
WindowsIdentity vs User.Identity ??

Author
28 Apr 2005 12:22 PM
Claude Vernier
Hello,

I have a web application for our intranet.
Built in ASP.Net using C# running on WinXp and IIS.

I wanted the application to impersonate the current user that logged onto
Windows.
So, in IIS, I checked only the Windows authentication.
In web config, I used

    <authentication mode="Windows"/>
    <identity impersonate="true"/>

That's all well.

But now I want all users to connect as the same single user, and it doesn't work.
Right now, when I use the application, the current user is myself:
"MyBigDomain\ClaudeVernier".
Of course, if my colleague is using it, the current user is himself:
"MyBigDomain\colleaguehimself".

I wanted to change only the web.config so that all users impersonate a new
NT user called "MyBigDomain\ThisUserIsGod":

        <authentication mode="Windows"/>
        <identity impersonate="true" userName="MyBigDomain\ThisUserIsGod"
password="PasswordForGod"/>

I have this strange behaviour; I guess it's OK, but I don't understand it.
I tried to find the name of the current user using this line:

    User.Identity.Name    //Returns: "MyBigDomain\ClaudeVernier"

while I was expecting God, so I tried this one, and it was ok.

    System.Security.Principal.WindowsIdentity.GetCurrent().Name    //Returns: "MyBigDomain\ThisUserIsGod"

So I'd like to understand the difference between the two, and whether I should
do this differently.
Also, if anyone knows a trick so the user could change the impersonation
himself, it would be great.
For example, a "Login As" button that pops up the logon window
provided by Windows.

Thanks a lot,
Claude Vernier

ps: Please excuse me if my English is not yet perfect.

Author
28 Apr 2005 1:22 PM
Dominick Baier [DevelopMentor]
Hello Claude,

Context.User.Identity represents your client identity;
WindowsIdentity.GetCurrent() represents the process identity (or the thread
identity if impersonating),

so the behaviour is as expected.

If you know the password for the account, you can programmatically impersonate
every user you like; you have to P/Invoke LogonUser to do that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Author
28 Apr 2005 2:38 PM
Claude Vernier
Thanks !

What I needed was WindowsIdentity.GetCurrent(), then.
But still, can you tell me a little bit more about "client identity": where
does it get the info?


About:

If you know the password for the account you can programmatically impersonate
every user you like - you have to p/invoke LogonUser to do that.

I don't want to see the user's password; I want to be as secure as possible.
That's why I thought of that window, the same as when you try to map a drive
where you must authenticate to have access.

I do not know what "p/invoke LogonUser" means. I think that "p/invoke" means
making a call into an unmanaged DLL, but besides that...

Thanks for any info.
Claude


Author
28 Apr 2005 2:47 PM
Dominick Baier [DevelopMentor]
Hello Claude,

If AuthenticationMode = Windows, ASP.NET will pick up the client identity
that IIS retrieved for you (through any of the authentication handshakes
available: basic, integrated, digest and so on). If IIS is set to anonymous,
Page.User.Identity.Name will be empty (as expected).

If AuthenticationMode = Forms, the FormsAuthentication infrastructure sets
this value for you.

A better name for Thread.CurrentPrincipal would IMO be Thread.CurrentClientPrincipal
(this maybe helps when thinking about it).

LogonUser is a Win32 API: you pass in a username and password and get back
a token which you can impersonate. If you don't really need that, stay away
from it; it is messy, especially in an ASP.NET app. I know of no way to
display that Windows dialog you are talking about.

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

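An added example (not code from the thread) of how the two identities Dominick describes coexist in one request: an HttpModule that records HttpContext.User (the client identity) next to WindowsIdentity.GetCurrent() (the thread identity, which under Claude's fixed-account config is the service account for every caller) and makes its authorization decision on the client identity only. It assumes Claude's web.config above, System.Web, and a hypothetical group name MyBigDomain\IntranetUsers.

```csharp
// Added example, not from the thread. Assumes an ASP.NET (System.Web) application with
// <authentication mode="Windows"/> and <identity impersonate="true" userName="..."
// password="..."/> in web.config, as in Claude's question.
using System;
using System.Security.Principal;
using System.Web;

public class IdentityAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after ASP.NET has attached the client principal
        // (HttpContext.User) that IIS authenticated for this request.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    // One-line audit record of both identities. With Claude's config this reads, e.g.:
    //   client=MyBigDomain\ClaudeVernier thread=MyBigDomain\ThisUserIsGod
    // With impersonate="true" and no userName, both names are the caller's.
    public static string Describe(IPrincipal client, WindowsIdentity thread)
    {
        string clientName = (client != null && client.Identity.IsAuthenticated)
            ? client.Identity.Name
            : "(anonymous)";   // empty Name when IIS allows anonymous access
        return String.Format("client={0} thread={1}", clientName, thread.Name);
    }

    // Authorize on the *client* identity (who is calling), never on the thread
    // identity: under fixed impersonation the thread is the same service account for
    // everybody, so an IsInRole check on it would grant every caller that account's rights.
    public static bool IsAllowed(IPrincipal client, string requiredGroup)
    {
        return client != null
            && client.Identity.IsAuthenticated
            && client.IsInRole(requiredGroup);
    }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IPrincipal client = ctx.User;                          // what User.Identity returns
        WindowsIdentity thread = WindowsIdentity.GetCurrent(); // what the page runs as

        ctx.Trace.Write("identity", Describe(client, thread));

        // Hypothetical group name; replace with the real authorization group.
        if (!IsAllowed(client, @"MyBigDomain\IntranetUsers"))
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The userName/password pair in the `<identity>` element is stored in plaintext in web.config; ASP.NET 1.1 ships aspnet_setreg.exe so that these credentials can be kept encrypted in the registry instead of in the file.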
Author
28 Apr 2005 3:40 PM
Claude Vernier
Thanks a lot !
Have a nice day!

Author
29 Apr 2005 6:26 AM
Valery Pryamikov
If your W2k3 member server belongs to a W2k3 functional-level domain,
you can use the WindowsIdentity constructor that takes a principal name. The latter
creates a KERB_S4U logon token, which can be used as an identity token when
you are running in a less-privileged context than LocalSystem, and as an
impersonation token if you are calling it from the LocalSystem account.

-Valery.
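An added example (not code from the thread) of the S4U route Valery describes: the WindowsIdentity(string) constructor builds a token for a user principal name without any password, and the token's ImpersonationLevel tells you whether it is only usable for identification (group-membership checks) or can actually be impersonated. It assumes .NET 2.0 or later, a domain that supports this logon type as Valery states, and a constructed UPN; which level you receive depends on the privileges of the calling account, as Valery and Dominick discuss.

```csharp
// Added example, not from the thread. Assumes .NET 2.0+ on a Windows Server 2003 member
// server in a Windows Server 2003 functional-level domain (Valery's precondition).
using System;
using System.Security.Principal;

public delegate void Work();

public static class S4UIdentity
{
    // S4U logon: only the UPN is supplied, no password. The returned token is the
    // KERB_S4U logon token Valery mentions.
    public static WindowsIdentity Lookup(string userPrincipalName)
    {
        return new WindowsIdentity(userPrincipalName);
    }

    // An Identification-level token answers "is this user in group X?" but cannot be
    // impersonated; only an Impersonation- or Delegation-level token can. Which one
    // the constructor returns depends on the privileges of the account calling it.
    public static bool CanImpersonate(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Works with either token kind: membership is read from the token's group SIDs,
    // so no impersonation is needed to make an authorization decision.
    public static bool IsMemberOf(WindowsIdentity id, string groupName)
    {
        return new WindowsPrincipal(id).IsInRole(groupName);
    }

    // Runs the work as the user only when the token permits it. Otherwise the caller
    // keeps its own, less privileged identity, in line with Dominick's advice to
    // avoid impersonation unless it is really needed.
    public static bool TryRunAs(WindowsIdentity id, Work work)
    {
        if (!CanImpersonate(id))
            return false;
        using (WindowsImpersonationContext ctx = id.Impersonate())
        {
            work();
        } // Dispose() reverts to the original identity even if work() throws.
        return true;
    }

    public static void Main()
    {
        // Constructed UPN and group name for illustration only.
        WindowsIdentity id = Lookup("claude.vernier@mybigdomain.example");
        Console.WriteLine("{0}: level={1}, member={2}", id.Name, id.ImpersonationLevel,
            IsMemberOf(id, @"MyBigDomain\IntranetUsers"));
        bool ran = TryRunAs(id, delegate { Console.WriteLine(WindowsIdentity.GetCurrent().Name); });
        Console.WriteLine(ran ? "impersonated" : "identification-only token, not impersonated");
    }
}
```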
Author
29 Apr 2005 7:18 AM
Dominick Baier [DevelopMentor]
Hello Valery,

For impersonation (and delegation to a backend server afterwards) you do
not need Local System. Only access to local resources requires Local System.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Author
29 Apr 2005 7:20 AM
Dominick Baier [DevelopMentor]
Hello Valery,

But you are right; this is an option I forgot.

Surely I would not recommend implementing that in the scenario Claude described:
a LogonAs button where you pick a username :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Author
29 Apr 2005 6:20 PM
Valery Pryamikov
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:323224632503632167631552@news.microsoft.com...
> Hello Valery,
>
> but you are right - this is an option i forgot.
>
> Surely i would not recommend implementing that in a scenario Claude
> described : A LogonAs Button where you pick a username :)


:-)
