Solved

ASP.NET 2.0 - Impersonation - Windows Authentication - Active Directory Groups - 500 points

Posted on 2007-12-02
Last Modified: 2013-11-06
I have created a website for our Intranet. The users can access the pages through Windows authentication / Active Directory groups. Only if the Windows user is in the correct Active Directory group does the access work.

In case a user is sitting at the desk with someone who doesn't have access to this intranet site, I have created a login page, which impersonates the current Windows user. This works fine so far, but only within the current page.

How can I set this impersonation to work throughout the entire site?


Imports System.Security.Principal

Private Sub cmdImpersonate_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim myPrincipal As WindowsPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    ' ImpersonateUser is the poster's own helper class (not shown on the page);
    ' it is constructed from the name, domain and password typed into the form.
    Dim iuser As New ImpersonateUser(Me.Name.Text, Me.Domain.Text, Me.Pwd.Text)
    Me.theNewUser = iuser.ImpersonationContext
    myPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)
    Dim swr As System.IO.StreamWriter = Nothing
    Try
        ' Show the Windows identity the code is now running as
        TextBox1.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name
    Catch eXP As Exception
        Response.Write(eXP.ToString())
    Finally
        If swr IsNot Nothing Then
            swr.Close()
        End If
    End Try
End Sub


0
Question by:riffrack
10 Comments
 
LVL 16

Expert Comment

by:McExp
ID: 20392085
Site level impersonation shouldn't need any coding as it can all be configured from your web.config.


	<configuration>
		<system.web>
			<authentication mode="Windows"/>
			<identity impersonate="true"/>
		</system.web>
	</configuration>


0
 

Author Comment

by:riffrack
ID: 20392130
Hi Mc Exp

Where can the user type in the username & password?
0
 
LVL 16

Accepted Solution

by:
McExp earned 2000 total points
ID: 20392408
You should just be able to use the normal login dialog. If you log on as a user who has no access, the user name password dialog pops up, then they can type in credentials of a user that has permission.

The other option is to right-click on the Internet Explorer icon and select "RunAs", then the correct credentials. This will run IE in the correct user's context, and should also work just fine.
0

 

Author Comment

by:riffrack
ID: 20392494
For a technical user, the "RunAs" option is no problem. In my case many of the users will have trouble using the "RunAs" method.

Is there no way of including a username & password page, where the credentials can be entered manually?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392584
I don't have any easy solutions that would use Windows integration. You might be able to do something with a custom membership provider, but nothing springs to mind that would be secure. Using plain Windows auth is far and away the preferred, as all the solutions I can think of involve storing the password in plain; I don't think I would recommend it!

Did the first solution not work for you?
I've done a test here and found I don't need any of that. If I have two users, one the logged-on user (that has no auth) and a second that does, when I browse to the page using the first, a dialog pops up to ask for a user name and password. I then enter the info for the second and all is fine! IE then caches the credentials for the requests that follow in that session.
0
 

Author Comment

by:riffrack
ID: 20392628
That sounds great - I have one question with that solution.

You have created 2 users, 1 with no auth and 1 with. In my case there is a third situation. There are admin users and normal users, what if I am logged on as a normal user and want to switch to admin user?

Can this be done with your suggestion?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392682
Ok, when I said auth I meant one was in an AD group, the other wasn't. They were both configured to use Windows auth. I don't see any problems in your situation.
0
 

Author Comment

by:riffrack
ID: 20394250
Can you explain to me how it would be possible to switch from admin to normal user?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20397306
The basic solution will only work if the normal user tries to browse to an admin-only page; this will then return the login dialog, after which the admin user will enter their details. Since they are admin, why not just runas? Surely it's not that complicated a concept?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20397324
Using Windows auth was never really designed to work in the way you suggest. It is intended to simplify the auth such that the currently logged on user gets logged in automatically and everything should be transparent. The only other alternative would be to write your own Membership provider which extends the Windows Token Membership Provider (combines with the Forms Membership Provider).
0
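
The configuration-only approach from the answers, with the Active Directory group checks written out, as an added example that is not part of the original thread. The domain `CONTOSO`, the groups `IntranetUsers` and `IntranetAdmins`, and the `Admin` folder are hypothetical names.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Authenticate callers with their Windows account; in IIS, anonymous
         access must be disabled for the site so a Windows identity is sent. -->
    <authentication mode="Windows"/>

    <!-- Run every request under the authenticated caller's identity,
         site-wide, without any impersonation code in the pages. -->
    <identity impersonate="true"/>

    <!-- Rules are evaluated top to bottom and the first match wins.
         Members of the (hypothetical) intranet group get in; everyone
         else is refused with 401, which makes the browser show its
         credential dialog so a colleague can enter their own account. -->
    <authorization>
      <allow roles="CONTOSO\IntranetUsers"/>
      <deny users="*"/>
    </authorization>
  </system.web>

  <!-- Hypothetical admin-only area. A normal user who browses here is
       refused and prompted, at which point an admin can authenticate. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\IntranetAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

No password is collected or stored by the application in this setup; the browser and Windows handle the credential exchange.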
