Obtaining Application Pool Identity in Impersonation Mode

  1. #1

    Obtaining Application Pool Identity in Impersonation Mode

    I have an ASP.NET application running on IIS 6.0 that is configured to
    impersonate the identity of the user who is accessing the page. I am
    wanting to have code that runs as the identity of the application pool for
    which this website runs as. Is there a way to do this in code?


    Adam Roe Guest

  3. #2

    RE: Obtaining Application Pool Identity in Impersonation Mode

    Adam,

    You would normally impersonate only when you want to run code under a
    different identity than the application pool. Is there a specific need to
    impersonate in your application?

    Jim Cheshire, MCSE, MCSD [MSFT]
    ASP.NET
    Developer Support
    jamesche@online.microsoft.com

    This post is provided as-is with no warranties and confers no rights.

    Jim Cheshire [MSFT] Guest

  4. #3

    Re: Obtaining Application Pool Identity in Impersonation Mode

    The server control that I am building must run in Windows SharePoint
    Services, which requires impersonation. I am wanting to connect to a SQL
    Server DB using SSPI, and I was wanting to run the application pool as a
    domain user that has rights on the SQL Server database. I am starting to
    think that my approach might be wrong. Could you recommend a better way of
    doing this? Should I build a COM+ component to make the data call, or can I
    change the security context on just the thread while I am making the call?
    I haven't done a whole lot with .NET security, so any advice would be great.

    Thanks
    Adam Roe

    "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
    news:hXLxvNQ4DHA.1992@cpmsftngxa07.phx.gbl...
    > Adam,
    >
    > You would normally impersonate only when you want to run code under a
    > different identity than the application pool. Is there a specific need to
    > impersonate in your application?

    Adam Roe Guest

  5. #4

    Re: Obtaining Application Pool Identity in Impersonation Mode

    That said, if you really need to be able to do this, you should be able to
    strip off the impersonating token by calling the Windows API RevertToSelf
    via P/Invoke. If you need to go back to impersonating, you should hold onto
    the WindowsIdentity so you can create a new impersonation context.

    I also don't understand why you are impersonating if you need to not
    impersonate in your app, but perhaps there is a legitimate reason for doing
    this.

    Joe K.

    "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
    news:hXLxvNQ4DHA.1992@cpmsftngxa07.phx.gbl...
    > Adam,
    >
    > You would normally impersonate only when you want to run code under a
    > different identity than the application pool. Is there a specific need to
    > impersonate in your application?

    Joe Kaplan (MVP - ADSI) Guest

  6. #5

    Re: Obtaining Application Pool Identity in Impersonation Mode

    COM+ is probably the "right" way to do what you want. That allows you more
    fine-grained control over the account that is used to access SQL and
    decouples it from the ASP.NET worker process.

    However, you could probably use the trick I suggested in my other post to
    call RevertToSelf and then start impersonation again when you are done.
    That would require that you have unmanaged code execution permissions and
    sounds a lot like a hack that would be difficult to support. Hence the COM+
    suggestion.

    Remoting or Web Services would also give you another way to get into a
    different process context, but they should all be slower and thus not as
    desirable unless you want that additional functionality.

    Joe K.

    "Adam Roe" <roeadam@hotmail.com> wrote in message
    news:ehZ6gXQ4DHA.632@TK2MSFTNGP12.phx.gbl...
    > The server control that I am building must run in Windows SharePoint
    > Services, which requires impersonation. I am wanting to connect to a SQL
    > Server DB using SSPI, and I was wanting to run the application pool as a
    > domain user that has rights on the SQL Server database. I am starting to
    > think that my approach might be wrong. Could you recommend a better way of
    > doing this? Should I build a COM+ component to make the data call, or can I
    > change the security context on just the thread while I am making the call?
    > I haven't done a whole lot with .NET security, so any advice would be great.
    >
    > Thanks
    > Adam Roe

    Joe Kaplan (MVP - ADSI) Guest
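
The RevertToSelf approach described in posts #4 and #5, as an added example that is not part of the thread or any poster's code: it drops the impersonation token for one narrow block and always re-impersonates the saved caller afterwards. It assumes .NET Framework 2.0 or later (for `WindowsIdentity.GetCurrent(bool)`) and unmanaged code permission; `ProcessIdentityScope` and `AuditWriter` are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example; ProcessIdentityScope and AuditWriter are hypothetical names.
public sealed class ProcessIdentityScope : IDisposable
{
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool RevertToSelf();

    private WindowsIdentity _caller; // impersonated caller, kept for restore

    public ProcessIdentityScope()
    {
        // GetCurrent(true) returns null when the thread is not impersonating,
        // in which case the code already runs as the application pool account.
        _caller = WindowsIdentity.GetCurrent(true);
        if (_caller != null && !RevertToSelf())
        {
            _caller = null; // nothing was changed, so nothing to restore
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }

    public void Dispose()
    {
        if (_caller == null) return;
        // Put the caller's token back on the thread. If this throws, the
        // exception must propagate: continuing the request as the pool
        // account would silently widen what the remaining code can touch.
        _caller.Impersonate();
        _caller = null;
    }
}

public static class AuditWriter
{
    public static string RunAsPoolIdentity()
    {
        // Authorize the caller before entering: inside, code has the pool account's rights.
        using (new ProcessIdentityScope())
        {
            // Open the SSPI (Integrated Security) SQL connection here only.
            return WindowsIdentity.GetCurrent().Name; // pool account name
        }
    }
}
```

Keep the `using` block as small as the database call itself, since everything inside it runs with the pool account's rights regardless of which user made the request.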
