Solved

ASP.NET 2.0 - Impersonation - Windows Authentication - Active Directory Groups - 500 points

Posted on 2007-12-02
Last Modified: 2013-11-06
I have created a website for our Intranet. The users can access the pages through Windows authentication / Active Directory groups. Only if the Windows user is in the correct Active Directory group, does the access work.

In case a user is sitting at the desk with someone who doesn't have access to this intranet site, I have created a login page, which impersonates the current Windows user. This works fine so far, but only within the current page.

How can I set this impersonation to work throughout the entire site?


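Imports System.Security.Principal

Private Sub cmdImpersonate_Click(ByVal sender As Object, ByVal e As System.EventArgs)
    ' Principal attached to the request thread before impersonation starts
    Dim myPrincipal As WindowsPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)

    ' ImpersonateUser is not a .NET Framework class and is not shown here;
    ' it takes the name, domain and password typed into the login page
    Dim iuser As New ImpersonateUser(Me.Name.Text, Me.Domain.Text, Me.Pwd.Text)
    Me.theNewUser = iuser.ImpersonationContext

    ' Read the thread principal again after the impersonation call
    myPrincipal = DirectCast(System.Threading.Thread.CurrentPrincipal, WindowsPrincipal)

    Dim swr As System.IO.StreamWriter = Nothing
    Try
        ' Show the Windows account this code is currently running as
        TextBox1.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name
    Catch eXP As Exception
        Response.Write(eXP.ToString())
    Finally
        If swr IsNot Nothing Then
            swr.Close()
        End If
    End Try
End Sub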

Question by:riffrack
10 Comments
 
LVL 16

Expert Comment

by:McExp
ID: 20392085
Site level impersonation shouldn't need any coding as it can all be configured from your web.config.


    <system.web>
        <authentication mode="Windows"/>
        <identity impersonate="true"/>
    </system.web>


0
 

Author Comment

by:riffrack
ID: 20392130
Hi Mc Exp

Where can the user type in the username & password?
0
 
LVL 16

Accepted Solution

by:
McExp earned 500 total points
ID: 20392408
You should just be able to use the normal login dialog. If you log on as a user who has no access, the user name password dialog pops up, then they can type in credentials of a user that has permission.

The other option is to right click on the Internet Explorer icon and select "RunAs", then the correct credentials. This will run IE in the correct user's context, and should also work just fine.
0
 

Author Comment

by:riffrack
ID: 20392494
For a technical user, the "RunAs" option is no problem. In my case many of the users will have trouble using the "RunAs" method.

Is there no way of including a username & password page, where the credentials can be entered manually?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392584
I don't have any easy solutions that would use Windows integration. You might be able to do something with a custom membership provider, but nothing springs to mind that would be secure. Using plain Windows auth is far and away the preferred, as all the solutions I can think of involve storing the password in plain. I don't think I would recommend it!

Did the first solution not work for you?
I've done a test here and found I don't need any of that. If I have two users, one the logged on (that has no auth) and a second that does, when I browse to the page using the first, a dialog pops up to ask for a user name and password. I then enter the info for the second and all is fine! IE then caches the credentials for the requests that follow in that session.
0

 

Author Comment

by:riffrack
ID: 20392628
That sounds great - I have one question with that solution.

You have created 2 users, 1 with no auth and 1 with. In my case there is a third situation. There are admin users and normal users, what if I am logged on as a normal user and want to switch to admin user?

Can this be done with your suggestion?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20392682
Ok, when I said auth I meant one was in an AD group, the other wasn't. They were both configured to use Windows auth. I don't see any problems in your situation.
0
 

Author Comment

by:riffrack
ID: 20394250
Can you explain to me how it would be possible to switch from admin to normal user?
0
 
LVL 16

Expert Comment

by:McExp
ID: 20397306
The basic solution will only work if the normal user tries to browse to an admin-only page; this will then return the login dialog, after which the admin user will enter their details. Since they are admin, why not just runas? Surely it's not that complicated a concept?
0
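
The behaviour described in this thread (a login dialog when the signed-in user is not in the required group, including a normal user opening an admin-only page) depends on URL authorization rules in web.config. An added example, not part of the original thread; the group names CORP\IntranetUsers and CORP\IntranetAdmins and the Admin folder are placeholders:

```xml
<?xml version="1.0"?>
<!-- Added example. CORP\IntranetUsers, CORP\IntranetAdmins and the Admin
     folder are placeholder names, not values from the thread. -->
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <!-- Page code runs as the authenticated Windows user, so file and other
         resource permissions are checked against that account on every
         request, not only on the page where a login form was submitted. -->
    <identity impersonate="true"/>
    <authorization>
      <!-- Rules are read top-down and the first match wins. -->
      <allow roles="CORP\IntranetUsers, CORP\IntranetAdmins"/>
      <!-- Anyone not matched above is refused with 401; that response is
           what leads the browser to show its login dialog. -->
      <deny users="*"/>
    </authorization>
  </system.web>

  <!-- Stricter rule for the admin-only pages: a normal user who opens
       anything under /Admin is refused and prompted for other credentials. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\IntranetAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this layout the credentials are typed into the browser's own dialog, so no application code receives or stores the password.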
 
LVL 16

Expert Comment

by:McExp
ID: 20397324
Using Windows auth was never really designed to work in the way you suggest. It is intended to simplify the auth such that the currently logged on user gets logged in automatically and everything should be transparent. The only other alternative would be to write your own Membership provider which extends the Windows Token Membership Provider (combines with the Forms Membership Provider)
0
