
I'm coding an intranet system that writes files locally to the webserver, through a script using ADODB.Stream. The problem is, it uses the logged-in Windows/AD user account to do so, as impersonation is activated by default in IIS - and I actually need it activated most of the time. Since I don't want to give write access to the webserver to anyone that needs to make use of the system, I need to temporarily "unimpersonate" the session back to the "IUSR" account.

How could I do that? Preferably in classic ASP, as the whole site is coded in it, but could be something in ASP.net (C#) too.

I work for a large company, and my access to the IIS control panel/server machine is a bit limited (need to deal with another department). And I can't install any custom modules or DLLs either.

Fabio Pereira
  • possible duplicate: http://stackoverflow.com/questions/125096/can-i-turn-off-impersonation-just-in-a-couple-instances. Though it's done in C# and not Classic ASP. – Steven V Jun 18 '14 at 17:34
  • What version of IIS is involved here? – Bret Jun 18 '14 at 19:25

2 Answers


In the past I've used the Msxml2.ServerXMLHTTP to make a server-side call that switches the impersonation context using the HTTP Authorization Headers. This allows me to create a file using a different context to what the website is running in.

Sub ExecuteContext(url, data, user, password)
  Dim http

  Set http = Server.CreateObject("Msxml2.ServerXMLHTTP")
  Response.CharSet = "utf-8"

  Call http.open("POST", url, False, user, password)

  'Called using Basic Authentication (not as secure as Windows Authenticated but should be adequate)
  Call http.setRequestHeader("Authorization", "Basic " & Base64Encode(user & ":" & password))
  Call http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
  Call http.send(data)
End Sub

'Supporting functions to do the Base64 encoded Authorization header.
Function Base64Encode(inData)
  'ripped from: 
  'http://www.pstruh.cz/tips/detpg_Base64Encode.htm
  'rfc1521
  '2001 Antonin Foller, PSTRUH Software, http://pstruh.cz
  Const Base64 = _
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim sOut, I

  'For each group of 3 bytes
  For I = 1 To Len(inData) Step 3
    Dim nGroup, pOut

    'Create one long from these 3 bytes.
    nGroup = &H10000 * Asc(Mid(inData, I, 1)) + _
      &H100 * MyASC(Mid(inData, I + 1, 1)) + _
      MyASC(Mid(inData, I + 2, 1))

    'Oct splits the long To 8 groups with 3 bits
    nGroup = Oct(nGroup)

    'Add leading zeros
    nGroup = String(8 - Len(nGroup), "0") & nGroup

    'Convert To base64
    pOut = Mid(Base64, CLng("&o" & Mid(nGroup, 1, 2)) + 1, 1) + _
      Mid(Base64, CLng("&o" & Mid(nGroup, 3, 2)) + 1, 1) + _
      Mid(Base64, CLng("&o" & Mid(nGroup, 5, 2)) + 1, 1) + _
      Mid(Base64, CLng("&o" & Mid(nGroup, 7, 2)) + 1, 1)

    'Add the part To OutPut string
    sOut = sOut + pOut

  Next
  Select Case Len(inData) Mod 3
    Case 1: '8 bit final
      sOut = Left(sOut, Len(sOut) - 2) + "=="
    Case 2: '16 bit final
      sOut = Left(sOut, Len(sOut) - 1) + "="
  End Select
  Base64Encode = sOut
End Function

Function MyASC(OneChar)
  If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar)
End Function

This approach is extremely flexible; in my implementation I use it to change the context in the same page by POSTing to itself but with different data.

user692942

I've got around the impersonation problem in a different way. Just wrote an ASP.net script to save files using HttpPostedFile, based on this one, and it worked like a charm. The files are (probably) being written under the app pool user configured in IIS.

Fabio Pereira
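
Added example, not code from either answer: a minimal ASP.NET generic handler along the lines of the second answer that saves an upload with `HttpPostedFile`, explicitly reverts the thread to the process (app pool) identity for the write only, and restricts the file name, since the write no longer depends on the caller's own NTFS rights. The handler name `SaveUpload`, the form field `file`, the folder `~/App_Data/uploads` and the extension list are assumptions.

```csharp
<%@ WebHandler Language="C#" Class="SaveUpload" %>
// SaveUpload.ashx (hypothetical name); compiled on first request, no DLL to install.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class SaveUpload : IHttpHandler
{
    // Assumed folder: grant Modify on it to the app pool identity only.
    private const string UploadDir = "~/App_Data/uploads";
    private static readonly string[] AllowedExt = { ".pdf", ".txt", ".csv" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }

        HttpPostedFile file = context.Request.Files["file"]; // assumed field name
        if (file == null || file.ContentLength == 0) { context.Response.StatusCode = 400; return; }

        // Keep only the leaf name so "..\" sequences cannot leave UploadDir,
        // and accept only expected extensions (never .asp, .aspx or .config).
        string name = Path.GetFileName(file.FileName);
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (name.Length == 0 || Array.IndexOf(AllowedExt, ext) < 0)
        {
            context.Response.StatusCode = 415;
            return;
        }
        string target = Path.Combine(context.Server.MapPath(UploadDir), name);

        string caller = context.User.Identity.Name; // authenticated AD user, for the audit trail
        string writer;

        // Revert to the process identity for the write only; this changes
        // nothing if ASP.NET impersonation is already off for the application.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            writer = WindowsIdentity.GetCurrent().Name;
            file.SaveAs(target); // overwrites an existing file of the same name
        } // Dispose() restores the previous thread identity

        context.Response.ContentType = "text/plain";
        context.Response.Write("Saved " + name + " for " + caller + " as " + writer);
    }
}
```

The response line shows both identities, which confirms which account needs write access on the folder before any ACLs are changed.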