asp.net - Impersonate using Forms Authentication


I have an ASP.NET site that must use Forms authentication, not Windows authentication, to access the ActiveDirectoryMembershipProvider. The site must use Forms because it needs a designed input form instead of the browser authentication popup that Windows authentication uses.

The site needs to impersonate the user logged in via Active Directory to access user-specific files.

However, WindowsIdentity.GetCurrent() is not the same as HttpContext.Current.User.Identity, although web.config contains:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" timeout="480"/>
</authentication>
<identity impersonate="true" />

I cannot use LoginUser() and WindowsIdentity.Impersonate() because I need to impersonate the AD user's specific permissions, and I don't know the user's password because Forms takes care of logging in.

Is it possible, maybe in Login.aspx.cs, to take System.Web.UI.WebControls.Login.Password and save the LoginUser() token in a Session variable for WindowsIdentity.Impersonate() later? Or maybe there is a more secure method of impersonating the right way?

I'm confused why Forms authentication can't automatically handle <identity impersonate="true" />.

I've read http://msdn.microsoft.com/en-us/library/ms998351.aspx but it uses Windows authentication.

Impersonating a user using Forms authentication can be done. The following code does work.

The Visual Studio Magazine article Robert referred to is an excellent resource. There are issues with the example code in the article, so I've included working code below.

Note: if using Visual Studio, make sure to launch it with "Run as administrator" to avoid problems with UAC blocking impersonation.

// Namespaces needed by the snippets below:
//   using System; using System.Runtime.InteropServices; using System.Security.Principal;
//   using System.Threading; using System.Web; using System.Web.UI.WebControls; using System.Data.SqlClient;

// In the login page (hook the Login control's OnAuthenticate event)
protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
{
    IntPtr token;   // a logon token is a handle, so marshal it as IntPtr (correct on 32- and 64-bit)
    // Replace "yourdomain" with your actual domain name
    e.Authenticated = LogonUser(LoginUser.UserName, "yourdomain", LoginUser.Password, 8, 0, out token);
    if (e.Authenticated)
    {
        Session.Add("principal", new WindowsPrincipal(new WindowsIdentity(token)));
    }
}

// P/Invoke signature; 8 = LOGON32_LOGON_NETWORK_CLEARTEXT, 0 = LOGON32_PROVIDER_DEFAULT
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

// In Global.asax.cs: swap the Forms principal for the Windows principal and start impersonating
void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    if (Thread.CurrentPrincipal.Identity.IsAuthenticated && HttpContext.Current.Session != null)
    {
        WindowsPrincipal windowsPrincipal = Session["principal"] as WindowsPrincipal;
        if (windowsPrincipal == null)
        {
            return;   // session expired or user never logged on through this page
        }
        Session["principal"] = (GenericPrincipal)Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = windowsPrincipal;
        HttpContext.Current.User = windowsPrincipal;
        HttpContext.Current.Items["identity"] = ((WindowsIdentity)windowsPrincipal.Identity).Impersonate();
    }
}

// In Global.asax.cs: undo the impersonation and restore the Forms principal
void Application_PostRequestHandlerExecute(object sender, EventArgs e)
{
    if (HttpContext.Current.Session != null && (Session["principal"] as GenericPrincipal) != null)
    {
        GenericPrincipal genericPrincipal = (GenericPrincipal)Session["principal"];
        Session["principal"] = (WindowsPrincipal)Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = genericPrincipal;
        HttpContext.Current.User = genericPrincipal;
        ((WindowsImpersonationContext)HttpContext.Current.Items["identity"]).Undo();
    }
}

// To test that impersonation is working (add an asp:Label named Label1 to a test page)
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        // Replace yourserver and yourdb with your actual server and database names
        string connString = "Data Source=yourserver;Initial Catalog=yourdb;Integrated Security=true";
        using (SqlConnection conn = new SqlConnection(connString))
        {
            conn.Open();
            SqlCommand cmd = new SqlCommand("SELECT SUSER_NAME()", conn);
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                rdr.Read();
                Label1.Text = "SUSER_NAME() = " + rdr.GetString(0);
            }
        }
    }
    catch (Exception ex)
    {
        // Show the failure instead of silently swallowing it
        Label1.Text = "Connection failed: " + ex.Message;
    }
}

Update:

You should also handle Application_EndRequest, because calls to Response.End() bypass Application_PostRequestHandlerExecute.

Another issue is that the WindowsIdentity may be garbage collected, so you should create a new WindowsIdentity and WindowsPrincipal from the logon token on every request.

Update 2:

I'm not sure why this is getting downvoted, because it works. I've added the P/Invoke signature and test code. Again, launch Visual Studio using "Run as administrator". Google how if you don't know how.
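A version of the approach above that applies both points from the updates, as an added example that is not part of the original answer or the article it cites: the Login control handler keeps only the logon token in Session, Global.asax builds a fresh WindowsIdentity from that token on every request and undoes the impersonation in Application_EndRequest (which still runs after Response.End()), and Session_End closes the token handle so it does not leak. The control ID LoginUser, the session and context key names, the class names and the "yourdomain" placeholder are this example's own assumptions, and it targets .NET Framework 4.5 or later (WindowsIdentity is IDisposable there).

```csharp
// Added example (not the original answer's code). Login.aspx.cs and Global.asax.cs
// parts are shown together in one file for readability.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class NativeMethods
{
    public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;   // same logon type the answer uses
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool CloseHandle(IntPtr hObject);
}

public static class ImpersonationKeys
{
    public const string Token = "LogonToken";               // Session key (assumed name)
    public const string Context = "ImpersonationContext";   // HttpContext.Items key (assumed name)
    public const string Identity = "ImpersonatedIdentity";  // HttpContext.Items key (assumed name)
}

// ---- Login.aspx.cs: OnAuthenticate handler of a Login control with ID="LoginUser" (assumed) ----
public partial class LoginPage : Page
{
    protected Login LoginUser;   // normally declared by the designer file

    protected void LoginUser_Authenticate(object sender, AuthenticateEventArgs e)
    {
        IntPtr token;
        e.Authenticated = NativeMethods.LogonUser(LoginUser.UserName, "yourdomain", LoginUser.Password,
            NativeMethods.LOGON32_LOGON_NETWORK_CLEARTEXT, NativeMethods.LOGON32_PROVIDER_DEFAULT, out token);
        if (!e.Authenticated) return;

        // Keep only the raw token. An IntPtr in Session is only meaningful with InProc session
        // state: the handle belongs to this worker process and is useless after serialization.
        object previous = Session[ImpersonationKeys.Token];
        if (previous is IntPtr) NativeMethods.CloseHandle((IntPtr)previous);   // re-login: release the old token
        Session[ImpersonationKeys.Token] = token;
    }
}

// ---- Global.asax.cs ----
public class Global : HttpApplication
{
    void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null || !ctx.User.Identity.IsAuthenticated) return;
        object stored = ctx.Session[ImpersonationKeys.Token];
        if (!(stored is IntPtr)) return;   // session expired, or the user was never logged on here

        // Build a fresh identity from the token on every request instead of caching a
        // WindowsIdentity in Session, which may be finalized between requests.
        WindowsIdentity identity = new WindowsIdentity((IntPtr)stored);
        ctx.Items[ImpersonationKeys.Identity] = identity;
        ctx.Items[ImpersonationKeys.Context] = identity.Impersonate();

        // The Forms principal need not be saved and restored: FormsAuthenticationModule
        // recreates it during AuthenticateRequest on the next request anyway.
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        ctx.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    // EndRequest runs even when Response.End() short-circuits PostRequestHandlerExecute,
    // so the worker thread never finishes a request still impersonating the user.
    void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        WindowsImpersonationContext impersonation = ctx.Items[ImpersonationKeys.Context] as WindowsImpersonationContext;
        if (impersonation != null)
        {
            impersonation.Undo();
            impersonation.Dispose();
        }
        WindowsIdentity identity = ctx.Items[ImpersonationKeys.Identity] as WindowsIdentity;
        if (identity != null) identity.Dispose();
    }

    // Session_End only fires for InProc session state; it releases the logon token.
    void Session_End(object sender, EventArgs e)
    {
        object stored = Session[ImpersonationKeys.Token];
        if (stored is IntPtr) NativeMethods.CloseHandle((IntPtr)stored);
    }
}
```

Because the stored token is equivalent to the user's credentials for the lifetime of the session, keep session state InProc, keep the session timeout as short as the application allows, and make sure the EndRequest cleanup runs on every code path; the per-request WindowsIdentity also means the test page's SUSER_NAME() query should show the logged-in AD user on every request rather than only the first.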

