ASP.NET Impersonation

Matt Tapia
How can I temporarily impersonate another windows user within my asp.net
application to run a line of code? Do I need to know both the user name and
password?
 
See Scott Galloway's code for temporary impersonation in an ASP.NET
app:
http://www.mostlylucid.co.uk/archive/2003/12/05/662.aspx

The basic idea is to call into LogonUser and DuplicateToken.

However, you may run into a problem with a scenario called the Single Hop
problem.
http://blogs.geekdojo.net/ryan/archive/2003/12/10/427.aspx
http://blogs.geekdojo.net/justin/archive/2003/12/10/430.aspx

To quote Justin Rudd from his post referenced above:
<quote>
This is what is commonly referred to in the NTLM world as the "one hop"
problem. For example, you are on machine A. You have a process that is
running as you and it calls a DCOM process on Machine B. Depending on
how the DCOM server is setup, it assumes your credentials (think
ASP.NET impersonation). Now if that DCOM server makes a call out to
another DCOM server, the credentials that go across the wire are the
credentials that the process is running as.

In IIS when you use Windows Authentication, you use your single hop as
soon as you connect to the web server. So if you have some code in
ASP.NET try to access a network resource, it will use the ASP.NET
worker process' credentials.
</quote>

You may need to have your ASP.NET application impersonate at the
application level (that's what I've had to fall back on):
http://msdn.microsoft.com/library/d.../en-us/cpgenref/html/gngrfIdentitySection.asp

This just involves a setting in web.config, as you probably know:
<identity impersonate="true|false" userName="domain\username"
password="password"/>

Other alternatives are serviced components and delegation:
http://msdn.microsoft.com/library/d...y/en-us/vsent7/html/vxconaspnetdelegation.asp
- Jon
http://weblogs.asp.net/jgalloway
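Worked example, added to this thread and not Scott Galloway's code from the link above nor anything Jon posted: the LogonUser + DuplicateToken sequence he describes, wrapped in a helper that impersonates for one callback and then undoes the impersonation and closes both handles. The class and delegate names (TempImpersonation, RunAs, ImpersonatedAction) are mine; the Win32 constants and P/Invoke signatures are the documented advapi32/kernel32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not code from the original thread): run one block of code as
// another Windows account from ASP.NET (.NET Framework) via
// LogonUser -> DuplicateToken -> WindowsIdentity.Impersonate, then clean up.
public delegate void ImpersonatedAction();

public sealed class TempImpersonation
{
    // Logon types from winbase.h. NETWORK_CLEARTEXT keeps the password in the
    // new logon session, so code running under the token can authenticate to
    // remote resources (a share, SQL Server). LOGON32_LOGON_NETWORK (3) would
    // give a token that cannot, which is the single-hop situation again.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SECURITY_IMPERSONATION = 2;   // SECURITY_IMPERSONATION_LEVEL value

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr hToken, int impersonationLevel,
        out IntPtr hNewToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Runs 'action' on the current thread as domain\user, then restores the
    // worker-process identity. Requires the account's password; there is no
    // way to impersonate an arbitrary user from a name alone.
    public static void RunAs(string domain, string user, string password,
                             ImpersonatedAction action)
    {
        IntPtr token = IntPtr.Zero;
        IntPtr dupToken = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

            // LogonUser returns a primary token; Impersonate() needs an
            // impersonation token, hence the DuplicateToken step.
            if (!DuplicateToken(token, SECURITY_IMPERSONATION, out dupToken))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");

            ctx = new WindowsIdentity(dupToken).Impersonate();
            action();
        }
        finally
        {
            // Undo first, then close handles, even if 'action' threw: a thread
            // left impersonating would serve the next request as that user.
            if (ctx != null) ctx.Undo();
            if (dupToken != IntPtr.Zero) CloseHandle(dupToken);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Usage from a page is a single call, e.g. TempImpersonation.RunAs("DOMAIN", "svc-reports", password, new ImpersonatedAction(ReadTheShare)); the impersonation covers only that thread for the duration of the callback, so the work inside it has to stay synchronous. Two caveats worth knowing: on Windows 2000 LogonUser needs the "Act as part of the operating system" privilege (SeTcbPrivilege) in the calling process, which Windows XP and Server 2003 no longer require; and whether you use this helper or the <identity> element, the password ends up in plain text somewhere unless you protect it (in ASP.NET 1.1, aspnet_setreg.exe moves the <identity> credentials into an encrypted registry key).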
 