{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Deceive 欺骗 的问题《Set up impersonation with ASP.NET》','https://www.manongdao.com/q-647865.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
for a first understanding, I have created a very simple project which tries to count the number of files in two directories. User1 is not allowed to access Directory2 and User2 is not allowed to access Directory1. Due to impersonation I should get only one number, depending on the user who is calling my application. Both user are set up as administrators.
So I have created a new MVC-project in Visual Studio 2015 (running on Windows 8.1) and selected to use Windows authentication. Once the application is up and running (in ISS Express), I switch to User1 on my machine (there is no Active Directory) and call the website in Internet Explorer (yes, "Integrated Windows authentication" is enabled in the settings). With this setup, the user in HttpContext.User.Identity is User1 and WindowsIdentity.GetCurrent() is my development user, the one I am working with in Visual Studio.
I have also tried to impersonate manually:
WindowsIdentity winId = (WindowsIdentity)User.Identity;
WindowsImpersonationContext ctx = null;
try
{
ctx = winId.Impersonate();
// GetNumbers() tries to get the number of files for both directories
numbers = GetNumbers();
}
catch (Exception e)
{
}
finally
{
if (ctx != null)
{
ctx.Undo();
}
}
Unfortunately, I get the exception "Either a required impersonation level was not provided, or the provided impersonation level is invalid." Some people were claiming the this one solved their problem: https://kc.mcafee.com/corporate/index?page=content&id=KB56194 Not for me. I've added User1 and my own user to the lists and restarted the computer. No change.
The only thing which gives me a little bit of hope is the impersonation with a separate login, as described on https://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingusinglogonuser The disadvantages are quite obvious: I have to have the user's password and why should I login again if the user already did it for me.
Although this is a new project without major changes by me, some more information just for sanity check...
My Web.config
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
My project settings are
- "Anonymous authentication" is
false - "Windows authentication" is
true - "Managed pipline mode" is
Integrated
Any suggestions on what to change to make this simple project work as expected?
Best regards, Carsten
I finally managed to get it to work (IIS Express and IIS)! As mentioned above, the first approach was a prototype only. The final goal was to create a GUI which runs on server A and an API which runs on server B. Both implemented with ASP.NET.
The
Web.configof the GUI and the API got these settings:The project property (press
F4after selecting the project) "Managed pipline mode" is set toClassic.Somewhere on SO I saw a discussion about if the impersonation should work with
HttpClientas well. It was said, it does. Well, it did not for me. And theWebClientis no fun if you are using a variety of HTTP methods. So I switched to RestSharp:Classic"Managed pipeline mode".user1on my development machine had another password then theuser1on my target machine...I hope this helps someone.