WindowsPrincipal and WindowsIdentity.

  • Thread starter Thread starter Kevin Burton
  • Start date Start date
K

Kevin Burton

This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users.
For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity.GetCurrent();
WindowsPrincipal wp = Thread.CurrentPrincipal as
WindowsPrincipal;
wi = wp.Identity as WindowsIdentity;
wi.Impersonate();

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name
of the machine) yet the WindowsIdentity returned from
CurrentPrincipal shows DOMAIN\kburton (DOMAIN is the name
of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database
and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and
CurrentPrincipal different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
(e-mail address removed)
 
asp.net broke out the authenication identity (who called this page -
Principle) from the security identity used by the thread servicing the page.
the default is for the page threads to run under the asp.net account.

you can achieve the same result without code by specifing in you web.config:

<identity impersonate="true" />

note: if the user hitting the site is is not logged on the local machine
(try hitting you site from another box) the Impersonated identity is not a
primmary token, so can not be used to access resources (say a sqlserver) on
another box.

-- bruce (sqlwork.com)
 
Thank you for your reply. It was most helpful.

One more question.

If I just have the <identitiy> token in the web.config I
still get an error:

WebException: 'The request failed with HTTP status 401:
Access Denied.'
Status: 'ProtocolError'
at
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadR
esponse(SoapClie
ntMessage message, WebResponse response, Stream
responseStream, Boolean asyncCal
l)

Unless before the Web Service call I add credentials as:

WService webService = new WService();
webService.Credentials =
CredentialCache.DefaultCredentials;

I don't quite understand the reason for this.

Kevin
 
More permission questions.

If I change IIS to allow anonymous login and I change the
<identity> token to the following:

<identity impersonate="true"
userName="domain\domainuser"
password="0123456"
/>

I get an HTML error:

<b> Parser Error Message: </b>Could not
create Windows user token fr
om the credentials specified in the config file. Error
from the operating system
'A required privilege is not held by the client.
'<br><br>

I have checked and the user name, domain, and password
are all correct. Do I need some extra permission just to
impersonate?

Thank you.

Kevin
 
Back
Top