Solved

ASP .NET/IIS6 NT User Impersonation problems..

Posted on 2008-10-23
5
1,614 Views
Last Modified: 2013-11-05
Hi guys,

I've never really done this type of project before, but basically I want to have a site on our company's intranet website that will automatically utilize the visitor's NT domain credentials when they visit the page.

Now this little code snippet, if it works I should be golden:

currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity) impersonationContext = currentWindowsIdentity.Impersonate() strUser = currentWindowsIdentity.Name.ToString.Substring(currentWindowsIdentity.Name.ToString.IndexOf("\") + 1) Response.Write("You are validated on this page as: <B>" & strUser & "</B><BR>")

This works great when debugging through the ASP .NET Development Server on my work machine. It'll report my username and everything's good. However, when I move to production, it fails. Here's the error:

System.InvalidOperationException: An anonymous identity cannot perform an impersonation. at System.Security.Principal.WindowsIdentity.Impersonate(StackCrawlMark& stackMark) at System.Security.Principal.WindowsIdentity.Impersonate() at CCIWSignIn._Default.Page_Load(Object sender, EventArgs e)

Now, I'm thinking this might have something to do with the way IIS works through the anonymous IUSR_servername account? So I disabled anonymous access for that page in IIS, and enabled "Integrated Windows Authentication", which just prompts me for a username and password that is doesn't seem to want to accept in the DOMAIN/Username fashion. So I've unchecked that and tried "Digest authentication for Windows domain servers". This prompts me for authentication, which I provide, and the code above works, but is there a way to just use my already entered login credentials and not get prompted for them by the site?

Any insight would be appreciated...
0
Comment
Question by:Tabris42
  • 3
5 Comments
 
LVL 37

Expert Comment

by:samtran0331
Comment Utility
>>seem to want to accept in the DOMAIN/Username fashion

I'm not sure if that is a typo in your post or that's what you actually tried, but just to make sure... it should be a backslash and not a forward slash...

DOMAIN\Username
0
 

Author Comment

by:Tabris42
Comment Utility
Yes, that was just a typo...
0
 

Author Comment

by:Tabris42
Comment Utility
I have found a workaround that works rather well... probably terrible for security though. This is to set "Basic authentication" for the folder in IIS. It still prompts for the username and password, however, so advice on how to avoid that and use the NT credentials already provided would be appreciated.
0
 
LVL 11

Accepted Solution

by:
AnthonyP9618 earned 500 total points
Comment Utility
Did you ensure that your user account actually has NTFS permissions to the files on the Web server?  It's probably trying to use Integrated, but failing because your account doesn't have the proper permissions.  Can you check the Security Event Logs of the web server and review failed audit events for your user account?

You can always SSL enable the site and use Basic... at least that would encrypt the credentials :)
0
 

Author Comment

by:Tabris42
Comment Utility
Good idea about the SSL. I've configured it for that and am still using the basic authentication... fiddled with the NTFS permissions but still get prompted every time.

If I can't get away with letting the user login automatically... is there at least a way I can make the User field fill out with their domain\username? Then they just need to enter their password?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Creating an analog clock UserControl seems fairly straight forward.  It is, after all, essentially just a circle with several lines in it!  Two common approaches for rendering an analog clock typically involve either manually calculating points with…
The ECB site provides FX rates for major currencies since its inception in 1999 in the form of an XML feed. The files have the following format (reducted for brevity) (CODE) There are three files available HERE (http://www.ecb.europa.eu/stats/exch…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now