impersonation in a sub thread


  1. #1

    impersonation in a sub thread

    When you create a new thread it inherits the original
    security context of the parent process.
    E.g. when a web application that is set to impersonate
    some domain account creates a new thread, the new thread
    runs as the original user (e.g. localmachine\ASPNET) not
    the user the application is impersonating.

    Does anyone know how to create a thread and make it
    impersonate the same user as the parent process is
    impersonating?

    I tried making the child thread explicitly impersonate
    the domain user, but it was not able/allowed to.

    Basically I am doing

    using System.Security.Principal;
    using System.Threading;

    // static, because it is shared between the two static methods below
    static WindowsIdentity _winID;

    public static void StartThread()
    {
        // runs as domain user set to impersonate in web.config
        // or IIS control
        _winID = WindowsIdentity.GetCurrent();
        Thread _thread = new Thread(new ThreadStart(DoWork));

        _thread.Start();
    }

    private static void DoWork()
    {
        // runs as localbox\ASPNET

        // fails with "Unable to impersonate user"
        _winID.Impersonate();

        // more code supposed to run as impersonated user
    }


    It succeeds when I set asp to run as SYSTEM (set
    <processModel userName="SYSTEM"> in machine.config).

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158

    indicates that the process would need the "act as part of
    the OS" privilege.
    After giving that privilege to ASPNET, impersonation
    still fails.

    Anybody know how I can get the subthread to execute as the
    same (impersonated) user as the web app? Additional
    privileges required for ASPNET? Is there a way to start
    the subthread off with the right user?

    Thanks
    Christian
    Christian Guest

  3. #2

    Re: impersonation in a sub thread

    Christian,

    I am quite aware of your pain with this issue. This is a problem for which
    I was unable to find a solution while working within the context of the web
    server (the ASPNET process).

    If you want to solve this issue quickly and with the desired effect, I would
    point you in the same direction some others on this group pointed me - COM+.
    A COM+ server runs outside the ASPNET context and can assume any identity
    you would like it to assume. It is very robust and has good security
    associated with it. I was able to solve in one day a problem I had been
    battling for more than a week by just taking my code out of the services
    application and creating a COM+ application.

    Charlie

    charlie Guest

  4. #3

    impersonation in a sub thread

    To answer my own question (and thanks for the com+
    suggestion):

    I didn't actually necessarily need a separate thread.
    An asynchronous method call worked just as well, and then
    the subthread (created by the .net framework to run the
    asynchronous call) IS able to impersonate.

    e.g.

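    using System.Security.Principal;

    public class MyClass
    {
        private delegate void MyDelegate(WindowsIdentity winID);

        public static void Start()
        {
            // capture the impersonated identity on the request thread and
            // hand it to the asynchronous call
            MyDelegate del = new MyDelegate(DBCleanup);
            del.BeginInvoke(WindowsIdentity.GetCurrent(), null, null);
        }

        private static void DBCleanup(WindowsIdentity winID)
        {
            WindowsImpersonationContext ctx = winID.Impersonate();
            try
            {
                // do stuff as impersonated user.
            }
            finally
            {
                // always revert, so the pool thread does not keep the identity
                if (ctx != null)
                    ctx.Undo();
            }
        }
    }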

    So somehow by calling it as a delegate I am able to create
    a thread that can impersonate an authenticated winID.
    But I still don't know how to do it if I were, for
    whatever reason, to create my own Thread. I don't need to
    right now, but would still like to find out just for
    future reference.
    Christian Guest
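
The pattern from the post above (capture the identity on the request thread, impersonate inside the worker, always revert) applied to a manually created thread. This is an added example, not code from the thread; it assumes .NET Framework 4.6 or later rather than the .NET 1.1 setup discussed here, and `ImpersonatedWorker`, `Start`, `work` and `onError` are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example: ImpersonatedWorker, Start, work and onError are hypothetical names.
public static class ImpersonatedWorker
{
    // Call on the request thread while impersonation is in effect.
    public static Thread Start(Action work, Action<Exception> onError)
    {
        // GetCurrent() returns a new WindowsIdentity for the calling thread's
        // token; the worker owns it from here on and disposes it.
        WindowsIdentity captured = WindowsIdentity.GetCurrent();

        Thread thread = new Thread(() =>
        {
            try
            {
                using (captured)
                {
                    WindowsIdentity.RunImpersonated(captured.AccessToken, () =>
                    {
                        // Fail closed: run the work only if this thread really
                        // carries the captured user.
                        using (WindowsIdentity now = WindowsIdentity.GetCurrent())
                        {
                            if (!object.Equals(now.User, captured.User))
                                throw new InvalidOperationException(
                                    "Thread is not running as " + captured.Name);
                        }
                        work();
                    });
                    // RunImpersonated has reverted the thread token here,
                    // including when work() threw.
                }
            }
            catch (Exception ex)
            {
                // An unhandled exception on a manual thread ends the process.
                onError(ex);
            }
        });
        thread.IsBackground = true;
        thread.Start();
        return thread;
    }
}
```

Comparing the user SID inside the callback keeps the work from silently running under the process account if the identity switch did not take effect.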

  5. #4

    Re: impersonation in a sub thread

    Maybe this article helps you:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

    maybe not :)



    news.microsoft.com Guest
