If I impersonate a user in the web.config but the application runs under an application pool which uses another identity, which identity would be used when you access resources (say files) on the server?
Another question, can you run a page under a separate identity from rest of the application?
When you access resources on the server the user will be the one specified on the impersonation configuration NOT the one on the application pool
Impersonation enabled for a specific identity. In this instance, ASP.NET impersonates the token generated using an identity specified in the Web.config file.
<identity impersonate="true"
userName="domain\user"
password="password" />
Impersonation enabled. In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account.
<identity impersonate="true" />
Source: MSDN
In case you're interested, here you have an article with a Identity matrix for different impersonate scenarios.
And yes, you can impersonate programatically as Alex Dn said
1) In web.config.
2) You can do impersonation in code behind:
http://support.microsoft.com/kb/306158
or Another article
Related
I have implemented SignalR in my ASP.NET WebForms application and am successfully connecting to the hub. However, when a call is made to the database (SQL Server) I get Login failed for user 'MY_DOMAIN\MY_PC_NAME'. Note that the user being failed is the PC name and not the user I am impersonating (see below).
My Web.Config is set to impersonate a user who does have access to the database and this works for all calls made to the database that are not via SignalR processes.
IIS is set to use Windows Authentication for the application (and also has ASP.NET Impersonation enabled).
During debug of the SignalR process, the Context.User.Identity is the user that is authenticated in the browser session.
Is there a way to ensure that the impersonated user in the Web.Config is honored by SignalR when making SQL calls?
For reference:
Impersonate Tag in Web.Config: <identity impersonate="true" userName="MY_DOMAIN\MY_USER" password="MY_PASSWORD" />
Connection String in Web.Config: <add name="SiteDatabase" connectionString="Server=SERVER_NAME; Database=DATABASE_NAME; Integrated Security=SSPI" />
I changed the AppPool identity in IIS from LocalSystem to use the same user as that set in the impersonate of the Web.Config file and the SignalR process successfully connects to the database!
I don't know yet if this is the perfect solution or why SignalR won't honor the Web.Config impersonate, but it at least gets me going...
ASP.NET Impersonation
I have a site hosted on IIS that has anonymous authentication and forms authentication both enabled.
Initially I have impersonation Turned Off. So before logging in using forms authentication for,
System.Security.Principal.WindowsIdentity.GetCurrent().Name
I get a value of IIS APPPOOL\DefaultAppPool
when i enable impersonation I get a value NT AUTHORITY\IUSR
After logging in with forms authentication regardless of whether I have impersonation turned or or off.. I am always getting a value of IIS APPPOOL\DefaultAppPool
My question is.... if I have impersonation turned on and I log in using JSMITH's account, shouldn't I be getting a value of JSMITH
Impersonation doesn't run as the user you've logged in as, it just allows you to run your application under a specified user account.
<identity impersonate="true" userName="domain\username" password="P#$$word"/>
This will run as domain\username.
If you want to use the user account that's logged in you will want to look at something like Forms Authentication or Windows Authentication.
I have a web app, in the web.config, I have following settings:
<authentication mode="Windows"/>
<identity impersonate="true" userName="domain01\user01" password="***"/>
I deployed the app to Windows 2008 (IIS 7), the Identity of the application pool is domain01\user01, and in the Authentication of the app, I have following set:
Anonymous Authentication Disabled
ASP.NET Impersonation Enabled
Basic Authentication Disabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled
Now I need to get the user name who is currently logged on the machine, could be any authorized user with different domain. But no matter what I tired, I always got the impersonated user domain01\user01. I tried, HttpContext, WindowsIdentity, etc. Does anybody know how do I get the correct user name without changing my settings?
You are specifying domain01\username as the identity that you want to impersonate. That is why the current user is always that. If you remove the configured identity you will get the actual logged in user.
<identity impersonate="true" />
This is documented here:
http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.85).aspx
I under stand how to configure .NET Authorization under Windows Authentication to limit access to a website to specific users and groups.
However, for a web application, how do I set the database connection to impersonate the logged in user? The SQl database is on another server.
If this strictly IIS configuration? Code? Both? For an individual, I can add the credentials via the <identity> element, but what about impersonating AD group members?
The SQL Server is set up to to only allow connections from a specific group. The DBA set this up, I do not know the details.
Setting
<identity impersonate="true" />
and Integrated Security=true results in the following error:
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in
Integrated managed pipeline mode.
Using <identity impersonate="true" />
in your web.config along with Integrated Security=true; in your connection string should do this for you.
It will be up to the database to discover if the Active Directory User supplied is in the appropriate AD Group.
I'm trying to make a call to the SharePoint Search Webservice from an Asp.NET 4.0 application that does not reside on the SharePoint server. Everything seems to work, accept it is using the AppPool's credentials (a domain service account) to authenticate to SharePoint, which only returns results that that pin has access to. What I need to be able to do is impersonate the calling user, so that I get results for that user and not the domain account. I've set the server that the application is running under up to be trusted for delegation to the http spn that the SharePoint server is using, but I get a 401 error when doing the impersonation in my code. What could I be doing wrong?
you have to impersonate your call to the sharepoint web service.
you can do this at a web application level, with either the calling user or a static user, inside the web.config in the system.web node using the identity element, i.e...
<system.web>
<identity impersonate="true" />
</system.web>
or you can do this with inline code when you make your requesting call.
here is a microsoft KB on how to impersonate with an asp.net application. http://support.microsoft.com/kb/306158