 

Impersonation in ASP.NET MVC


I have a MVC web application on an intranet and want to be able to create files on our FTP server to send to outside partners.

The code for impersonation uses the WindowsImpersonationContext.

    System.Security.Principal.WindowsImpersonationContext impersonationContext =
        ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
    try
    {
        // Runs as the impersonated caller rather than NETWORK SERVICE
        using (StreamWriter sw = System.IO.File.CreateText("PathOnFTPServer"))
        {
            sw.Write("data");
        }
    }
    finally
    {
        // Always revert to the process identity, even if the write throws
        impersonationContext.Undo();
    }

Here's what's happening and the reason for my question:

Pre Impersonation

User.Identity.Name: [my windows credentials]

System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE

Post Impersonation

User.Identity: [my windows credentials]

GetCurrent.Name: [my windows credentials]

Impersonate Undo

User.Identity: [my windows credentials]

GetCurrent.Name: NT AUTHORITY\NETWORK SERVICE

So, before I impersonate, the current user is the System Account but after impersonation, it is using my windows domain account which has permission to create text files on the FTP server. The code works locally using the visual studio web server but not when I deploy it on IIS on our test server.

I'm getting an access denied error. What would be the reason for the error when the correct user is being impersonated?

Jason Kemp asked Sep 10 '09 14:09




1 Answer

Impersonation allows machine to machine impersonation, so the client browser and the server are on the same page when it comes to the impersonation. When you then attempt to access the network share, the computer doesn't trust the impersonated credentials.

You need to enable delegation for the IIS machine in Active Directory. Go to Active Directory Users and Computers, find the computer, click properties, and 'Trust computer for delegation'. (You might need to restart IIS for this to work, I don't remember).

There is way more theory than this that I don't fully understand, but this should work. Whether it is right or not someone else could comment on!

Also, the reason it works on your development machine is that the development server runs as the developer, not (Local)\Network Service.


A decent link:

http://msdn.microsoft.com/en-us/library/cc949004.aspx

What is the difference between impersonation and delegation?

Impersonation flows the original caller’s identity to back-end resources on the same computer. Delegation flows the original caller’s identity to back-end resources on computers other than the computer running the service.

For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller’s account, the service will access resources such as a SQL Server database on the same machine using the original caller’s account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.

anonymous answered Oct 14 '22 18:10
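As an added example (not the asker's or the answerer's code), the controller action below does the same impersonated write but checks the caller's token level first, so the double-hop failure the answer describes surfaces as a clear message instead of a bare "access denied". The controller name, the [Authorize] attribute and the UNC drop folder are assumptions; the original post only says "PathOnFTPServer". WindowsIdentity.ImpersonationLevel is a .NET 4.0 property, so this will not compile against the .NET 3.5 the question was likely written for.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.Mvc;

public class FtpExportController : Controller
{
    // Assumed UNC path to the drop folder on the FTP server (remote machine).
    private const string DropFolder = @"\\ftpserver\outbound";

    [Authorize]
    public ActionResult Export()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null)
        {
            // No Windows token: Windows authentication is not enabled on the
            // site, so there is nothing to impersonate.
            return new HttpStatusCodeResult(500, "Windows authentication is required.");
        }

        // A token at Identification or Impersonation level is only good for
        // resources on this machine. Writing to a share on another machine
        // needs a Delegation-level token, which IIS only gets when the
        // caller authenticated with Kerberos and the IIS computer account is
        // trusted for delegation in AD. That is the difference between the
        // dev web server (runs as the developer, no second hop) and IIS.
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            return new HttpStatusCodeResult(500, string.Format(
                "Token level is {0}; Kerberos delegation must be enabled for the " +
                "IIS computer account before {1} can be written as {2}.",
                identity.ImpersonationLevel, DropFolder, identity.Name));
        }

        string path = Path.Combine(DropFolder, Guid.NewGuid().ToString("N") + ".txt");

        // WindowsImpersonationContext.Dispose() calls Undo(), so the using
        // block reverts to NETWORK SERVICE even if the write throws.
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        using (StreamWriter sw = File.CreateText(path))
        {
            sw.Write("data");
        }

        return Content("Wrote " + path + " as " + identity.Name);
    }
}
```

Two practical notes on the AD side. Delegation only happens over Kerberos: if the browser falls back to NTLM (site accessed by an address with no matching SPN, for example), the token stays at Impersonation level no matter what the computer object says. And the "Trust this computer for delegation to any service" checkbox the answer refers to is unconstrained delegation, which lets the IIS box reuse callers' tickets against anything on the network; the least-privilege choice is "Trust this computer for delegation to specified services only", limited to the cifs SPN of the FTP server.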