Impersonation of forms-authenticated Active Directory user


  1. #1

    Impersonation of forms-authenticated Active Directory user

    Hello all

    I wonder if the great and the good of this esteemed forum might shed
    some light on a problem of mine...

    Three servers in a domain: one Active Directory server, one SQL Server
    and one IIS. IIS hosts an ASP.NET Web Application which requires that
    users log on through a web form, are authenticated against their
    Active Directory account and then acquire the permissions on the SQL
    Server objects that their Active Directory group membership bestows.

    In the following code authentication through LDAP works and authTicket
    appears to be generated correctly. At this stage User.Identity is
    empty, but by loading the page a second time User.Identity contains
    the correct details. This is presumably as a result of reading the
    cookie, but how can I get the correct User.Identity from the
    authTicket without letting the cookie reader do it for me
    automagically?

    Anyway, even on the refresh when we have...

    User.Identity.Name=myuser
    User.Identity.IsAuthenticated=True
    User.Identity.AuthenticationType=Forms

    ...the code still fails on
    (System.Security.Principal.WindowsIdentity)User.Identity, producing
    'specified cast is invalid'. Is this because its authentication type
    is Forms? If so, and given that form based login is a requirement, how
    can I "Impersonate the Authenticating User in Code"?


    string adPath = "LDAP://ad1.mydomain.com/DC=mydomain,DC=com";
    // LdapAuthentication is the helper class from KB Q306158; it binds to AD with the supplied credentials.
    LdapAuthentication adAuth = new LdapAuthentication(adPath);
    if (adAuth.IsAuthenticated(txtDomainName.Text, txtUserName.Text, txtPassword.Text))
    {
        // Issue a forms ticket for the LDAP-validated user and hand it to the browser.
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
            1,                            // version
            txtUserName.Text,             // user name
            DateTime.Now,                 // issued
            DateTime.Now.AddMinutes(60),  // expires
            false,                        // not persistent
            "");                          // user data
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        Response.Cookies.Add(authCookie);

        // This is the line that throws 'specified cast is invalid': under Forms
        // authentication User.Identity is a FormsIdentity, not a WindowsIdentity.
        System.Security.Principal.WindowsImpersonationContext impersonationContext;
        impersonationContext =
            ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
    }

    As you may recognise, this code has been cribbed from
    [url]http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158[/url] and it
    may help diagnosis to know that the code from the "Impersonate a
    Specific User in Code" section is working fine, but presumably this
    approach would require me to carry the username and password around,
    in the session say, and re-authenticate on every page_load.

    Once the user has logged in I want every page to be executed in the
    context of their AD account, so perhaps there's some altogether
    better way of achieving this that I'm missing.

    Cheers,
    Mike.
    Mike Swift Guest

  3. #2

    Re: Impersonation of forms-authenticated Active Directory user

    This isn't going to work. You can't cast a FormsPrincipal to a
    WindowsPrincipal.

    In order to get a WindowsPrincipal, you must either use Windows auth in
    ASP.NET/IIS or explicitly call the LogonUser API with the user's credentials
    in order to create a token that you can then use to create a WindowsIdentity
    that you can impersonate. For the latter, the canonical example is here,
    but it can't be used easily on Win2K due to security restrictions:

    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true[/url]

    If you use Windows auth in ASP.NET, you will also need to be careful about
    impersonation and double hop issues.

    HTH,

    Joe K.

    "Mike Swift" <mikeswift@mailinator.com> wrote in message
    news:88fce4c8.0404280552.20fee3f6@posting.google.com...

    Joe Kaplan (MVP - ADSI) Guest
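The LogonUser route the reply above describes, written out as an added example (this is not code from the thread, from the Microsoft KB article or from the MSDN page linked above). It assumes the login page still holds the domain, user name and password the user just typed, that the ASP.NET process account is allowed to call LogonUser on this OS version, and that the class and method names (AdImpersonation, AdLogon, RunAs) are my own:

```csharp
// Added example: obtain a WindowsIdentity for a forms-authenticated user by
// calling the Win32 LogonUser API, then impersonate it for a bounded piece of work.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Work to run under the impersonated identity (own delegate so this compiles on .NET 1.1+).
public delegate void ImpersonatedWork();

// Holds the logon token for as long as the identity is in use and closes it on Dispose.
public sealed class AdLogon : IDisposable
{
    const int LOGON32_LOGON_INTERACTIVE = 2; // token carries credentials, so it can reach SQL Server on another box
    const int LOGON32_LOGON_NETWORK = 3;     // cheaper, but LogonUser caches no credentials: no second hop possible
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    IntPtr token = IntPtr.Zero;
    readonly WindowsIdentity identity;

    // Validates the credentials against the domain. A failed logon (bad password,
    // locked account, missing logon right) throws instead of returning null, so a
    // caller cannot silently continue as the process account.
    public AdLogon(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        identity = new WindowsIdentity(token);
    }

    public WindowsIdentity Identity { get { return identity; } }

    // Runs 'work' as the logged-on user and always reverts to the process identity,
    // even if 'work' throws: WindowsImpersonationContext.Dispose() calls Undo().
    public void RunAs(ImpersonatedWork work)
    {
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            work();
        }
    }

    public void Dispose()
    {
        if (token != IntPtr.Zero)
        {
            CloseHandle(token); // close only after the identity is no longer needed
            token = IntPtr.Zero;
        }
    }
}

// Usage sketch inside the login page, after LDAP validation succeeded:
//
// using (AdLogon logon = new AdLogon(txtDomainName.Text, txtUserName.Text, txtPassword.Text))
// {
//     logon.RunAs(delegate
//     {
//         // Open the SqlConnection with Integrated Security=SSPI here: the
//         // connection is made as the AD user, so the user's group-based SQL
//         // permissions apply.
//     });
// }
```

Two points worth keeping in view. The token only exists while the request that received the password is running, which is exactly the limitation the original post anticipates: to impersonate on later requests you would have to keep either the password or the token alive across requests, and neither belongs in session state. That is why the reply points at Windows authentication with delegation as the alternative when every page must hit SQL Server as the end user. Second, the logon type matters: LOGON32_LOGON_NETWORK is the cheap choice for simply validating a password, but the resulting token cannot authenticate to a remote SQL Server, so a "login worked but SQL access failed" symptom usually means the wrong logon type rather than a permissions problem.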

  4. #3

    Re: Impersonation of forms-authenticated Active Directory user

    I just wanted to find out why User.Identity is empty the first time.
    Are you populating User.Identity with a GenericPrincipal object the first time,
    just after validating from your login page?

    Av.

    "Mike Swift" <mikeswift@mailinator.com> wrote in message
    news:88fce4c8.0404280552.20fee3f6@posting.google.com...

    avnrao Guest
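The point raised in the reply above, and the original question of how to get User.Identity from the ticket on the first request, as an added example (not code from the thread or from Microsoft). It assumes .NET 2.0 or later for HttpCookie.HttpOnly, a site served over HTTPS, the default protection="All" on the forms element in web.config (so the ticket is both encrypted and MAC'd), and my own convention of carrying the user's AD group names in the ticket's UserData field; the class and method names are mine:

```csharp
// Added example: set Context.User from the freshly issued forms ticket on the
// login request itself, and rebuild it from the cookie on every later request.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class FormsTicketPrincipal
{
    // The principal every page will see as User: a FormsIdentity plus the roles
    // recorded at login. Roles are trusted only because the ticket is signed by the
    // machineKey; with protection="None" this would be client-controlled data.
    public static GenericPrincipal FromTicket(FormsAuthenticationTicket ticket)
    {
        string[] roles = ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Called from the login page once LDAP authentication has succeeded.
    // adGroups is whatever group list the LDAP lookup returned for the user.
    public static void Issue(HttpContext context, string userName, string[] adGroups)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(60),
            false, String.Join(",", adGroups));

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true; // keep script on the page away from the ticket
        cookie.Secure = true;   // assumes the application is only served over HTTPS
        context.Response.Cookies.Add(cookie);

        // The cookie is not read back until the next request, so set the principal
        // now: the rest of this request already sees IsAuthenticated == true and
        // AuthenticationType == "Forms", without waiting for a page reload.
        context.User = FromTicket(ticket);
    }

    // Wire this up in Global.asax:
    //   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    //   {
    //       FormsTicketPrincipal.Restore(Context);
    //   }
    public static void Restore(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            return; // anonymous request
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // undecryptable or tampered cookie: treat as anonymous, never as the claimed user
        }
        if (ticket == null || ticket.Expired)
        {
            return;
        }
        context.User = FromTicket(ticket);
    }
}
```

This gives every page a populated User with the AD group names available through User.IsInRole, which is enough for authorisation decisions inside the application. It does not give the page a Windows token, so SQL Server still sees the ASP.NET process account; group membership is also captured at login time and only refreshes when the ticket expires or the user logs in again. Those are the two gaps that push the thread towards LogonUser or Windows authentication when the SQL permissions themselves must follow the user.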
