Solved

ASP.NET 2.0 - Impersonation - Windows Authentication - Active Directory Groups - 500 points

Posted on 2007-12-02
Last Modified: 2013-11-06
I have created a website for our intranet. The users can access the pages through Windows authentication / Active Directory groups. Only if the Windows user is in the correct Active Directory group does the access work.

In case a user is sitting at the desk with someone who doesn't have access to this intranet site, I have created a login page, which impersonates the current Windows user. This works fine so far, but only within the current page.

How can I set this impersonation to work throughout the entire site?


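Imports System.Security.Principal

Private Sub cmdImpersonate_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    ' Principal attached to the request thread before impersonating
    Dim myPrincipal As WindowsPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    ' ImpersonateUser is the poster's own helper class (not shown); it logs on
    ' with the typed credentials and exposes the resulting impersonation context
    Dim iuser As New ImpersonateUser(Me.Name.Text, Me.Domain.Text, Me.Pwd.Text)
    Me.theNewUser = iuser.ImpersonationContext
    myPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    Dim swr As System.IO.StreamWriter = Nothing
    Try
        ' Show the Windows identity this thread is now running as.
        ' The impersonation applies to the current thread only, so it does
        ' not carry over to later requests.
        TextBox1.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name
    Catch eXP As Exception
        Response.Write(eXP.ToString())
    Finally
        If swr IsNot Nothing Then
            swr.Close()
        End If
    End Try
End Sub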

Question by:riffrack
10 Comments
 
LVL 16

Expert Comment

by:McExp
ID: 20392085
Site level impersonation shouldn't need any coding as it can all be configured from your web.config.


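	<configuration>
		<system.web>
			<!-- authenticate callers with their Windows accounts -->
			<authentication mode="Windows"/>
			<!-- run each request as the authenticated Windows user -->
			<identity impersonate="true"/>
		</system.web>
	</configuration>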


0
 

Author Comment

by:riffrack
ID: 20392130
Hi Mc Exp

Where can the user type in the username & password?
0
 
LVL 16

Accepted Solution

by:
McExp earned 500 total points
ID: 20392408
You should just be able to use the normal login dialog. If you log on as a user who has no access, the user name / password dialog pops up, then they can type in the credentials of a user that has permission.

The other option is to right-click on the Internet Explorer icon and select "RunAs", then enter the correct credentials. This will run IE in the correct user's context, and should also work just fine.
0

 

Author Comment

by:riffrack
ID: 20392494
For a technical user, the "RunAs" option is no problem. In my case many of the users will have trouble using the "RunAs" method.

Is there no way of including a username & password page, where the credentials can be entered manually?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392584
I don't have any easy solutions that would use Windows integration. You might be able to do something with a custom membership provider, but nothing springs to mind that would be secure. Using plain Windows auth is far and away the preferred, as all the solutions I can think of involve storing the password in plain. I don't think I would recommend it!

Did the first solution not work for you?
I've done a test here and found I don't need any of that. If I have two users, one the logged on (that has no auth) and a second that does, when I browse to the page using the first, a dialog pops up to ask for a user name and password. I then enter the info for the second and all is fine! IE then caches the credentials for the requests that follow in that session.
0
 

Author Comment

by:riffrack
ID: 20392628
That sounds great - I have one question with that solution.

You have created 2 users, 1 with no auth and 1 with. In my case there is a third situation. There are admin users and normal users, what if I am logged on as a normal user and want to switch to admin user?

Can this be done with your suggestion?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392682
OK, when I said auth I meant one was in an AD group and the other wasn't. They were both configured to use Windows auth. I don't see any problems in your situation.
0
 

Author Comment

by:riffrack
ID: 20394250
Can you explain to me how it would be possible to switch from admin to normal user?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20397306
The basic solution will only work if the normal user tries to browse to an admin-only page. This will then return the login dialog, after which the admin user will enter their details. Since they are admin, why not just RunAs? Surely it's not that complicated a concept?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20397324
Using Windows auth was never really designed to work in the way you suggest. It is intended to simplify the auth such that the currently logged-on user gets logged in automatically and everything should be transparent. The only other alternative would be to write your own Membership provider which extends the Windows Token Membership Provider (combines with the Forms Membership Provider)
0
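
An added example, not from the thread, of a web.config that puts the answers above together: Windows authentication with URL authorization by Active Directory group. A Windows user outside the required group is refused with a 401, which is what brings up the browser's credential dialog, and no password is ever handled by page code. The group names `CONTOSO\IntranetUsers` and `CONTOSO\IntranetAdmins` and the `Admin` folder are assumptions for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS authenticates the caller's Windows account; anonymous
         access must be switched off for the site in IIS. -->
    <authentication mode="Windows"/>
    <!-- Run request code under the authenticated caller's identity. -->
    <identity impersonate="true"/>
    <authorization>
      <!-- Rules are evaluated top-down and the first match wins.
           Role names are Windows groups written as DOMAIN\Group
           (assumed names). -->
      <allow roles="CONTOSO\IntranetUsers, CONTOSO\IntranetAdmins"/>
      <!-- Everyone else is denied and receives a 401. -->
      <deny users="*"/>
    </authorization>
  </system.web>

  <!-- Stricter rule for the admin-only pages (assumed folder name).
       A normal user who browses here gets the 401 and the login
       dialog, where an admin can enter their own credentials. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\IntranetAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```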


Question has a verified solution.
