Home Browse Net

Browse Topics

	BSD (4)
	DATABASE (11)
	DEVELOPMENT (40)
	LINUX (54)
	NETWORQMEDIA (11)
	OTHER (1)
	PERSONAL (5)
	WINDOWS (37)

Topic Contributors

mreschke

Matthew Reschke

Site Developer

Created: Feb 29th, 2008

Updated: Nov 27th, 2010

Topic Organization

	DEVELOPMENT (40)
	WINDOWS (37)
	.net (14)
	asp.net (7)
	c.net (1)

Impersonate entire website with web.config[-][- -][++]

Script Snippet


<%
<identity> Web.config section

The <identity> Web.config section defines what identity (Windows
account) to use when accessing the ASP.NET application. Here is the
generic syntax of the <identity> section of the Web.config:

<identity impersonate="true|false" userName="username" password="password"/>  

By default the ASPNET Windows account is used to access ASP.NET
resources through the Aspnet_wp.exe process. This account is less
powerful, compared to the IUSR_ machinename guest Internet account used
by classic ASP for example. In certain situations you might want to use
the anonymous IUSR_ machinename account, as the account accessing your
ASP.NET application and you can do that by using the following code in
your Web.config file:

<system.web>
  <identity impersonate="true" />
</system.web>  

In this case we use impersonation. In short impersonation is the act of
ASP.NET executing code in the context of an authenticated client
(Windows account).

If you want you can specify a particular account Windows account to be
used instead of the ASPNET Windows account. You can do it like this: 

<system.web>
  <identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

Impersonate in the Code Behind (ASP.NET)[-][- -][++]

Imports[-][- -][++]

Code Snippet

Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web.Security

Script[-][- -][++]

Script Snippet


<%
    Public LOGON32_LOGON_INTERACTIVE As Integer = 2
    Public LOGON32_PROVIDER_DEFAULT As Integer = 0

    Public impersonationContext As WindowsImpersonationContext

    Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpszUsername As String, _
                            ByVal lpszDomain As String, _
                            ByVal lpszPassword As String, _
                            ByVal dwLogonType As Integer, _
                            ByVal dwLogonProvider As Integer, _
                            ByRef phToken As IntPtr) As Integer

    Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
                            ByVal ExistingTokenHandle As IntPtr, _
                            ByVal ImpersonationLevel As Integer, _
                            ByRef DuplicateTokenHandle As IntPtr) As Integer

    Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long
    Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Long

    Public Sub New()

    End Sub

    Public Function impersonateValidUser(ByVal userName As String, _
  ByVal domain As String, ByVal password As String) As Boolean

        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Dim tokenDuplicate As IntPtr = IntPtr.Zero
        impersonateValidUser = False

        If RevertToSelf() Then
            If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
                If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                    tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                    impersonationContext = tempWindowsIdentity.Impersonate()
                    If Not impersonationContext Is Nothing Then
                        impersonateValidUser = True
                    End If
                End If
            End If
        End If
        If Not tokenDuplicate.Equals(IntPtr.Zero) Then
            CloseHandle(tokenDuplicate)
        End If
        If Not token.Equals(IntPtr.Zero) Then
            CloseHandle(token)
        End If
    End Function

    Public Sub undoImpersonation()
        impersonationContext.Undo()
    End Sub
End Class

Impersonate in the Code Behind (C++.NET)[-][- -][++]

Imports[-][- -][++]

Code Snippet

using System.Runtime.InteropServices;
using System.Security.Principal;

Script[-][- -][++]

Script Snippet


<%
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;

        WindowsImpersonationContext impersonationContext; 

        [DllImport("advapi32.dll")]
        public static extern int LogonUserA(String lpszUserName, 
            String lpszDomain,
            String lpszPassword,
            int dwLogonType, 
            int dwLogonProvider,
            ref IntPtr phToken);
        [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern int DuplicateToken(IntPtr hToken, 
            int impersonationLevel,  
            ref IntPtr hNewToken);
                          
        [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
        public static extern  bool CloseHandle(IntPtr handle);

        private bool impersonateValidUser(String userName, String domain, String password)
        {
            WindowsIdentity tempWindowsIdentity;
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            if(RevertToSelf())
            {
                if(LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, 
                    LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                {
                    if(DuplicateToken(token, 2, ref tokenDuplicate) != 0) 
                    {
                        tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                        impersonationContext = tempWindowsIdentity.Impersonate();
                        if (impersonationContext != null)
                        {
                            CloseHandle(token);
                            CloseHandle(tokenDuplicate);
                            return true;
                        }
                    }
                } 
            }
            if(token!= IntPtr.Zero)
                CloseHandle(token);
            if(tokenDuplicate!=IntPtr.Zero)
                CloseHandle(tokenDuplicate);
            return false;
        }

        private void undoImpersonation()
        {
            impersonationContext.Undo();
        }

Calling Impersonate[-][- -][++]

Code Snippet

Whatever chunk you want to impersonate, just use

if(impersonateValidUser("administrator", "dyna-web2", "password"))
{
    //do stuff with impersonated users here
}
undoImpersonation();

networqmedia presents mReschke.com powered by the all new mrcore4