
ASP.NET CORE 1.0, Impersonation

I'm writing an Intranet application. Target framework in project.json is dnx451. That's my publishing command:

dnu publish --runtime dnx-clr-win-x86.1.0.0-rc1-update1 --no-source

Database Connection string:

Server=name;Database=name;Trusted_Connection=True;

I'm trying to impersonate the database access but it's not working. When I start the application my Windows user is recognized and it says Hello, Domain\Username at the top right. As soon as I try to access the database I get the error "Login failed for user Domain\Computername". If I run the application pool under my user then everything works fine.

IIS: .NET CLR Version is v4.0, Managed Pipeline Mode is Classic and Identity is ApplicationPoolIdentity. Website authentications: ASP.NET Impersonation and Windows Authentication are enabled.

What do I need to change so that impersonation finally works?

Dani asked Feb 03 '16 15:02


People also ask

What is ASP.NET impersonation?

Impersonation is the process of executing code in the context of another user identity. By default, all ASP.NET code is executed using a fixed machine-specific account. To execute code using another identity we can use the built-in impersonation capabilities of ASP.NET.

How do I impersonate a user in C#?

Impersonate method to retrieve a WindowsImpersonationContext object. This object implements IDisposable, so generally should be called from a using block.

using (WindowsImpersonationContext context = WindowsIdentity.Impersonate(userHandle))
{
    // do whatever you want as this user.
}

How do I enable impersonation in Web config?

In the application's Web.config file, set the impersonate attribute in the identity element to true. Set the NTFS access control list (ACL) for the ManagerInformation directory to allow access to only those identities that are in the Windows Manager group and any required system accounts.


2 Answers

Core does not support impersonation because all web code is out of proc, hosted by Kestrel. If you want to do it you need to take the current Principal, as a WindowsPrincipal, then manually impersonate at the point where you need it.

One thing to note is that in RC1 you don't get a WindowsPrincipal, so you can't do this right now. It'll be fixed in RC2.

blowdart answered Sep 23 '22 05:09
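Impersonating only at the point of database access, as the answer above describes, shown here as an added example that is not part of the original answers. It assumes RC2 or later, where `context.User.Identity` is a `WindowsIdentity`, and `System.Data.SqlClient`; the class and method names are hypothetical. The query returns the login name SQL Server actually saw, which confirms whether the caller or the machine account reached the database.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (not from the page): impersonates the caller only
// for the duration of a single database call.
public class CallerScopedDb
{
    private readonly string connectionString;

    public CallerScopedDb(string connectionString)
    {
        // e.g. the page's "Server=name;Database=name;Trusted_Connection=True;"
        this.connectionString = connectionString;
    }

    // Returns the login SQL Server sees for this request's caller.
    public string GetDatabaseLoginName(HttpContext context)
    {
        // Fail closed: without an authenticated Windows identity the query
        // would silently run as the application pool account.
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            throw new UnauthorizedAccessException(
                "No authenticated Windows identity on the request.");
        }

        // Impersonation lasts only for this delegate and is reverted when it
        // returns. The connection is opened inside it because
        // Trusted_Connection logs in at Open() as the current thread identity.
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            using (var connection = new SqlConnection(connectionString))
            using (var command = new SqlCommand("SELECT SUSER_SNAME()", connection))
            {
                connection.Open();
                return (string)command.ExecuteScalar();
            }
        });
    }
}
```

With integrated security, connections are pooled per Windows identity, so each impersonated user gets a separate pool. If SQL Server runs on a different machine from the web server, the impersonated login also depends on Kerberos delegation being configured for the hosting account.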


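If you want every page request to impersonate the user, you can configure your own Middleware to run before MVC:

using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class Impersonate
{
    private readonly RequestDelegate next;
    public Impersonate(RequestDelegate next) {
        this.next = next;
    }
    public async Task Invoke(HttpContext context) {
        // Only Windows-authenticated requests carry a token to impersonate.
        var winIdent = context.User.Identity as WindowsIdentity;
        if (winIdent == null) {
            await next.Invoke(context);
        } else {
            // Run the rest of the pipeline under the caller's token; Wait()
            // blocks so the work finishes before impersonation is reverted.
            WindowsIdentity.RunImpersonated(winIdent.AccessToken, () => {
                next.Invoke(context).Wait();
            });
        }
    }
}

// In Startup:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) {
    // ... earlier middleware ...
    // Registered before MVC so that controllers run impersonated.
    app.UseMiddleware<Impersonate>();
    app.UseMvc(...);
    // ... remaining middleware ...
}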
Jeremy Lakeman answered Sep 20 '22 05:09