aspnet2securityfaq0063



Question: How do I use programmatic impersonation?

Answer:

There are two approaches to programmatic impersonation, and which one applies depends on the authentication mode your ASP.NET application uses. In both cases, first make sure ASP.NET's built-in (declarative) impersonation is disabled in web.config; otherwise the request thread is already impersonating before your code runs, and the explicit Impersonate/Undo calls below would be layered on top of that:
		 <configuration>
		   <system.web>
		     <identity impersonate="false" />
		   </system.web>
		 </configuration>
	
If your application uses Windows authentication, obtain the WindowsIdentity for the authenticated caller from HttpContext.Current.User.Identity and call its Impersonate method. Impersonation applies only to the current thread, so keep the impersonated region short and always revert it in a finally block; an exception that escapes without Undo leaves subsequent code on that thread running as the caller.

		 using System.Security.Principal;
		 using System.Web;
		 ...
		 // Only valid under Windows authentication: with Forms authentication
		 // User.Identity is a FormsIdentity and this cast throws.
		 WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
		 WindowsImpersonationContext ctx = null;
		 try
		 {
		     // Start impersonating the authenticated caller
		     ctx = winId.Impersonate();
		     // Now impersonating: access resources or perform operations
		     // in the caller's security context
		 }
		 finally
		 {
		     // Revert impersonation, even if an exception was thrown
		     if (ctx != null)
		         ctx.Undo();
		 }
		 // Back to running under the ASP.NET process identity
	

If your application uses a different authentication mechanism, such as Forms authentication, there is no Windows token for the caller, so you must create a WindowsIdentity for the caller yourself and then impersonate it. There are two options, depending on your deployment environment:
* Call the Win32 LogonUser API via P/Invoke. This requires the caller's user name and password, so in practice it is done at the point where the credentials are validated (the login handler), not later in the session.
* Use the WindowsIdentity constructor that takes the account's user principal name (UPN). No password is needed; the constructor relies on Kerberos protocol transition (S4U), which is available only on Windows Server 2003 or later and must also be supported by the domain. An example is shown below.
Important: For the UPN constructor to return an impersonation-level token, the process identity needs the "Act as part of the operating system" privilege (SeTcbPrivilege). Without it the constructor returns an identification-level token, which can be used to check the caller's identity and group membership but cannot be used to access resources as the caller.
Here is sample code for using the WindowsIdentity constructor:
		 using System.Security.Principal;
		 ...
		 // Obtain a token for the caller through the UPN-based WindowsIdentity
		 // constructor (Kerberos S4U); no password is required
		 WindowsIdentity winId = new WindowsIdentity("userName@fullyqualifieddomainName");
		 WindowsImpersonationContext ctx = null;
		 try
		 {
		     ctx = winId.Impersonate();
		     // Access resources using the identity of the impersonated user
		 }
		 finally
		 {
		     // Revert impersonation
		     if (ctx != null)
		         ctx.Undo();
		 }
	
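The LogonUser option is only named above, not shown. The following is an added example, not code from this FAQ or from the linked article, of how it is usually done: a helper that logs the user on with advapi32!LogonUser via P/Invoke, wraps the resulting token in a WindowsIdentity, runs a callback while impersonating, and releases both the impersonation context and the token even when the callback throws. The names ImpersonationHelper, RunAs and ImpersonatedAction, and the "CORP" domain in the usage comment, are assumptions made for this illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not the FAQ's own code): programmatic impersonation for a
// caller authenticated by Forms authentication, using the Win32 LogonUser API.
// ImpersonationHelper, RunAs and ImpersonatedAction are names chosen here.
public delegate T ImpersonatedAction<T>();

public static class ImpersonationHelper
{
    // Logon types: NETWORK yields a token suitable for impersonating on the
    // local machine; INTERACTIVE is needed only if the token must also be
    // used to reach remote resources on the caller's behalf.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Logs on as domain\user, runs action while impersonating that user,
    // then reverts and releases the token. The password is needed only for
    // the duration of this call; do not cache it in session state.
    public static T RunAs<T>(string domain, string user, string password,
                             ImpersonatedAction<T> action)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            bool ok = LogonUser(user, domain, password,
                                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                                out token);
            if (!ok)
            {
                // Nothing to close on failure; surface the Win32 error
                // (bad credentials, locked account, ...) to the caller.
                token = IntPtr.Zero;
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }

            // WindowsIdentity duplicates the token, so our own handle can be
            // closed in the outer finally whatever happens next.
            WindowsIdentity winId = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = null;
            try
            {
                ctx = winId.Impersonate();
                return action();
            }
            finally
            {
                // Always revert, even if action() threw
                if (ctx != null)
                    ctx.Undo();
            }
        }
        finally
        {
            if (token != IntPtr.Zero)
                CloseHandle(token);
        }
    }
}

// Usage, e.g. in a Forms authentication login handler once the user's
// credentials have been collected ("CORP", userName, password are placeholders):
//
//   string who = ImpersonationHelper.RunAs<string>("CORP", userName, password,
//       delegate { return WindowsIdentity.GetCurrent().Name; });
//
// Inside the callback WindowsIdentity.GetCurrent().Name is "CORP\userName";
// once RunAs returns, the thread is back under the ASP.NET process identity.
```

Two points to check before relying on this: LogonUser authenticates with a cleartext password, so it only fits the login step (never persist the password to call it later), and on Windows 2000 the process calling LogonUser itself needs SeTcbPrivilege, a requirement dropped in Windows XP and Windows Server 2003. As with the Windows authentication case, the impersonated region is confined to the current thread, so do not hand work off to other threads while impersonating and expect them to run as the caller.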

More information

For more information on using programmatic impersonation, see “How To: Use Impersonation and Delegation in ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000023.asp

