How to Do Impersonation in .Net

How do you do Impersonation in .NET?

Here are some good overviews of .NET impersonation concepts.

  • Michiel van Otegem: WindowsImpersonationContext made easy
  • WindowsIdentity.Impersonate Method (check out the code samples)

Basically you will be leveraging these classes that are out of the box in the .NET framework:

  • WindowsImpersonationContext
  • WindowsIdentity

The code can often get lengthy though and that is why you see many examples like the one you reference that try to simplify the process.

ASP.NET Core Identity impersonate specific user

There is a blog post about impersonation in Asp.Net Core HERE. I am just searching for such a solution, so I have not tried implementing it yet. However it seems you are on the right track. There are only slight differences between your code and Max's.

Basically you need to replace the cookie at the browser side. So, for the next request the server "thinks" it's someone else logged in. At least that's what I understood so far. This is why you had better save the original identity in the cookie as well, so you can switch back to the original user when needed.

I will get back when I have a working solution anyway.
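
The cookie swap described in the answer above, as an added example that is not part of the original answer or of the blog post it mentions. `ApplicationUser`, the `Admin` role, the `OriginalUserId` claim name and the redirect targets are assumptions chosen for illustration.

```csharp
// Added example: hypothetical controller; ApplicationUser, the "Admin" role and
// the "OriginalUserId" claim name are assumptions, not taken from the page.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }

[Authorize]
public class ImpersonationController : Controller
{
    private const string OriginalUserClaim = "OriginalUserId"; // assumed claim name
    private readonly UserManager<ApplicationUser> _users;
    private readonly SignInManager<ApplicationUser> _signIn;

    public ImpersonationController(UserManager<ApplicationUser> users,
                                   SignInManager<ApplicationUser> signIn)
    { _users = users; _signIn = signIn; }

    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "Admin")]
    public async Task<IActionResult> Start(string userId)
    {
        // Refuse nested impersonation so the stored original identity stays trustworthy.
        if (User.HasClaim(c => c.Type == OriginalUserClaim)) return Forbid();
        var target = await _users.FindByIdAsync(userId);
        if (target == null) return NotFound();
        // Build the target's principal and record who is really behind it.
        var principal = await _signIn.CreateUserPrincipalAsync(target);
        ((ClaimsIdentity)principal.Identity).AddClaim(
            new Claim(OriginalUserClaim, _users.GetUserId(User)));
        // Replace the auth cookie: the next request is seen as the target user.
        await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
        await HttpContext.SignInAsync(IdentityConstants.ApplicationScheme, principal);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Stop()
    {
        // Only a session carrying the original-user claim can switch back.
        var originalId = User.FindFirstValue(OriginalUserClaim);
        var original = originalId == null ? null : await _users.FindByIdAsync(originalId);
        if (original == null) return Forbid();
        await _signIn.SignOutAsync();
        await _signIn.SignInAsync(original, isPersistent: false);
        return RedirectToAction("Index", "Home");
    }
}
```

The original-user claim also gives audit logging a way to attribute every impersonated request to the administrator who started it.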

ASP.NET User Impersonation

What you are doing/asked to do is typically frowned upon. When you have Integrated Security=True set in your connection string, the SID/user accessing the connection is defined by the application pool. This allows SQL Connection Pooling to work very efficiently.

When you try to access the SQL server using Integrated Security with Pass-through authentication or impersonation, you basically lose all value from the connection pool (because now each connection has to be created with the user credentials and cannot be shared across requests).

Normally when I come across this situation, I create a user, grant db access and use that user with the application pool. When a user authenticates on the website (windows or basic auth) I use Active Directory Services or LDAP to verify the user has access to the application.

C# - Asp.net web API test project - how to impersonate a user and run test cases under a specific user

I am now running my test cases using the SimpleImpersonation library. This NuGet package allows you to impersonate some user and it's really easy to use.

    [TestMethod]
    public void SearchUser()
    {
        // Placeholder domain, user name and password of the account to impersonate
        var credentials = new UserCredentials("domain", "UID", "PWD");
        // LogonType.NewCredentials applies these credentials to outbound network access only
        var result = Impersonation.RunAsUser(credentials, LogonType.NewCredentials, () =>
        {
            // Code inside this block will run under the ID of another user
            dynamic actualResult = controller.SearchUser();
            // Assert
            Assert.IsNotNull(actualResult);
            return actualResult;
        });
    }

When using ASP.NET how do you impersonate Windows Credentials?

You can temporarily impersonate a user:

It's in C#, but you can easily translate it to VB.

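    // LogonUser and DuplicateToken (advapi32.dll) and CloseHandle (kernel32.dll) are
    // P/Invoke declarations assumed to be defined elsewhere in this class, along
    // with the LOGON32_* and SecurityImpersonation constants.
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    if (!HttpContext.Current.User.Identity.IsAuthenticated)
    {
        try
        {
            if (LogonUser("TempUser", Environment.MachineName,
                          "password", LOGON32_LOGON_INTERACTIVE,
                          LOGON32_PROVIDER_DEFAULT, ref token) != 0)
            {
                if (DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate) != 0)
                {
                    m_ImpersonatedUser = new WindowsIdentity(tokenDuplicate);
                    m_ImpersonationContext = m_ImpersonatedUser.Impersonate();
                    try
                    {
                        // impersonated code here
                    }
                    finally
                    {
                        // Always revert to the original identity, even on error
                        m_ImpersonationContext.Undo();
                    }
                }
            }
        }
        finally
        {
            // Release the native token handles so they are not leaked
            if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }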

Impersonation and asynchrony in ASP.NET WebAPI

As this answer explained, the impersonation in the web.config overrides the identity in the application pool.

In my opinion there is a fine explanation here of which one to use: impersonation or application pool

What is Impersonation in ASP.NET?

You should check out Keith Brown's description of impersonation. It is really a Windows concept.

When you have an application using forms authentication (FA), the IIS process is running under the credentials of a specific user set up in IIS.

Example: Say you have a user called Bob logged on using FA, and IIS is set up to run as Network Service. If Bob accesses a page which makes a web service call to another computer, the other computer will see the IIS user and not Bob. You can use impersonation to allow Bob to access the web service as a real Windows user and not Network Service.

Impersonation is not evil but it can be misused. You really need to understand the impact on your overall security model. It is also something that creates a lot of work for a developer to debug. This is especially the case if you do not have admin rights to the resource (e.g. web service) you are trying to access.


