16 07 2009

I’ll talk of impersonation in the context of a web-application. A similar analogy may be drawn for a client side app too…

Basically, when you are running a web-site, it runs under IIS’s credentials (usually NT AUTHORITY\NETWORK SERVICE). Now this is a service account and is designed to have very limited privileges. Lets say you want to do something with higher privileges. Two possibilities

1. You want to temporarily run code as a different user on the current system (with the user existing on the current system)

2. You want to run as a different user whose account may not exist on the current system but luckily for you, you are on a domain.

Now, there are two broad ways to impersonate. In, you can mention impersonation in web.config and have the windows authenticated person automatically impersonated when he/she visits a page. But usually, if you have some SQL statements, the permissions may not be enough (hopefully they wont be! otherwise, anyone can meddle with your Database)…

So, the other way to impersonate is in code. There are lots of very simple examples on the web… ideally, it should take less than 4-5 lines of code to fully impersonate someone.  Now, you can impersonate with a User identity object that HttpContext contains. But in this case, when you try to access the person’s computer, you will still be recognized as Anonymous (you can check the target system’s event logs). To circumvent this, you will need the actual password of the person you are trying to impersonate. Use the WinApi LogonUser function. Remember, since you are on a domain, you can run LogonUser for a remote user on your system and the authentication will anyway happen at the LDAP server. So, LogonUser CAN be used for remote authentication. The access token that you get is then used to impersonate.

Doing it this way is better than a few other options. One is adding a network share. This is somewhat slow in my experience.

So, impersonate where ever needed. Its good and saves you a lot of time from worrying about privileges…




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: