ASP.NET Forms Authentication and Active Directory Impersonation - c#

I'm writing a web application (in C#) where I need to log on to a web page using different credentials from the user logged on locally to Windows. That page then executes a process on the web server, but it executes as the user that has logged into the web page. The user logging into the web page is authenticated against Active Directory. I've used Windows Authentication and ASP.NET impersonation to launch processes on the web server, and I can create a site that uses forms authentication against AD, however I can't find a good article that explains how to run a process impersonating a user that has logged on using forms authentication from AD. Whenever I run anything it just gives me an error because it's trying to run as 'NT AUTHORITY\IUSR'. Does anyone know of any good articles, or can you give me any code examples?
Thanks in advance,
Rich

Take a look at ProcessStartInfo - you can set up security etc. (if your thread is already running impersonated then you can get some of the necessary info from System.Threading.Thread.CurrentThread / CurrentPrincipal) and then call Process.Start.
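The point the answer above leaves implicit is that Process.Start does not pick up the thread's impersonation token: a child process is created from the worker process identity unless explicit credentials are supplied through ProcessStartInfo, which is why the question sees 'NT AUTHORITY\IUSR'. With forms authentication the application has the user's password at login time, so it can validate it against the domain and hand it to ProcessStartInfo. The following is an added example, not code from the question or answer; the class, the method and the argument names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Security;

// Added example, not code from the thread. ForwardedLogonRunner and RunAsDomainUser are
// hypothetical names; domain/userName/password are what the forms login page collected.
public static class ForwardedLogonRunner
{
    // Validates the forms-login credentials against Active Directory, then starts exePath
    // under those credentials and returns its exit code.
    public static int RunAsDomainUser(string domain, string userName, string password,
                                      string exePath, string arguments)
    {
        // Step 1: authenticate the supplied password against the domain. Do not start
        // anything with credentials that have not been checked first.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                throw new UnauthorizedAccessException("Invalid domain credentials.");
        }

        // Step 2: keep the password in a SecureString only for the lifetime of the call.
        using (var securePwd = new SecureString())
        {
            foreach (char c in password) securePwd.AppendChar(c);
            securePwd.MakeReadOnly();

            var psi = new ProcessStartInfo(exePath, arguments)
            {
                Domain = domain,
                UserName = userName,
                Password = securePwd,
                UseShellExecute = false,          // mandatory when supplying credentials
                LoadUserProfile = false,
                CreateNoWindow = true,
                RedirectStandardOutput = true,
                // Must be a directory the target user can read; the worker process's
                // own directory usually is not.
                WorkingDirectory = Environment.SystemDirectory
            };

            // Process.Start with credentials performs a real logon for the target account
            // (via the Secondary Logon service), not impersonation of the current thread.
            using (Process p = Process.Start(psi))
            {
                string output = p.StandardOutput.ReadToEnd();
                p.WaitForExit();
                return p.ExitCode;
            }
        }
    }
}
```

Two operational caveats: the target account needs to be allowed to log on to the web server, since this is a genuine logon rather than a token borrowed from IIS, and the application must not persist the cleartext password beyond the login request that needs it (a forms authentication ticket carries no Windows credentials, so the process launch has to happen while the password is still in hand, or be replaced by a Windows-authenticated path as the other threads on this page discuss).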

Related

How to get the Windows client user ASPX C#

I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
  Application Pools
    ASP.NET v4.0 Classic - .NET 4.0, Classic pipeline, App Pool Identity
    MySiteAppPool - .NET 2.0, Integrated, runs under a domain-wide service identity (call it "mycompany\domservice")
  Sites
    MyMainSite - Windows Authentication, uses "MySiteAppPool"
    "AutoPrint" - my web app, Windows Authentication, uses "ASP.NET v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g., Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using the HttpContext.User property? This will give the currently logged-on user. After that you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.
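The three calls the question tried measure three different things, and only one of them is the browser user. As an added example (not code from the thread; class and method names are hypothetical), this helper reads the caller from HttpContext.User, shows the other values side by side for diagnosis, and then does the AD lookup the answer above mentions with System.DirectoryServices.AccountManagement instead of hand-written LDAP:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Added example, not code from the thread. CallerIdentity and its methods are hypothetical.
public static class CallerIdentity
{
    // Returns the domain account of the browser user (e.g. "mycompany\JJONES"), or null
    // when IIS did not authenticate the request. HttpContext.User is populated by the
    // Windows authentication handshake, independent of the application pool account or
    // the "Connect as..." credentials of the physical path.
    public static string GetCallerAccount(HttpContext ctx)
    {
        IIdentity id = ctx.User == null ? null : ctx.User.Identity;
        if (id == null || !id.IsAuthenticated)
            return null;   // anonymous authentication still enabled, or no credentials sent
        return id.Name;
    }

    // Side-by-side view of the values the question tried. Only the first is the caller.
    public static IDictionary<string, string> DescribeIdentities(HttpContext ctx)
    {
        return new Dictionary<string, string>
        {
            // Authenticated request identity; empty string when the request is anonymous.
            { "HttpContext.User", ctx.User.Identity.Name },
            // Token IIS attached to the request; under anonymous authentication this is
            // the anonymous account, not the browser user.
            { "Request.LogonUserIdentity", ctx.Request.LogonUserIdentity.Name },
            // Thread token: the caller only while <identity impersonate="true"/> is in
            // effect, otherwise the application pool account.
            { "WindowsIdentity.GetCurrent()", WindowsIdentity.GetCurrent().Name },
            // Always the worker process account; never the caller.
            { "Environment.UserName", Environment.UserName },
        };
    }

    // Looks the caller up in Active Directory. This runs with the worker process
    // credentials, so the application pool account must be able to read the domain.
    public static string LookupDisplayName(string domainQualifiedName)
    {
        int sep = domainQualifiedName.IndexOf('\\');
        string domain = sep > 0 ? domainQualifiedName.Substring(0, sep) : null;
        string sam = sep > 0 ? domainQualifiedName.Substring(sep + 1) : domainQualifiedName;

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null) return null;
            return user.DisplayName + " <" + user.EmailAddress + ">";
        }
    }
}
```

If GetCallerAccount returns null while the browser user is on the domain, check the site's authentication settings first (anonymous must be disabled, Windows enabled) before looking at application pool or "Connect as..." accounts; those only change the worker identity, never the caller.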

Single sign on to web application with windows login

I have a single sign-off requirement from our customers as part of our next release. The existing flow is as follows:
User logs into their organization system (AD user) or main portal system using their email ID or user name as provided by the organization.
User clicks the link to my web (i.e. Angular + Web API)
User is automatically taken as a logged-in user and can access protected pages. If the user wants to log in from outside the organization he must use the login form on our site.
I have completed the login form web application using the email/password that we have stored in our local system, but I am still struggling to implement it with Windows credentials.
My project is based on Web API 2.0 with an Angular front end. It's hosted on IIS. I don't want to use any 3rd party DLLs to manage everything, so are there any appropriate solutions available in the .NET environment which would achieve my requirements in a simple way?
If your website needs to seamlessly authenticate user credentials in an AD domain, one way to achieve this is by creating a small IIS server with NTLM authentication inside the domain and forward some type of authorization/credential key to your outside website.

With IIS with Windows authentication on domain, can I start a process as the domain user who initiated request to IIS?

Let's say I'm on a domain (paddyspub.com) and user dennisreynolds@paddyspub.com calls a web service that is configured in IIS to use NTLM / Windows authentication. Is there a way for me to start a process on the web server as dennisreynolds@paddyspub.com from the method in the web service that was called?
Take a look at ASP.NET Impersonation:
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).
When impersonation is enabled, only your application code runs under the context of the impersonated user. Applications are compiled and configuration information is loaded using the identity of the ASP.NET process. For more information, see Configuring ASP.NET Process Identity. The compiled application is put in the Temporary ASP.NET files directory. The application identity that is being impersonated needs to have read/write access to this directory. The impersonated application identity also requires at least read access to the files in your application directory and subdirectories. For more information, see ASP.NET Required Access Control Lists (ACLs).

IIS 7.5 and mixed-mode authentication (single sign on)

Has anyone managed to achieve this?
Application should work like this:
App admin can add AD users
App admin can define users not from AD
If a user is added from AD and tries to access the application from the same AD - the application should log him in automatically (single sign-on).
If the user is not from AD, or not added as an application user - the application login form is displayed.
Just to mention, I managed to achieve this on IIS6. I have read several techniques so far with IIS 7 and 7.5 involved, but it seems none of them really works when deployed on production server.
So far I have 2 separate web applications. One web application is configured with forms authentication - this one is main. Other is configured as windows authentication.
So the idea is, the user tries to access the main application, which redirects him to the other application which tries to extract his domain username (NTLM), and redirects him back to the main application. The main application tries to log him in as an AD user; if this fails the forms login is displayed. If the AD user is added as an application user (using a separate admin module of the application), he should be authenticated automatically, meaning no IIS login prompt should be displayed.
These two applications are running in same application pool. Also they are both in integrated pipeline mode.
This works if I set it up on my development win7 IIS, but when I deploy application on win 2008 server with IIS 7.5 - it's not working. I keep getting IIS login prompt. If I enter my credentials to IIS login prompt it will eventually log me into application.
Has anyone had a similar issue and hopefully solved it?
Please update the question with the info you have provided.
As I understand, these two applications are in the same app pool and I believe you need to separate them into two app pools.
Progress update - this authentication works now as expected (I didn't have to split app pools). The problem was that on the machine accessing the application, the app server has to be registered as Local intranet. This is a must in order for IE to send credentials to the server.
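The redirect design in this thread (and the "forward some type of authorization/credential key" suggestion in the single sign-on question above) has one security property that decides whether it is sound: the forms-authenticated main application must be able to verify that the user name it receives was produced by the Windows-authenticated helper, and recently. If the helper simply appends `?user=DOMAIN\name` to the return URL, anyone can type that URL and log in as any registered AD user. As an added example that is not code from the thread, here is a minimal keyed handoff: the helper signs the user name and a timestamp with an HMAC under a secret both applications share, and the main application verifies the MAC and the age before issuing its forms ticket. The parameter names, the key and the method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. SsoHandoff, the "sso"/"mac" query parameters
// and the shared key below are hypothetical.
public static class SsoHandoff
{
    // Same random secret in both applications' configuration; the literal here is a
    // constructed placeholder, replace it with 32+ random bytes kept out of source.
    static readonly byte[] SharedKey =
        Encoding.UTF8.GetBytes("constructed-demo-key-replace-with-32-random-bytes");
    const int MaxAgeSeconds = 60;

    // Helper application (Windows authentication): builds the URL that sends the user
    // back to the main application.
    public static string BuildReturnUrl(HttpContext ctx, string mainAppSsoUrl)
    {
        var id = ctx.User.Identity;
        if (!id.IsAuthenticated)
            throw new InvalidOperationException("Helper app must require Windows authentication.");
        long issued = UnixSeconds(DateTime.UtcNow);
        string payload = id.Name + "|" + issued;          // e.g. "MYDOMAIN\jdoe|1700000000"
        string sso = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
        return mainAppSsoUrl + "?sso=" + HttpUtility.UrlEncode(sso)
                             + "&mac=" + ComputeMac(payload);
    }

    // Main application (forms authentication): verifies the handoff and signs the user in.
    // isRegisteredAdUser is the application's own "was this AD user added by the admin" check.
    public static bool TryAcceptHandoff(HttpContext ctx, Func<string, bool> isRegisteredAdUser,
                                        out string userName)
    {
        userName = null;
        string sso = ctx.Request.QueryString["sso"];
        string mac = ctx.Request.QueryString["mac"];
        if (string.IsNullOrEmpty(sso) || string.IsNullOrEmpty(mac)) return false;

        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(sso)); }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting anything inside the payload.
        if (!ConstantTimeEquals(ComputeMac(payload), mac)) return false;

        string[] parts = payload.Split('|');
        long issued;
        if (parts.Length != 2 || !long.TryParse(parts[1], out issued)) return false;
        long age = UnixSeconds(DateTime.UtcNow) - issued;
        if (age < -5 || age > MaxAgeSeconds) return false;    // expired, or from the future

        if (!isRegisteredAdUser(parts[0])) return false;       // fall through to the forms login

        userName = parts[0];
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    static string ComputeMac(string payload)
    {
        using (var h = new HMACSHA256(SharedKey))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Compare without leaking where the first mismatch is.
    static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static long UnixSeconds(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }
}
```

The 60-second window bounds, but does not remove, replay of a captured URL; if that matters, have the main application record each accepted `issued` value per user for the window, or carry a random nonce that it accepts once. Keeping both applications on HTTPS and in the same application pool, as the poster did, does not change any of this: the check lives in the main application's code, not in IIS.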

SharePoint List access across Application Pools

I have a requirement where I need to be able to access a list which sits in Central Administration from an Application Page which sits on my Web Front End (WFE). The issue I have is that the Application Pool User for my WFE does not have access to the SharePoint_AdminContent database so I get access denied, they both have their own App Pools
In the logs it shows the following:
  Reverting to process identity
  Current user before SqlConnection.Open: Name: SharePointDemo\SPContentPool SID: S-1-5-20 ImpersonationLevel: None
  Current user after SqlConnection.Open: Name: SharePointDemo\SPContentPool: S-1-5-20 ImpersonationLevel: None
  Insufficient SQL database permissions for user 'SPContentPool' in database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275' on SQL Server instance 'SPNSQL'. Additional error information from SQL Server is included below. The EXECUTE permission was denied on the object 'proc_EnumLists', database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275', schema 'dbo'.
I have tried RunWithElevatedPrivileges as well as Daniel Larson's method (http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry) which uses the SharePoint\System user token, but it only seems to elevate as high as the Application Pool.
I am hoping there is an easy way to impersonate the Application Pool of the Admin Web Application but have been unable to find a way to do so yet... Or change the process identity to one which has access
Any thoughts, ideas or solutions are thankfully received!
Phill
You should try to use the List web service to access the list items. And set the credentials before connecting to the web service.
The problem is that the CA Application Pool and the WFE Application pool most likely run under different accounts, which is best practice though annoying when you are a developer. There is no amount of Elevating Privileges you can do using SPSecurity.RunWithElevatedPrivileges to get around this.
Providing your security policy allows this, you can give the application pool that runs your WFE Web Application the same credentials as the Central Administration Application Pool.
This can be done using the Service Accounts screen at:
http:///_admin/FarmCredentialManagement.aspx
If you go down the web service route, you may want to roll your own web service to prevent too much 'chatting' over HTTP.
Have you tried regular windows impersonation? You should probably be able to impersonate the service account and get access to the list that way.