Tehrik-e-Insaaf

Earn 600$ by Clicking on each Ad

GoWellUp.com

Monday, September 22, 2008

ASP.NET Impersonation

Another important security feature is the ability to control the identity under which code is executed. Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account.
This is contrary to the default behavior of ASP, which uses impersonation by default. In Internet Information Services (IIS) 6, the default identity is the NetworkService account.

Note Impersonation can significantly affect performance and scaling. It is generally more expensive to impersonate a client on a call than to make the call directly.

Using impersonation, ASP.NET applications can optionally execute the processing thread using the identity of the client on whose behalf they are operating. You usually use impersonation for resource access control. Delegation is a more powerful form of impersonation and makes it possible for the server process to access remote resources while acting as the client.
If you enable impersonation, ASP.NET can either impersonate the authenticated identity received from IIS or one specified in the application's Web.config file. You have the following three options when configuring impersonation:
  • Impersonation is disabled. This is the default setting. For backward compatibility with ASP, you must enable impersonation and change the ASP.NET process identity to use the Local System account. In this instance, the ASP.NET thread runs using the process token of the application worker process regardless of which combination of IIS and ASP.NET authentication is used. By default, the process identity of the application worker process is the ASPNET account.

  • Impersonation enabled. In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).

  • Impersonation enabled for a specific identity. In this instance, ASP.NET impersonates the token generated using an identity specified in the Web.config file. userName="domain\user"
    password="password" />

If the application resides on a UNC share, ASP.NET always impersonates the IIS UNC token to access that share unless a configured account is used. If you provide an explicitly configured account, ASP.NET uses that account in preference to the IIS UNC token.
You should exercise care when using impersonation because it makes it possible for an application to potentially process code using permissions not anticipated by the application designer. For example, if your application impersonates an authenticated intranet user, that application possesses administrative privileges when impersonating a user with those privileges. Likewise, if the impersonated user possesses more restrictive permissions than anticipated, the user may not be able to use the application.

2 comments:

Ahmad Sheikh said...

Its a good effort to teach dummy people about tech.

Shahid Riaz Bhatti said...

Hi,
This is a good article. But you didn't explain that why or how to use this feature.

Lets consider the following scenario:
You develop a web application that writes data to a file on a sever and you restrict access to the file to specific Windows users.
The web application runs and MachineName\ASPNET and you deny anonymous access to the application in IIS or in web.config using deny users="?"
Also you are using the windows authentication. Now you need to ensure that the application meets the following requirments.
(1) It must impersonate the user when it writes data to the file.
(2). It must run as Machinename\ASPNET when user does not access the file.

To accomplish the above task you need to do the following two things.
First of all disbale impersonation in web.config like this:
identity impersonate="false"

Now you will face difficulties in ur code segments where u are trying to write to some file. Why?
because u r using windows authentication and in IIS u stated thhat you dont want anonymous access to the application by putting this tag deny users="?"
So now MachineName\ASPNET user can not write data to file. Now our task is to Impersonate the MachineName\ASPNEt user, so that our application can write data to some file on the server. for that we need to write code some thing like this:

WindowsPrinciple wp = (WindowsPrinciple)HttpContext.Current.User;


WindowsIdentity wi = (WindowsIdentity)wp.Identity;

WindowsImpersonationContext wic = wi.Impersonate();

Access and write the data in file, because in the above code we have get the identity of MAchninename\ASPNET and impersonate it. After accessing the file and doing other stuff according to ur requirments we have to get back the Impersonation from MachineName\ASPNET user. for that just write this:



wic.Undo();


Have fun

Regards,
Shahid Riaz Bhatti