httplistener, custom hosting and authentication/impersonation

 
17-07-2007, 05:27 PM   #1
Enrico Sabbadin

Hi,
I've developed in .NET 2.0 a custom web server that hosts ASP.NET sites
using the HttpListener and ApplicationHost.CreateApplicationHost.
When I tell the HttpListener to require authentication it does work,
however in the ASP.NET site, EVEN IF I require authentication=windows /
impersonate=true,
System.Security.Principal.WindowsIdentity.GetCurrent() returns the identity
of the hosting process, not of the caller, and
System.Threading.CurrentPrincipal.Identity.Name is empty.
(All works fine if I publish the same dir to IIS.)
What wiring am I missing to have the identity flow from the HttpListener to
the ASP.NET stack?

I managed to solve it by doing an explicit impersonate before forwarding the
call to the ASP.NET runtime; however, I guess there is a better way to do it.

Thank you


17-07-2007, 07:19 PM   #2
bruce barker

You are confusing two concepts with ASP.NET: authentication (who the
user is) and thread identity (impersonation).

authentication=windows impersonate=true

is telling ASP.NET that Windows authentication was used, and to
impersonate the host's identity.

You are coding it the same way as IIS does. It impersonates the
web client before accessing any resources (such as ASP.NET or the file
system).

-- bruce (sqlwork.com)



18-07-2007, 08:18 AM   #3
Enrico Sabbadin

I'm not confusing the 2 concepts, I know the difference.
I'm just asking if authentication=windows impersonate=true is something I
should take care of in custom web hosting, or if it's something out of the box if
I code properly.

18-07-2007, 11:08 AM   #4
Enrico Sabbadin

I found the solution here:
http://www.leastprivilege.com/HttpL...nAndASPNET.aspx


  Reply With Quote
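
The explicit impersonation described in the first post, as an added example for the .NET Framework (it is not code from the thread or from the linked article). `RequestForwarder` and `forwardToAspNet` are hypothetical names standing for the host's own call into the ASP.NET runtime, and the code assumes the listener runs in the same application domain as that call.

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Hypothetical delegate: stands for the host's hand-off to the ASP.NET runtime.
public delegate void RequestForwarder(HttpListenerContext context);

public static class ImpersonatingHost
{
    public static HttpListener CreateListener(string prefix)
    {
        HttpListener listener = new HttpListener();
        listener.Prefixes.Add(prefix); // e.g. "http://localhost:8080/" (constructed value)
        // HttpListener completes the Negotiate/NTLM handshake itself, so every
        // context it hands out already carries the caller's Windows identity.
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
        return listener;
    }

    public static void HandleOne(HttpListener listener, RequestForwarder forwardToAspNet)
    {
        HttpListenerContext context = listener.GetContext();
        WindowsIdentity caller =
            context.User == null ? null : context.User.Identity as WindowsIdentity;

        // Fail closed: without a usable caller token the request must not fall
        // through and execute under the hosting process account.
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            context.Response.StatusCode = 403;
            context.Response.Close();
            return;
        }

        // Impersonation applies to the current thread only. Disposing the
        // context reverts it even if the forwarder throws, so the thread is
        // never reused while still holding the previous caller's token.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            // On this thread WindowsIdentity.GetCurrent() is now the caller,
            // not the hosting process.
            forwardToAspNet(context);
        }
    }
}
```

Work that the forwarder moves to another thread does not automatically run under the impersonated token, so resource access checks should be verified on the thread that actually touches the resource.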