
What is Impersonation in ASP.NET?

Please explain impersonation for non-technical users. Then please explain it in the context of ASP.NET. Is impersonation good or evil? Do we use it in the case of Forms-based Authentication?

amutha asked Apr 01 '10 19:04



2 Answers

Web applications run through a web server. That web server runs as a user with different permissions than yourself. Impersonation allows the application to run as you (or any other user with different privileges on the computer), as if you were logged in to the computer running it itself.

It actually makes things quite good. It allows you another way to grant/restrict access to protected files on the computer.

And yes, you can apply it using Forms Authentication (but you don't have to).

Justin Niessner answered Sep 28 '22 02:09


You should check out Keith Brown's description of impersonation. It is really a Windows concept.

When you have an application using forms authentication (FA) the IIS process is running under the credentials of a specific user set up in IIS.

Example: If you have a user called Bob logged on using FA and IIS set up to run as Network Service. Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not Network Service.

Impersonation is not evil but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for a developer to debug. This is especially the case if you do not have admin rights to the resource (e.g. web service) you are trying to access.

Brian Lyttle answered Sep 28 '22 03:09
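To see on a running site the distinction the answers above describe, the following ASP.NET (.NET Framework) handler reports the application-level user next to the Windows identity the request actually executes as. It is an added example, not code from either answer; the class name `WhoAmIHandler` and the output format are assumptions.

```csharp
// Added example. WhoAmIHandler and its output format are hypothetical.
// Impersonation is switched on in web.config with
//   <system.web><identity impersonate="true" /></system.web>
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are sensitive: answer only requests made from the server itself.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 1. Who ASP.NET authenticated. With forms authentication this is the
        //    forms login ("Bob"), which is not a Windows account.
        IIdentity appUser = context.User != null ? context.User.Identity : null;
        bool signedIn = appUser != null && appUser.IsAuthenticated;
        string appName = signedIn ? appUser.Name : "(anonymous)";
        string authType = signedIn ? appUser.AuthenticationType : "none";

        context.Response.ContentType = "text/plain";
        context.Response.Write("Application user : " + appName + " [" + authType + "]\n");

        // 2. The Windows token used for file, registry and network access checks.
        //    GetCurrent(true) returns null when the thread is not impersonating.
        using (WindowsIdentity threadUser = WindowsIdentity.GetCurrent(true))
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            context.Response.Write("Windows identity : " + effective.Name + "\n");
            context.Response.Write("Impersonating    : " + (threadUser != null) + "\n");

            if (threadUser != null)
            {
                // An Impersonation-level token is honoured on this machine only;
                // a call to another computer needs a Delegation-level token.
                context.Response.Write("Token level      : " + threadUser.ImpersonationLevel + "\n");
            }
            if (effective.IsSystem)
            {
                context.Response.Write("WARNING: request code is running as LocalSystem\n");
            }
        }
    }
}
```

With impersonation off, the second line shows the application pool account (for example Network Service) no matter who is signed in, which is the identity a remote service would see in the Bob scenario.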