Bill Jones Jr. MVP Visual Basic

Charlotte NC - MCP C# and VB.Net - Founder and President of the Enterprise Developers Guild (.Net User Group)


All I wanted to do was use the Windows authenticated credentials of the logged in user to access network resources, particularly a network share that is home to my input data.   Yeah, I know, it’s supposed to be easy.  And maybe it is, once you get all the settings right.  Here’s a short summary.  First, make sure you have the following parameters set in your web.config file:

 

    <authentication mode="Windows" />
    <identity impersonate="true" />

 

Don’t forget to turn off anonymous access to your web site in IIS and enable Windows authentication.  Next, import the .NET System.Security.Principal namespace:

 

    Imports System.Security.Principal

 

Finally, here’s the code sample and yes it is very easy once you quit fooling around on a development box and try it out on a machine in the correct domain where the User credentials actually have access to the desired share:

 

        ' Operate under the logged in credentials rather than
        ' ASP.NET inspired credentials (like IUSR_machinename)
        Dim wiContext As WindowsImpersonationContext
        wiContext = CType(User.Identity, WindowsIdentity).Impersonate()
        Try
            ' Do your network access here
        Finally
            ' Always revert, even if the network access throws
            wiContext.Undo()
        End Try

 

Don’t forget to “undo” the context as soon as possible.  Letting your ASP.NET applications tromp around masquerading as the logged in client any longer than absolutely necessary is considered very bad form these days, not to mention potentially dangerous.
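
A fuller version of the pattern above, as an added example that is not code from the original post: it refuses to impersonate an anonymous or non-Windows identity, traces which account the thread is running as at each stage, and reverts in a Finally block. The module name, the function names and the sharePath parameter are hypothetical.

```vbnet
Imports System.Diagnostics
Imports System.IO
Imports System.Security.Principal
Imports System.Web

Public Module ShareReader   ' hypothetical name, not from the original post

    ' Name of the account the current thread is running as right now.
    Private Function CurrentAccount() As String
        Using id As WindowsIdentity = WindowsIdentity.GetCurrent()
            Return id.Name
        End Using
    End Function

    ' Reads a file from a share as the Windows-authenticated caller.
    ' sharePath is a hypothetical UNC path chosen by the application.
    Public Function ReadAsCaller(ByVal context As HttpContext, ByVal sharePath As String) As String
        Dim caller As WindowsIdentity = Nothing
        If context.User IsNot Nothing Then
            caller = TryCast(context.User.Identity, WindowsIdentity)
        End If

        ' If anonymous access is still enabled, or another authentication mode
        ' is in use, there is no authenticated Windows logon to impersonate.
        If caller Is Nothing OrElse caller.IsAnonymous OrElse Not caller.IsAuthenticated Then
            Throw New UnauthorizedAccessException("Windows authentication is required.")
        End If

        ' Which account shows up here depends on the web.config identity settings.
        Trace.WriteLine("Before impersonation: " & CurrentAccount())
        Dim wiContext As WindowsImpersonationContext = caller.Impersonate()
        Try
            Trace.WriteLine("While impersonating: " & CurrentAccount())
            Return File.ReadAllText(sharePath)
        Finally
            ' Revert even when the read throws, so the thread never keeps the caller's token.
            wiContext.Undo()
            Trace.WriteLine("After Undo: " & CurrentAccount())
        End Try
    End Function

End Module
```

Comparing the three traced account names on the development box and on a machine inside the domain shows which identity is actually reaching the share.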

 

Now that I think about it, you might be able to get access to the desired User Identity using “wiContext = WindowsIdentity.GetCurrent().Impersonate” but I haven’t tested that since I turned off anonymous access and started testing on the box inside the domain.

 

The only reason I’m posting this is because I did a lot of web spelunking and did not hit the right search terms until after I had found out way more than I needed about Impersonation.  Of course, I also had a funky test environment that led me astray. 

 

Security, authentication and permissions – isn’t that whole topic just wonderful?  Oh well, if this stuff was easy, nobody would need developers.

 

Here’s the rest of the story

Well gentle reader, it’s no longer working as advertised.  When I actually got into production, impersonation was working.  After floundering around for a bit, checking for whatever it was that I didn’t change that broke the code, I called for help.  Dan T sez “I don’t do that.”  Eric N sez “I use web.config and hard code that puppy”.  Just call me “Hard Code Harry”, ‘cause plugging it into the web.config was the only way I could get it to go.

 

Now if I can just figure out how to get that silly .BAT to fire…

 

  Bill J

  Charlotte NC

 

posted on Sunday, May 01, 2005 4:48 PM