Who am I impersonating?


  1. #1

    Who am I impersonating?

    Is there a way I can get the user of the identity I will be
    impersonating to get network resources?

    I know WindowsIdentity.GetCurrent().Name for the person coming into
    the ASP.NET app but I want to do some testing of different
    combinations of impersonating based on Anon, Windows Auth, and
    impersonate = true in web.config. So I am looking for the identity
    that will be used for the ASP.NET app to go to a network resource.

    thanks,
    Gar
    Gary Bagen Guest

  3. #2

    Re: Who am I impersonating?

    If the question is, "can I impersonate the caller in such a way that I can
    access network resources as that caller", then:

    If you are using integrated Windows authentication at the IIS level, the
    answer is "no", unless:
    * You enable Kerberos delegation for the account and the machines involved
    in the delegation, or
    * Your web browser is on the same machine as the web server.

    If you are using Basic authentication at the IIS level, the answer is "yes"
    if Basic auth is configured to use "interactive" logon. This is the default
    for IIS5. (I'm blanking all of a sudden as to whether it is the default for
    IIS6, but I think it isn't.)

    -- Aaron

    "Gary Bagen" <garbage400@hotmail.com> wrote in message
    news:8b702e36.0402261607.41a8b185@posting.google.com...
    > Is there a way I can get the user of the identity I will be
    > impersonating to get network resources?
    >
    > I know WindowsIdentity.GetCurrent().Name for the person coming into
    > the ASP.NET app but I want to do some testing of different
    > combinations of impersonating based on Anon, Windows Auth, and
    > impersonate = true in web.config. So I am looking for the identity
    > that will be used for the ASP.NET app to go to a network resource.
    >
    > thanks,
    > Gar

    Aaron Margosis [MS] Guest

  4. #3

    Re: Who am I impersonating?

    Hi Aaron,

    I understand what you are describing, but I have done a poor job of
    asking the right question.

    For production, what we plan on doing is using the ProcessModel
    element of Machine.Config on the web servers to point to a registry
    location for username/password attributes which will use aspnetreg.exe
    for encryption.

    We want to test this out before making a final recommendation. So,
    with my ASP.NET temporary test app, I just wanted to display the name
    of the user the ASP.NET app will use to try and access network
    resources.

    Then I can show depending on how machine.config, web.config, IIS
    Anonymous and IIS Windows Authentication settings determine who will
    try and use network resources from the ASP.NET app. This is not
    something we will be doing in production.

    Thanks,
    Gar

    "Aaron Margosis [MS]" <aaron.margosis.ms@online.microsoft.com> wrote in message news:<#AwlUNQ$DHA.2012@TK2MSFTNGP11.phx.gbl>...
    > If the question is, "can I impersonate the caller in such a way that I can
    > access network resources as that caller", then:
    >
    > If you are using integrated Windows authentication at the IIS level, the
    > answer is "no", unless:
    > * You enable Kerberos delegation for the account and the machines involved
    > in the delegation, or
    > * Your web browser is on the same machine as the web server.
    >
    > If you are using Basic authentication at the IIS level, the answer is "yes"
    > if Basic auth is configured to use "interactive" logon. This is the default
    > for IIS5. (I'm blanking all of a sudden as to whether it is the default for
    > IIS6, but I think it isn't.)
    >
    > -- Aaron
    >
    > "Gary Bagen" <garbage400@hotmail.com> wrote in message
    > news:8b702e36.0402261607.41a8b185@posting.google.com...
    > > Is there a way I can get the user of the identity I will be
    > > impersonating to get network resources?
    > >
    > > I know WindowsIdentity.GetCurrent().Name for the person coming into
    > > the ASP.NET app but I want to do some testing of different
    > > combinations of impersonating based on Anon, Windows Auth, and
    > > impersonate = true in web.config. So I am looking for the identity
    > > that will be used for the ASP.NET app to go to a network resource.
    > >
    > > thanks,
    > > Gar
    Gary Bagen Guest
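
A diagnostic handler for the test described in post #3, as an added example that is not code from any poster in this thread. It reports the request user, the thread token that outbound Windows-authenticated calls run under, and the worker process account. It assumes .NET Framework 2.0 or later (for `WindowsIdentity.ImpersonationLevel`); the handler name `WhoAmIHandler` is hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic handler for a test site only (e.g. mapped as WhoAmI.ashx).
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        StringBuilder sb = new StringBuilder();

        // Identity IIS/ASP.NET authenticated for this request (empty name = anonymous).
        IIdentity user = context.User != null ? context.User.Identity : null;
        sb.AppendLine("Request user:     " + (user == null ? "(none)" :
            "'" + user.Name + "' via '" + user.AuthenticationType + "'"));

        // Token on the executing thread: with <identity impersonate="true" /> this is
        // the impersonated account, otherwise it is the worker process account.
        // Outbound Windows-authenticated calls are made under this token.
        AppendToken(sb, "Thread identity:  ", WindowsIdentity.GetCurrent());

        // Revert to the process token (equivalent to Win32 RevertToSelf) to show the
        // account configured for the worker process, then restore the thread token.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try { AppendToken(sb, "Process identity: ", WindowsIdentity.GetCurrent()); }
        finally { reverted.Undo(); }

        context.Response.ContentType = "text/plain";
        context.Response.Write(sb.ToString());
    }

    private static void AppendToken(StringBuilder sb, string label, WindowsIdentity id)
    {
        sb.AppendLine(label + id.Name);
        sb.AppendLine("  AuthenticationType: " + id.AuthenticationType);
        // Delegation = token may be forwarded to another machine (Kerberos delegation);
        // Impersonation = usable on this server, and whether it works over the network
        // depends on the logon type; None = primary (process) token.
        sb.AppendLine("  ImpersonationLevel: " + id.ImpersonationLevel);
        sb.AppendLine("  IsAnonymous:        " + id.IsAnonymous);
    }
}
```

Request it once per combination of IIS authentication mode, `impersonate` setting and process account, and compare the thread identity line across runs.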

  5. #4

    Re: Who am I impersonating?


    I've got a similar issue and I think I'm running into the same problem.
    I've got an ASPX Page on Server A. Web Service on Server B. I need to
    pass the Windows Credentials through Server A to Server B. I've set the
    Impersonate options, turned on Windows Auth. When I run IE from Server A
    everything works fine. Run it from anywhere else and I get Access
    Denied. Is this by design or am I doing something wrong?

    Thanks!
    Tim


    Tim Thacker Guest

  6. #5

    Re: Who am I impersonating?

    Tim,

    This is by design (as Aaron described). To summarize, in a typical situation
    (integrated authentication), you cannot pass users' credentials over one
    machine (i.e. from computer A (IE) through server B (ASPX) to server C (SQL
    Server/Web Service/etc)), unless you enable Kerberos/delegation on the
    network, which is generally not recommended for security reasons.

    Alek

    "Tim Thacker" <timthacker63@hotmail.com> wrote in message
    news:OptxOjX$DHA.624@TK2MSFTNGP11.phx.gbl...
    >
    > I've got a similar issue and I think I'm running into the same problem.
    > I've got an ASPX Page on Server A. Web Service on Server B. I need to
    > pass the Windows Credentials through Server A to Server B. I've set the
    > Impersonate options, turned on Windows Auth. When I run IE from Server A
    > everything works fine. Run it from anywhere else and I get Access
    > Denied. Is this by design or am I doing something wrong?
    >
    > Thanks!
    > Tim
    >
    >

    Alek Davis Guest
