I am overriding Application_AuthenticateRequest to replace the Windows-authenticated user with another user that I programmatically retrieve with a call to LogonUser. As I assign the resulting WindowsPrincipal to Context.User I get the following exception. I don't get this exception on my development machine (everything works perfectly), only on my QA machine. Both machines are Windows Server 2008 R2. Something is different on the QA machine, but I don't know what it is.
Here is the full description of what I'm trying to accomplish.
[UnauthorizedAccessException: Attempted to perform an unauthorized operation.]
System.Security.Principal.WindowsIdentity.get_AuthenticationType() +317
System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal) +106
System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal) +9022044
System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal) +6
System.Web.HttpContext.set_User(IPrincipal value) +36
MyProj.MvcApplication.OverrideLoginUser() in C:\Data\Project\MyProj\Global.asax.cs:317
MyProj.MvcApplication.Application_AuthenticateRequest(Object sender, EventArgs e) in C:\Data\Project\MyProj\Global.asax.cs:305
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
I resolved the error on the QA machine by changing the application pool's identity from "ApplicationPoolIdentity" to "LocalSystem". On my Dev box the setting is ApplicationPoolIdentity, so why are the privileges different? What permissions does the failing functionality require?
I've exhausted all my options. Even using a user account in a local Administrators group doesn't help. The only thing that works is running the application pool as LocalSystem. Some other people have also had this problem (documented here). Any ideas are appreciated. Thanks.
Ok. It only took me 5 hours but I found a solution. I narrowed down the problem to the Identity.AuthenticationType call by calling the property of the newly created identity BEFORE assigning the principal object to Context.User. This time I got the unauthorized error on my Dev box as well. I guess that means that for some reason the property wasn't being executed on my dev box during Context.User assignment but was being executed on my QA box. Anyway, after googling around a bit I found this documentation which showed how to specify the AuthenticationType during WindowsIdentity construction. After I did that my problem was solved! Here's the code:
// Construct a WindowsIdentity object using the input account token
// and the specified authentication type.
var foo = new WindowsIdentity(logonToken, "WindowsAuthentication");
That's it! No more authentication error on both of my servers!
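The full sequence described in this answer (LogonUser, then a WindowsIdentity built with an explicit authentication type, then the Context.User assignment), as an added example that is not the poster's code. The class name, the helper's parameters and the choice of LOGON32_LOGON_NETWORK are assumptions; the page does not show which logon type was used.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

public static class LoginOverride   // hypothetical class name
{
    // Win32 constants from winbase.h (logon type is an assumption).
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper, intended to be called from Application_AuthenticateRequest.
    public static void OverrideLoginUser(HttpContext context,
        string user, string domain, string password)
    {
        IntPtr logonToken;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out logonToken))
        {
            // Surface the Win32 error instead of continuing with an invalid token.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Supplying the authentication type at construction means the
            // AuthenticationType getter returns this value rather than having
            // to look it up when the principal is assigned.
            var identity = new WindowsIdentity(logonToken, "WindowsAuthentication");
            context.User = new WindowsPrincipal(identity);
        }
        finally
        {
            // WindowsIdentity duplicates the token, so the handle returned
            // by LogonUser still has to be closed to avoid a handle leak.
            CloseHandle(logonToken);
        }
    }
}
```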