Please explain impersonation for non-technical users.Then please explain it in the context of ASP.NET. Is Impersonation good or evil? Do we use it in the case of Forms-based Authentication?
The term "Impersonation" in a programming context refers to a technique that executes the code under another user context than the user who originally started an application, i.e. the user context is temporarily changed once or multiple times during the execution of an application.
Criminals known as “pretexters” use the art of impersonation in many ways, playing the role of a trusted individual to deceive their victims and gain access to sensitive information.
Impersonation is independent of the authentication mode configured using the authentication configuration element. The authentication element is used to determine the User property of the current HttpContext. Impersonation is used to determine the WindowsIdentity of the ASP.NET application.
Identity theft is when someone steals your personal information and uses it to access your banking, credit, or any other type of financial account. Impersonation is when someone pretends to be you. They may use social media to get information about you, then they use that information for their own purposes.
Web applications run through a web server. That web server runs as a user with different permissions than yourself. Impersonation allows the application to run as you (or any other user with different priveledges on the cmoputer), as if you were logged in to the computer running it itself.
It actually makes things quite good. It allows you another way to grant/restrict access to protected files on the computer.
And yes, you can apply it using Forms Authentication (but you don't have to).
You should check out Keith Brown's description of impersonation. It is really a Windows concept.
When you have an application using forms authentication (FA) the IIS process is running under the credentials of a specific user setup in IIS.
Example: If you have a user called Bob logged on using FA and IIS setup to run as Network Service. Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not Network Service.
Impersonation is not evil but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for a developer to debug. This is especially the case if you do not have admin rights to the resource (eg. web service) you are trying to access.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With