Impersonating IUSR from code - asp.net

In IIS Manager, in Authentication - Anonymous Authentication I have Anonymous user identity set as IUSR.
Now if I put this into web.config:
<identity impersonate="true"/>
then System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITY\IUSR.
but if I remove
<identity impersonate="true"/>
how can I impersonate the IUSR from code? I tried to use SimpleImpersonation to do it but then I need the password of IUSR. I found a way to get it using obsolete adsutil.vbs but I don't have it on Windows 8.1 / IIS 8.5.
This question is theoretical, I don't have a need for impersonating IUSR but I find the fact that IIS does it interesting.

IUSR is built in now and does not have a password (more info).
IIS, as a service, has the rights to obtain an IUSR impersonation token -- see the example on LogonUser.
There is an IIS API that provides the token handle, which the ASP.NET runtime uses.
I believe this may be the relevant code from the reference sources.
As for the actual question, I don't know how anyone can legally impersonate IUSR, sorry.
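An added example (not code from the original posts) of the token route the answer refers to: ASP.NET exposes the logon token IIS created for the request as `Request.LogonUserIdentity`, and code can impersonate it for a scoped block without knowing any password (with only anonymous authentication enabled, that token is IUSR). It assumes a .NET Framework site with System.Web; `IdentityProbeHandler` is a hypothetical handler name that would be registered in web.config.

```csharp
// Added example, not from the original posts. Reports the identities discussed in this
// thread and impersonates the IIS-supplied request token for a scoped block.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class IdentityProbeHandler : IHttpHandler   // hypothetical name
{
    public bool IsReusable { get { return true; } }

    // The identity Windows access checks (file, registry, network ACLs) see for the
    // calling thread: the thread token while impersonating, otherwise the process
    // token, i.e. the application pool identity.
    private static string EffectiveWindowsName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        resp.ContentType = "text/plain";

        // What the ASP.NET pipeline considers the caller (a GenericPrincipal under
        // Forms auth, a WindowsPrincipal under Windows or anonymous auth). This is
        // not what the operating system checks.
        resp.Write("HttpContext.User:          " + context.User.Identity.Name + "\n");
        resp.Write("Thread.CurrentPrincipal:   " + Thread.CurrentPrincipal.Identity.Name + "\n");

        // The logon token IIS created when it authenticated this request.
        WindowsIdentity iisToken = context.Request.LogonUserIdentity;
        resp.Write("Request.LogonUserIdentity: " + iisToken.Name + "\n");
        // Shown for comparison with the posts above, which disagree about its value.
        resp.Write("Environment.UserName:      " + Environment.UserName + "\n");

        resp.Write("Before impersonation:      " + EffectiveWindowsName() + "\n");

        // Impersonate only for the work that needs it. Disposing the context calls
        // Undo() even if the work throws, so the impersonated token is never left on
        // a pool thread that will serve later requests.
        using (WindowsImpersonationContext ctx = iisToken.Impersonate())
        {
            resp.Write("Inside impersonation:      " + EffectiveWindowsName() + "\n");
            // ... file or network access that must run as the IIS-supplied user ...
        }

        resp.Write("After impersonation:       " + EffectiveWindowsName() + "\n");
    }
}
```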


Configuring ASP.NET Impersonation Authentication

I developed a web page on IIS that controls the PC volume (using the CSCore.CoreAudioAPI library).
I need the user to be logged in as the current user on the machine.
I tried to configure the web.config file to allow impersonated authentication, but I am still having trouble.
<system.web>
<identity impersonate="true"
userName="Domain\username"
password="XXXX" />
</system.web>
Thank you for your help.
You need to also enable Windows Authentication in order for this to work. Otherwise there's no mechanism to capture the user name.
However, I think the better approach is to create a custom application pool for your application and explicitly set the identity (Advanced Settings) to the user you want. Since the application pool hosts your application (i.e. it's the launching EXE), your application then runs under that account and, assuming it has full rights on the machine, it should be able to access the hardware to control the volume.
ASP.NET Impersonation is a legacy feature that was meant to be used with IIS 6 and older when IIS didn't have proper application isolation. With later versions Application Pools took over the hosting of applications and the user account impersonation with it.

Is it possible for windows authentication to not prompt the user for credentials?

I'm using IIS 7, currently deployed on a test machine running Windows 7 Professional.
The computer is logged into my company's domain. In the past (at another company) I was able to use integrated authentication in IIS 6 and it wouldn't prompt the user if they were using IE. It would just absorb their domain credentials.
However, that was initially set up by somebody else before I started. I'm doing this project from scratch, and I'm a software engineer without much IIS experience.
This is the relevant snippet from my web.config file:
<authentication mode="Windows" />
<identity impersonate="false" />
I'm also running the app pool in v4.0 integrated.
Any help would be appreciated. Thanks!
On IIS disable anonymous authentication and activate Windows auth:
- select your web application (or the root if your app is placed as the root app)
- select Authentication
- disable Anonymous Authentication
- enable Windows Authentication
Remember: for "automatic" login both your server and client must be in the same AD domain or in trusted domains.

Windows authentication for intranet site pages

I'm building an intranet web site (ASP.NET 3.5) which has Windows authentication. Two questions:
When the code behind makes a trusted connection to the SQL server, will it connect with app pool credentials or current page user credentials?
Right now, with a blank page, when the internal user (logged in to the domain) tries to hit the page they get challenged with windows login screen, and their credentials don't work.
Is there anything else I need to set up in web.config or IIS for Windows authentication to work, other than adding <authentication mode="Windows"/>?
You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
Source
You don't want to use impersonate as suggested by kd7, because then you will need to give your users rights on the database. That might be okay for SELECT operations, but I don't think your DBAs will go along with it if you also need UPDATE/DELETE operations. Already addressed by kd7.
When you enable "Windows" authentication, you need to not only configure your application to use it, but also configure IIS.
You also need to make sure that your AppPool user has the proper permissions on the file system for your site.
Depending on the IIS version, the procedure for enabling Windows authentication is different. You can google it.

ASP.NET impersonation problem (part 2)

This is a follow-on to a previous post about being unable to impersonate the currently logged-in Windows user. There were many good suggestions, but the previous thread was getting messy, so I am resetting with this post. Hopefully, with the current state documented below, it will be obvious what the issue is. This is a well-worn path, so I have to believe all I am missing is a little configuration step.
PROBLEM: I need to have ASP.NET impersonate the currently logged in user. When I run under IIS 7.5, it doesn't work. IIS Express works fine, but I believe that is because the debugging session is running under my user id.
I am using Environment.UserName to determine who this user is. There was a suggestion that this property always returns the logged-in user name, but from my testing it returns the impersonated user from IIS.
For example, if my web.config has…
<identity impersonate="true" />
When I run under IIS 7.5 with that setting, Environment.UserName returns IUSR. I believe this is the IIS anonymous user account.
If I change web.config to…
<identity impersonate="true" userName="domain\jlivermore" password="mypassword" />
… then Environment.UserName returns jlivermore. However, I need it to return jlivermore without me explicitly setting it in web.config.
Here are my IIS settings…
.NET Authorization Rules
Authentication
One question: if I disable Anonymous Authentication, then I am prompted to log in to the site. I thought that if you were logged in with an Active Directory account on a domain, this challenge wouldn't appear? Even if I enter my username/password into this prompt, I still don't get the impersonation to work.
Basic Settings
I'm not sure if you've found an answer, but if anyone is having problems with it, you will need the following in your web.config file:
<authentication mode="Windows"/>
<identity impersonate="true"/>
And in IIS you will need ASP.NET Impersonation enabled as well as Windows Authentication enabled; the others should be disabled. And in Windows Authentication, go to Advanced Settings and uncheck Enable Kernel-mode authentication. That should do it. Your site should now be set for Local Intranet apps, and any of the following will work:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
But using Environment.UserName will only return the server name. Hopefully this helps anyone struggling with this.
I had a similar problem to the one you describe. The basic crux of the matter is that there is a difference between impersonation and delegation. My simple understanding of this is that impersonation will work when the client and server are on the same machine. If, however, the client is on a different machine, you need delegation.
MSDN Reference
What is the difference between impersonation and delegation?
Impersonation flows the original caller's identity to back-end resources on the same computer.
Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.
Related SO questions
Impersonation in ASP.NET MVC
Starting a console application from asp.net using authenticated user credentials
Have you tried using HttpContext.Current.User.Identity.Name?

Forms Authentication overrides impersonation in IIS7

I have been searching all over the place for a solution to this.
I have an ASP.NET app which ran fine on IIS 6. On IIS 7.5 (Integrated pipeline) I am running into some problems. <identity impersonate="true" /> is set in the web.config as the app needs to access some resources under the IIS IUSR account. It works fine when a user isn't logged in (i.e. the app impersonates IUSR and accesses the resources fine).
As soon as you log on via Forms Authentication (backed by a DB), impersonation stops working and it reverts to the app pool user identity (which doesn't have access to the required resources; I have verified this with procmon). I understand this is probably a limitation of Forms Authentication in integrated mode.
Is there any workaround which would let me impersonate IUSR while still using Forms Authentication?