Web service Impersonation?


Frank Wisniewski

When I set up impersonation in the web.config file and specify a user and
password I get strange results. This line of code will get me the user
account I set to impersonate:
System.Security.Principal.WindowsIdentity.GetCurrent().Name

This line of code will get me my user account every time:

System.Threading.Thread.CurrentPrincipal.Identity.Name

What's the difference? Shouldn't they both be the user I am trying to
impersonate?

Thanks


Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @ h o t m a i l . c o m
 
Frank,

No, they should not. When you impersonate through the WindowsIdentity
object, it does not change the current principal on the thread. The reason
for this is that you can have different implementations of IPrincipal which
don't necessarily map to windows users and groups. To that end, having
WindowsIdentity change the current thread's principal would be wrong.

Hope this helps.
 
Thanks Nicholas,

But how do you know which Principal is being used by your code? Let's say I
have a routine that writes a file to the local directory, how do I ensure
that code is using my impersonated user's rights?

--
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @ h o t m a i l . c o m
 
Frank,

The code will use the rights of whomever the thread is currently running
under. If you always want to base this on the Windows identity, you can
call the static GetCurrent method on the WindowsIdentity type, passing true
for the ifImpersonating parameter.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
ASP.NET separates the thread identity from the authenticated user identity.
When the user is authenticated (not anonymous), you have three options:

1) the thread runs as the asp.net account (default)
2) the thread impersonates the authentication account (must use windows
authentication). set impersonate=true in web config
3) the thread impersonates the account specified in the web config.

You picked the third option, so the CurrentPrincipal is the authenticated
account and WindowsIdentity is the thread identity.

Note: CurrentPrincipal is a WindowsIdentity only if Windows authentication is
used.

-- bruce (sqlwork.com)
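
One way to check which account a local file write will actually run under, as an added example that is not code from any poster in this thread. The class and method names are hypothetical, the expected account name is supplied by the caller, and it assumes ASP.NET on .NET Framework with `<identity impersonate="true" userName="..." password="..." />` in web.config.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;

// Added example: hypothetical helper, not part of ASP.NET or the thread.
public static class ImpersonationCheck
{
    // Reports the two identities the thread discusses, side by side.
    public static string Describe()
    {
        // GetCurrent() is the token Windows uses for access checks:
        // the thread token when impersonating, otherwise the process token.
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        // GetCurrent(true) returns null when the thread is not impersonating.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            // The authenticated caller as seen by role-based security;
            // the OS does not consult it for file or network access.
            IPrincipal principal = Thread.CurrentPrincipal;
            string principalName = (principal == null || principal.Identity == null)
                ? "(none)" : principal.Identity.Name;
            return "Effective OS identity: " + effective.Name + Environment.NewLine
                 + "Impersonating: " + (threadToken != null) + Environment.NewLine
                 + "Thread.CurrentPrincipal: " + principalName;
        }
    }

    // Writes the file only if the thread is impersonating expectedAccount,
    // so a missing or wrong web.config setting fails closed instead of
    // silently writing with the worker process account.
    public static void WriteAsExpected(string expectedAccount, string path, string text)
    {
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            if (threadToken == null)
                throw new InvalidOperationException(
                    "Thread is not impersonating; the write would use the process account.");
            // An Identification-level token cannot be used to open resources.
            if (threadToken.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                throw new InvalidOperationException(
                    "Token level is " + threadToken.ImpersonationLevel + ".");
            if (!string.Equals(threadToken.Name, expectedAccount,
                               StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException(
                    "Impersonating " + threadToken.Name + ", expected " + expectedAccount + ".");
            File.WriteAllText(path, text); // access check uses the thread token
        }
    }
}
```

Logging the output of `Describe()` once per request while diagnosing makes a mismatch between the impersonated account and the authenticated caller visible without changing behaviour.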



 
I am running it from my local machine which is part of the domain, is that
what you are asking?
 
No, in order for impersonation to work, the server must be trusted for
delegation within Active Directory.
 