
I've done a test here and found I don't need any of that. If I have two users, one that is logged on (that has no auth) and a second that does, then when I browse to the page using the first, a dialog pops up to ask for a user name and password. I then enter the info for the second and all is fine! IE then caches the credentials for the requests that follow in that session.

riffrack (Author) Commented:
That sounds great - I have one question with that solution.

You have created 2 users, 1 with no auth and 1 with. In my case there is a third situation. There are admin users and normal users, what if I am logged on as a normal user and want to switch to admin user?

Can this be done with your suggestion?
OK, when I said auth I meant one was in an AD group and the other wasn't. They were both configured to use Windows auth. I don't see any problems in your situation.

riffrack (Author) Commented:
Can you explain to me how it would be possible to switch from admin to normal user?
The basic solution will only work if the normal user tries to browse to an admin-only page. This will then return the login dialog, after which the admin user will enter their details. Since they are admin, why not just RunAs? Surely it's not that complicated a concept?
Using Windows auth was never really designed to work in the way you suggest. It is intended to simplify the auth such that the currently logged on user gets logged in automatically and everything should be transparent. The only other alternative would be to write your own Membership provider which extends the Windows Token Membership Provider (combines with the Forms Membership Provider).
Question has a verified solution.
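
The configuration-only approach discussed in the thread, as an added example that is not part of the original posts: a web.config that enables site-wide impersonation and restricts an admin-only folder to an AD group, so a normal user who browses there receives the browser's credential prompt instead of a custom password page. The domain name, group names and the Admin folder path are placeholders, and anonymous access is assumed to be disabled for the site in IIS.

```xml
<!-- web.config (added example; EXAMPLE\... groups and the Admin path are placeholders) -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller with Integrated Windows authentication -->
    <authentication mode="Windows"/>
    <!-- Every request in the site runs under the authenticated caller's Windows
         token, not just the page that performed a manual impersonation -->
    <identity impersonate="true"/>
    <authorization>
      <!-- Rules are evaluated top-down and the first match wins -->
      <allow roles="EXAMPLE\IntranetUsers"/>
      <allow roles="EXAMPLE\IntranetAdmins"/>
      <!-- Everyone else is refused with 401, which triggers the login dialog -->
      <deny users="*"/>
    </authorization>
  </system.web>

  <!-- Admin-only area: members of IntranetUsers alone are refused here,
       so the browser asks for credentials of an admin account -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="EXAMPLE\IntranetAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this layout the application never receives or stores a password; the browser and IIS handle the credential exchange.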
