All I wanted to do was use the Windows authenticated credentials of the logged in user to access network resources, particularly a network share that is home to my input data. Yeah, I know, it’s supposed to be easy. And maybe it is, once you get all the settings right. Here’s a short summary. First, make sure you have the following parameters set in your web.config file:
<authentication mode="Windows" />
<identity impersonate="true" />
Don’t forget to turn off anonymous access to your web site and enable Windows authentication. Next, import the System.Security.Principal namespace, which holds the WindowsIdentity and WindowsImpersonationContext types used below.
Finally, here’s the code sample and yes it is very easy once you quit fooling around on a development box and try it out on a machine in the correct domain where the User credentials actually have access to the desired share:
Imports System.Security.Principal
' Operate under the logged in credentials rather than
' ASP.NET inspired credentials (like IUSR_machinename)
Dim wiContext As WindowsImpersonationContext
Try
    wiContext = CType(User.Identity, WindowsIdentity).Impersonate()
    ' Do your network access here
Finally
    ' Revert to the ASP.NET identity as soon as the share work is done
    If Not wiContext Is Nothing Then wiContext.Undo()
End Try
Don’t forget to “undo” the context as soon as possible. Letting your ASP.NET applications tromp around masquerading as the logged in client any longer than absolutely necessary is considered very bad form these days, not to mention potentially dangerous.
Now that I think about it, you might be able to get access to the desired User Identity using “wiContext = WindowsIdentity.GetCurrent().Impersonate” but I haven’t tested that since I turned off anonymous access and started testing on the box inside the domain.
The only reason I’m posting this is because I did a lot of web spelunking and did not hit the right search terms until after I had found out way more than I needed about Impersonation. Of course, I also had a funky test environment that led me astray.
Security, authentication and permissions – isn’t that whole topic just wonderful? Oh well, if this stuff was easy, nobody would need developers.
Here’s the rest of the story
Well gentle reader, it’s no longer working as advertised. When I actually got into production, impersonation was working. After floundering around for a bit, checking for whatever it was that I didn’t change that broke the code, I called for help. Dan T sez “I don’t do that.” Eric N sez “I use web.config and hard code that puppy”. Just call me “Hard Code Harry”, ‘cause plugging it into the web.config was the only way I could get it to go.
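For anyone landing here with the same symptom, the fragment below is an added example, not the post’s own web.config. It puts the two identity setups side by side: impersonating the authenticated caller (the first half of the post) and a fixed domain account in the identity element, which is what “hard code that puppy” normally means in ASP.NET (an assumption about the advice quoted above). The domain, account name, application path and password are constructed placeholders. The usual reason caller impersonation works on the box but not against a remote share is the one-hop limit of NTLM tokens (the “double hop” problem), which a fixed identity sidesteps at the cost of putting a password in the config file, so the hardened form encrypts that section rather than leaving it in clear text.

```xml
<!-- Added example (not the post's own web.config). Two ways to set the
     identity the worker uses when it touches the share. Domain, account,
     password and application path are constructed placeholders. -->
<configuration>
  <system.web>
    <!-- Callers must present Windows credentials; anonymous access is
         also disabled in IIS, otherwise requests arrive as IUSR_machinename. -->
    <authentication mode="Windows" />

    <!-- Option A: impersonate the authenticated caller on every request.
         The share ACL then decides per user. Pair it with an explicit
         Undo() in code as soon as the network work is done. -->
    <identity impersonate="true" />

    <!-- Option B ("hard code that puppy"): one fixed domain account.
         WEAK form, shown commented out: the password sits in clear text in
         web.config, readable by anyone who can read the file or a backup.
    <identity impersonate="true"
              userName="CONTOSO\svc-webshare"
              password="P@ssw0rd-in-clear" />
    -->

    <!-- Hardened form of Option B: keep the same element, then encrypt the
         section so the file on disk holds only ciphertext (ASP.NET 2.0 and
         later, run on the web server):
           aspnet_regiis -pe "system.web/identity" -app "/MyApp"
         On ASP.NET 1.1, aspnet_setreg.exe moves the pair into a registry
         key and the two attributes become registry: references instead.
         Either way, grant the fixed account read access only, and only on
         the input share. -->
  </system.web>
</configuration>
```

Only one identity element may be active at a time; pick A or B, not both. With B, the account is a shared identity for every visitor, so the share ACL no longer reflects who is actually browsing, which is worth noting in the application’s audit trail.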
Now if I can just figure out how to get that silly .BAT to fire…