Impersonate User in ASP.NET
Under Windows XP / Windows 2000, ASP.NET executes code in a process that runs under the context of the user called ASPNET. In Windows 2003 or above, the ASP.NET process runs under the context of the NETWORK SERVICE account. For most operations in ASP.NET, you can just set permissions on the NETWORK SERVICE account to manage more privileged operations such as writing a file to a secure directory.
But in some cases, you need to temporarily elevate permissions in ASP.NET to do some operation that requires rights that are only available in a more privileged account. There are several ways to do this. You could turn impersonation on in the Web.config file by setting impersonate="true" on the identity element, or you could specify in Web.config an account for ASP.NET to run under. But you can also do this in code.
The following example is a wrapper class that I created based on the code samples for impersonation that can be found here:
How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158
This class provides methods to impersonate ASP.NET under an account specified and remove impersonation.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Provides a simple wrapper class to impersonate a user for the context of the
// current process using this class, such as an ASP.NET application.
public class ImpersonateManager
{
    // Intended for users who will be interactively using the computer.
    public const int LOGON32_LOGON_INTERACTIVE = 2;

    // Use the standard logon provider for the system.
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    // Private members:
    // Holds windows impersonation context for this instance of the object. This
    // is also held here so we can undo impersonation by using this handle.
    private System.Security.Principal.WindowsImpersonationContext m_ImpersonationContext;

    // Attempts to log a user on to the local computer. The local computer is the
    // computer from which LogonUser was called. You cannot use LogonUser to log on
    // to a remote computer.
    // Additional documentation here:
    // http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx
    [DllImport("advapi32.dll")]
    public static extern int LogonUserA(String lpszUserName,
        String lpszDomain,
        String lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);

    // Creates a new access token that duplicates one already in existence.
    // Additional documentation here:
    // http://msdn.microsoft.com/en-us/library/aa446616(VS.85).aspx
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int DuplicateToken(IntPtr hToken,
        int impersonationLevel,
        ref IntPtr hNewToken);

    // Terminates the impersonation of a client application.
    // Additional documentation here:
    // http://msdn.microsoft.com/en-us/library/aa379317(VS.85).aspx
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    // Closes an open object handle.
    // Additional documentation here:
    // http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern bool CloseHandle(IntPtr handle);

    // Impersonates the user specified by sUserName, sDomain, and sPassword.
    public bool ImpersonateUser(String sUserName, String sDomain, String sPassword)
    {
        WindowsIdentity tempWindowsIdentity;
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;

        // Remove the current impersonation by calling RevertToSelf()
        if (RevertToSelf())
        {
            // If user successfully logs in, set up their impersonation.
            if (LogonUserA(sUserName,
                sDomain,
                sPassword,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                ref token) != 0)
            {
                // Make a copy of the token for the windows identity private member.
                // The value 2 is the SecurityImpersonation level.
                if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                {
                    // Set the private member for the current impersonation context.
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    m_ImpersonationContext = tempWindowsIdentity.Impersonate();
                    if (m_ImpersonationContext != null)
                    {
                        // Close handles to the tokens we just created.
                        CloseHandle(token);
                        CloseHandle(tokenDuplicate);
                        return true;
                    }
                }
            }
        }

        if (token != IntPtr.Zero)
        {
            // Close handle if we created it.
            CloseHandle(token);
        }
        if (tokenDuplicate != IntPtr.Zero)
        {
            // Close handle if we created it.
            CloseHandle(tokenDuplicate);
        }

        // Impersonation or login must have failed so return false.
        return false;
    }

    // Remove the current impersonation to revert the context back to
    // its default impersonation login.
    public void UndoImpersonation()
    {
        // Nothing to undo if ImpersonateUser was never called or it failed.
        if (m_ImpersonationContext != null)
        {
            m_ImpersonationContext.Undo();
            m_ImpersonationContext = null;
        }
    }
}
To use this class, you might do something like this:
// Create new instance of our new ImpersonateManager wrapper class.
ImpersonateManager impersonate = new ImpersonateManager();
if (impersonate.ImpersonateUser("MyUserName", "MyWindowsDomain", "MyPassword"))
{
    try
    {
        // do some more privileged operation here...
    }
    finally
    {
        // remove impersonation now, even if the operation above threw,
        // so the thread does not keep running as the other account.
        impersonate.UndoImpersonation();
    }
}
else
{
    // Failed to impersonate, most likely because the login information
    // provided was incorrect or unable to authenticate.
}
This class can be used in your ASP.NET applications to impersonate ASP.NET under a different account than the default NETWORK SERVICE or ASPNET user account.
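The same impersonation flow can be tied to a using block so the thread always reverts and a failed logon reports its Win32 error instead of a bare false. This is an added example, not code from the original article or from KB 306158; the class name ImpersonationScope and the WriteAs helper are hypothetical, and it assumes the .NET Framework (4.0 or later) on Windows.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical wrapper (not from the article): impersonation tied to a using block.
public sealed class ImpersonationScope : IDisposable
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private WindowsIdentity m_Identity;
    private WindowsImpersonationContext m_Context;

    public ImpersonationScope(string user, string domain, string password)
    {
        IntPtr token;
        // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT (as in the article).
        if (!LogonUser(user, domain, password, 2, 0, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // keep the failure reason
        try
        {
            m_Identity = new WindowsIdentity(token); // duplicates the token internally
            m_Context = m_Identity.Impersonate();
        }
        finally
        {
            CloseHandle(token); // our copy is no longer needed either way
        }
    }

    public void Dispose()
    {
        if (m_Context != null) { m_Context.Undo(); m_Context = null; }
        if (m_Identity != null) { m_Identity.Dispose(); m_Identity = null; }
    }

    // Usage: the thread reverts to the worker identity even if the write throws.
    public static void WriteAs(string user, string domain, string password, string path)
    {
        using (new ImpersonationScope(user, domain, password))
            File.WriteAllText(path, "written while impersonating");
    }
}
```

Pass the account name and password in from protected configuration rather than string literals, and give that account only the rights the wrapped operation needs.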

Life saver
thanks for the code. it helped a lot.
thx
thanks for the code. god bless you