In this MSDN article on "How to implement impersonation in an ASP.NET application" they list 4 different ways to change the account that's used to execute the web request. Unfortunately, it doesn't describe the differences between these alternatives.
I'm trying to impersonate the IIS authenticated user to copy some files off their local machine. It works when I use the WIN32 api LogonUserA and impersonate a specific user. But I need the webapp to work with many users (I don't have an account that can access everyone's files).
I thought simply setting Impersonate = "true" and configuring IIS should work but something is different. When I check Environment.UserName it appears to be impersonating the correct account but I am getting "Access is denied" errors.
Anyone know the difference between these impersonation methods? Is it possible to impersonate the IIS authenticated user and then do some file operations with it?
Update: From the feedback I've been getting I need to be more clear about what I'm facing.
Environment setup:
IIS: disable anonymous authentication, enable integrated windows authentication
ASP.Net's web.config: authentication mode = "windows", impersonate = true, deny anonymous users
Suppose I'm accessing the page as "userA":
Scenario 1: impersonate the IIS Authenticated user
try{
File.Copy(srcFile, destFile); // Access Denied even though userA has access to srcFile.
} catch(Exception ex) {
...
}
Scenario 2: impersonate userA with LogonUser
try{
// Impersonater is a wrapper around the WIN32 LogonUser API
using(Impersonater imp = new Impersonator("domain", "userA", "pwd"))
{
File.Copy(srcFile, destFile); // Works
}
} catch(Exception ex) {
...
}
In both cases, I'm impersonating "userA".
Q: Anyone know the difference between these impersonation methods?
A: First some background on how IIS handles request.
There is a specific system user called IUSR_computername (default in IIS6) which the IIS-server uses to handle file access. And there is a process running on the IIS server called Aspnet_wp.exe which runs under an account called ASPNET or NetworkService.
So when a request is made to the server, the IIS reacts and if the request is to a ASP.NET application it passes the request to that process.
This means that if the IIS-server is setup to use the IUSR_computername (anonymous) access method. The server will use that account to process the request, and if it sees that it is an ASP.NET application it will transfer the request to the ASP.NET process.
By default impersonation is disabled, this means that the request will run under the ASPNET or NetworkService account when the ASP.NET process handles the request.
Now to the difference between the impersonation methods:
Impersonate the IIS authenticated account or user
Uses an account that the IIS is setup to use. Usually IUSR_computername.
Usage: <identity impersonate="true" />
Impersonation enabled for a specific identity
Uses a specific account that is specified.
Usage: <identity impersonate="true" userName="accountname" password="password" />
The third option is the default state, which is to disable impersonation.
Q: Is it possible to impersonate the IIS authenticated user and then do some file operations with it?
A: Depends on the priviliges of the IIS authenticated user. If the account has permission to manipulate files (NTFS permission in Windows), the answer would be yes.
Read more here:
IIS Authentication
ASP.NET Authentication
I believe you've run into the "double hop" issue described here. Basically, the connection between the client and IIS is one hop, the connection between IIS and the network share is the second one and with impersonation double hops are not allowed by default. That means in your first example the user should be able to access resources local to the IIS machine but not remote ones.
When the credentials are entered on the IIS programmatically, there's no second hop. That's the difference you're looking for.
To support your requirements, you need to implement delegation rather than impersonation. Please have a look at MSDN for more info.
Related
Is it possible to have the c# code for my asp website to run as the user who is authenticated through windows authentication?
After spending a bit of time researching I understand I would need impersonation, but when I configure impersonation for example like this: <identity impersonate="true" /> I get an error from IIS about how the web config is setup wrong for integrated pipeline. Bypassing the error with: does work but the code is not executed as the authenticated user but instead as the defaultAppPool and so the IIS user.
I know this is probably not the best question, I just can't wrap my head around impersonation with windows authentication.
You can verify user with LDAP/AD combination. This means user enters username and password from his own windows account and sends this data t server that can check if this data right. Of course this will work for Local networks with single LDAP server.
Try following links for info: https://www.codeproject.com/Articles/18742/Simple-Active-Directory-Authentication-Using-LDAP
https://msdn.microsoft.com/en-us/library/ff649227.aspx
I would not want elevated rights in IIS. I would hand all data needed to do the job to another service that really does this work (as the right user).
I'm having a strange problem while using impersonation with ASP.NET MVC. I have a site that checks the status of different servers by reading some configurations files on each one of them. The app can also modify such files. Because the app will be used by several people (all of them with administrative grants in the servers),I need to have a log of all the changes done. I enabled Windows authentication to my site in IIS7 and also enabled id impersonation by adding the following to my web.config file.
<identity impersonate="true"/>
Just to be sure that the impersonation is working correctly, every time a user logged in I use the following to obtain the user that will be sending all the requests.
System.Security.Principal.WindowsIdentity.GetCurrent().Name;
When I enter the site from my Visual Studio environment, everything works correctly, the user logged is my NT id rather than the NETWORK SERVICE user and I'm able to access the remote files without problems. However, when I publish the site to our server it stops working. Even though it does seem that the impersonation is working because the NT id of the logged user is shown as the windows identity, I cannot access the files. What I found even weirder is that if I access the site directly on the server's browser, everything works ok, so I'm not sure where's the problem. In resume, here's what I'm dealing with.
Id impersonation works from development environment
Id impersonation works browsing directly in the server where the site is.
Id impersonation doesn't work when accessing the site from a browser outside the server. Even though the logged user name corresponds to the impersonated user profile, the site can not access the remote files.
Does anybody have an idea of what might be wrong? I'm kind of lost with this one...
In order to access remote files on behalf of an impersonated client, your server needs to be trusted for delegation. See this KB article for more info, or just google "trusted for delegation".
Please consider this scenario:
I have a web site that host behind IIS 7.0 . Almost every IIS setting are defaulr settings. I have a folder for upload files that ASP.Net user had write access to it.currently IIS manager cancel this write access and he want to add a local user in Windows Server that this user can has write access to that folder. Now my question is how I can Impersonate user in asp.net and if this method is secure? I want all the request execute on server according to default IIS user but I want just impersonate for upload a file.
thanks
What you need is partial impersonation. you don't need all request to be impersonated but only a few call should be impersonated. i think you must have a look at this article.
http://support.microsoft.com/kb/306158
this is how it impersonate a piece of code under logged in user's credentials while rest of the call will be processed using default app Pool identity
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo();
I have an asp.net website that is hosted in IIS 7.5
The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should be the website authentication and APP Pool settings?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)
Set up a separate App Pool for the
application
Configure the App pool to run as the
service account
Add the service account to the
IIS_WPG group on the server
Make sure the IIS_WPG group has Read,
Read & Execute, and List Folder
Contents permissions for the website
directory and Read and List Folder
Contents to the C:\Windows\Temp
folder (or equivalent).
Grant User Rights “Adjust Memory
Quotas for a Process”, “Replace a
Process Level Token”, and “Log On as
Service” to the service account
Don't mix up IIS autorization and ASP.NET autorization :
IIS autorization
IP/DNS Address Restrictions
Web Permissions (Read, Write, Script Source Access...)
NTFS Permissions (non ASP.NET ISAPI extension only : .htm, .jpg...)
ASP.NET autorization
URL Authorization (<authorization> element)
File Authorization (ASP.NET ISAPI extension only : .aspx, .ascx...)
Principal Permissions (Demands)
.NET Roles
Restrict access to your web :
Uncheck anonymous access
Configure NTFS rights
Give access to your data folder, few solutions :
Use a service account for your application pool, allow it on your folder and manage access control in your application
Use default IIS 7 ASP.NET account, and impersonate the user locally in your code when accessing your data folder
System.Security.Principal.WindowsImpersonationContext
impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//Insert your code that runs under the
security context of the authenticating
user here.
impersonationContext.Undo();
Activate impersonation globally (<identity impersonate="true"/>) ; dont like this one
I am using impersonation is used to access file on UNC share as below.
var ctx = ((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
string level = WindowsIdentity.GetCurrent().ImpersonationLevel);
On two Windows 2003 servers using IIS6, I am getting different impersonation levels: Delegation on one server and Impersonation on the other server.
This causes issues where I am unable to access the UNC share on the server with 'Impersonation' level.
What could be causing this difference? I searched through machine.config and IIS settings for the app pool, site and virtual directories - but aren't able to find the cause of this problem.
It sounds like one of the computer is trusted for delegation by your Active Directory, but the other is not. If the app pool identity is Network Service, make sure the Computer Account is marked "Trusted for Delegation" in AD.
You may need to ask your AD admin to force a replication and then log out/in to your workstation to refresh your Kerberos ticket cache.
If your testing with localhost as webserver and its working but when deployed you receive errors you could be running into the double-hop issue....outlined in this blog post
For one of our applications where we did Impersonate() we found that we had to modify the local security policy for the application pool owner and add that account to the following policies/groups:
Act as part of the operating system privilege.
Impersonate a client after authentication.
On the server(s), run Start > All Programs > Administration Tools > Local Security Policy then navigate to Local Security Policies > User Rights Assignment and look for the two policies above.