Comments on Just geeks: Impersonating a user in ASP.NET when using Windows Authentication
Brent V
Updated: 2024-03-27T19:28:01.524-07:00


Andrew (2013-08-05T22:31:25.494-07:00):

Hi Jean-Alexandre,

I'm getting the exact same problem also. Did you find a solution to this?

I'm using Azman to control roles and have a feeling it's a permissions issue when trying to authenticate.

Thanks!


James (2013-05-09T03:51:19.892-07:00):

While using query-string-based impersonation, I found that impersonation was timing out in the middle of actions.

So made a small change to my implementation of HandleAuthenticationRequest:

    public void HandleAuthenticationRequest()
    {
        var roleManager = new RoleManager();

        if (roleManager.IsUserInRole(AuthenticatedUsername, _requiredRoleName))
        {
            ImpersonationInfo info = _ds.Retrieve(AuthenticatedUsername);
            if (info != null)
            {
                var impersonatedUsername = info.ImpersonatedUser;
                if (!string.IsNullOrEmpty(impersonatedUsername))
                {
                    GenericIdentity id = new GenericIdentity(impersonatedUsername);
                    GenericPrincipal p = new GenericPrincipal(id, roleManager.GetRolesForUser(impersonatedUsername));
                    HttpContext.Current.User = p;

                    //also, slide the Expiry time out again
                    info.Expires = DateTime.Now.Add(_expirationDuration);

                    // and re-persist of course
                    _ds.Store(AuthenticatedUsername, info);
                }
            }
        }
    }

This rolls on the expiration time to always be 20 minutes from last activity of the Authenticated user.


Anonymous (2013-04-17T07:29:09.464-07:00):

Still reading and looking to make this work.

So far all seems well using the buttons method, but once I hit the impersonate button it fails on this line:

    GenericPrincipal p = new GenericPrincipal(id, Roles.GetRolesForUser(impersonatedUsername));

Saying that

    Method is only supported if the user name parameter matches the user name in the current Windows Identity

Might be an overlook on my part somewhere... posting in case someone answers quicker than my troubleshooting :)


Anonymous (2013-04-09T03:11:05.039-07:00):

Great stuff - many thanks


Brent V (2010-12-16T15:21:21.287-07:00):

Hi Anonymous,

I have not had the problem you are experiencing. Let me know if you figure it out.

Brent


Anonymous (2010-11-21T08:55:31.012-07:00):

Brent,

I'm having a problem with the unimpersonate methods. When it tries to get the ImpersonatedUsernameInternal, it doesn't find it because the ds.Retrieve passes the impersonated user's name rather than the original AuthenticatedUsername, because now HttpContext.Current.User.Identity.Name is the impersonated user's identity. And since the ds.Store() saved the original AuthenticatedUsername, the impersonated user isn't found in the ds. Therefore, after I have impersonated, the code doesn't think I'm impersonating anymore and I can't tell it to unimpersonate because it doesn't find the current user in the ds. Please help.

    private string ImpersonatedUsernameInternal
    {
        get
        {
            ImpersonationInfo info = ds.Retrieve(AuthenticatedUsername);
            if (info == null) return null;
            else return info.ImpersonatedUser;
        }

        set
        {
            ImpersonationInfo info = new ImpersonationInfo();
            info.AuthenticatedUsername = AuthenticatedUsername;
            info.ImpersonatedUser = value;

            // slide the expiration window out from the current date time.
            info.Expires = DateTime.Now.Add(expirationDuration);

            ds.Store(AuthenticatedUsername, info);
        }
    }

Thanks,

David


Brent V (2010-11-18T09:57:14.368-07:00):

Hi Doug,

I think I see where the confusion is. Just to clarify, you don't actually have to put anything on the page or page load event. Not sure if you were trying to do that.

Once you have your Global.asax.vb file configured as it appears you have, you should just have to do something like this in the URL:

http://myhost/myapp/mypage.aspx?ImpersonatedUser=myusernamehere

To unimpersonate you can let the time expire or do:

http://myhost/myapp/mypage.aspx?UnImpersonate=Y

The Y doesn't really matter. I am just looking for the variable in the query string.

FYI, while this works, I found that using the other option described is a bit easier to use and more flexible. In this scenario, you have a page that is accessible only to admin user(s) that give you an impersonate or unimpersonate button. The choice is yours.

Does that help?

Brent


Anonymous (2010-11-17T13:24:46.712-07:00):

Brent,

I'm in need of a bit of clarification. I've created a class using your code and updated my global.asax's Application_AuthenticateRequest to the following:

--------------------------------
Dim i As New Impersonation()
i.ImpersonateBasedOnQueryStrings("ImpersonatedUser", "UnImpersonate")
i.HandleAuthenticationRequest()
--------------------------------

The function fires on each page load, but how do I get the credentials from the querystring to here?

For the ImpersonateBasedOnQueryStrings function, should I be replacing "impersonateUser" with something like "Request.Querystring("test")"?

Also, do I just provide a Y or N for the "UnImpersonate" parameter?

Thanks,
Doug


Brent V (2010-08-06T09:23:35.849-07:00):

Hi Sven,

I don't think what you have is right. That if statement is to prevent users that are NOT in the "Admin" role (or whatever role you specify) from impersonating other users. By changing it to your lines you are actually checking if the user you are impersonating has rights to impersonate. I don't think that is what you want, but you may be using this in a different way than I imagine.

By default the code only allows users that are in the role "Admin" to use the impersonation functionality. You can change that to use Legal Admin or anything else if you like. The roles of the users that you are impersonating should not matter from an impersonation standpoint. I can't see how spaces in a role of a user you are impersonating would make a difference since I am just copying them.

I may be not understanding how you have it set up, but here is how I have used this.

*** User A ***
Username: userA
Roles: Admin, Registered User

*** User B ***
Username: userB
Roles: Registered User

Let's assume I am logged into my Windows machine as User A. When the Authentication method is encountered in my ASP.NET web application it looks at User A's credentials. If it is in the "Admin" role then it proceeds to impersonate User B (assuming that is who I specified that I wanted to impersonate). After the impersonation, my Identity is now that of User B, not A. Now if you use something like Page.User you will get User B's info. The next time a page loads, the authentication method is called. Once again I show as User A. It checks to see if I am impersonating a user. If I am, it creates that User B identity again. Once again Page.User will be User B's info. This happens for every request.

The change you implemented will require User B to be in the "Admin" role, which makes no sense.

I am not clear if you change the role required to impersonate from "Admin" to "Legal Admin" or if (using my example) User B is in the "Legal Admin" role.

I hope that clears it up a bit.


Sven (2010-08-06T08:18:55.329-07:00):

Brent....another quick question for you. Ran into an issue today trying to impersonate a user that had a role that was defined with two words. Impersonating the user with a role of "Admin" was fine. But trying "Legal Admin" caused it to not work.

I changed the overloaded method:

    public void Impersonate(string impersonatedUsername)
    {
        if (Roles.IsUserInRole(requiredRoleName))
        {
            ImpersonatedUsernameInternal = impersonatedUsername;
        }
    }

to this:

    public void Impersonate(string impersonatedUsername)
    {
        if (Roles.IsUserInRole(impersonatedUsername, requiredRoleName))
        {
            ImpersonatedUsernameInternal = impersonatedUsername;
        }
    }

and now everything appears to work smoothly. I am still pretty new to all this roles and permissions stuff so I am not 100% sure why this is so. Thanks again.


Brent V (2010-08-04T22:31:15.594-07:00):

Hi Sven,

I'm so glad you found it useful. You are right. Copy and Paste bug. :) I guess I have always set a value for that so it wasn't an issue by luck. I have updated the posting.

Thank you so much for the correction.

Brent


Sven (2010-08-04T07:17:24.869-07:00):

This has been a lifesaver. One question concerning the variable (configFileRequiredRoleName). Shouldn't this:

    // if the web.config does not have a default value specified,
    // then use our own default.
    string configFileRequiredRoleName = ConfigurationManager.AppSettings["Impersonation-RequiredRoleName"];
    if (!string.IsNullOrEmpty(configFileExpirationDuration))
    {
        this.requiredRoleName = configFileRequiredRoleName;
    }
    else
    {
        // default role to Admin
        this.requiredRoleName = "Admin";
    }

ACTUALLY BE THIS:

    // if the web.config does not have a default value specified,
    // then use our own default.
    string configFileRequiredRoleName = ConfigurationManager.AppSettings["Impersonation-RequiredRoleName"];
    if (!string.IsNullOrEmpty(configFileRequiredRoleName))
    {
        this.requiredRoleName = configFileRequiredRoleName;
    }
    else
    {
        // default role to Admin
        this.requiredRoleName = "Admin";
    }