
I have several intranet-only web sites written in ASP.NET MVC 5 and hosted on IIS7.
For these I want to enable impersonation when accessing the database.

I don't want the complete impersonation that lasts for the whole request - because I don't need it and because it is not supported in the integrated mode and requires suppressing the error.

The important note is that impersonation here is not related to security. I don't want to prevent anyone from accessing the web site (if they are on the company's network, that is already a granted permission).
Rather, I need to store the Windows user name in the database against certain actions for logging purposes only. If no Windows user name is available for logging, that is fine and the user must be able to proceed.

The code I'm going to be using will be

var identity = User.Identity as System.Security.Principal.WindowsIdentity;
if (identity != null && !identity.IsAnonymous)
{
    using (var context = identity.Impersonate())
    {
        // access SQL Server who will get the user name from SUSER_SNAME()
    }
}

The problem is that in order for IIS to pick up the Windows credentials, the anonymous access must be disabled, otherwise IIS will not even try to request credentials in some way or another.

This is a problem, because I want to keep the anonymous access.

Is it possible to somehow configure IIS or the application to let anonymous users in too?

Ideally this should be happening transparently, but if that is not possible, I will probably be happy with the browser displaying the username/password dialog, which the user would dismiss by clicking OK, which would provide blank username/password to IIS, which would allow them and map them to the anonymous situation (ish).

It is, however, not okay to request credentials from users whose browsers can provide Windows credentials automatically (IE does that by default, Firefox does that after changing a setting).

I have seen this .NET v1.1 era hack that involves reflection on private fields and this question on writing a custom HttpModule - but it is said to be called after IIS completes its authentication business, which is too late, and I have no idea how to initiate an NTLM handshake from such a custom handler.
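As an added illustration of the scoped-impersonation pattern described above (not code from the question or its comments), the helper below impersonates only for the duration of the database call, falls back to the application pool identity when IIS supplied no non-anonymous Windows identity, and asks SQL Server what it sees; the server name, database name and controller are assumed for the example.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Mvc;

public class AuditController : Controller
{
    // Constructed connection string (assumption). Integrated Security is what lets
    // SUSER_SNAME() on the server side reflect the impersonated Windows user.
    private const string ConnectionString =
        "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI;";

    // Runs dbWork under the caller's Windows identity when IIS produced one and it is
    // not the anonymous token; otherwise runs as the application pool identity so
    // the caller can still proceed. The impersonation context covers only dbWork,
    // not the whole request, and is reverted by Dispose() even if dbWork throws.
    private T WithCallerIdentity<T>(Func<T> dbWork)
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || identity.IsAnonymous)
        {
            return dbWork();
        }
        using (identity.Impersonate())
        {
            return dbWork();
        }
    }

    // The connection must be opened inside the impersonation scope: the Windows
    // token in effect at Open() time is the one SQL Server authenticates.
    private static string QueryServerSideUser()
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    public ActionResult WhoAmI()
    {
        string dbUser = WithCallerIdentity(QueryServerSideUser);
        return Content("SQL Server sees: " + dbUser);
    }
}
```

Two things to verify when testing this: connections opened under Integrated Security are pooled per Windows identity, so every impersonated user gets a separate pool, and if SQL Server runs on a different host than IIS the impersonated token must be delegable (Kerberos delegation), because a token obtained through an NTLM handshake cannot be forwarded to a second server.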

  • So domain users will actually be granted direct access to sql server? Sounds like a bit of a security concern. Wouldn't it be safer to have your application handle the logging and storing the current identity as needed, but actually connect as itself and controlled through its connectionstring/appPool identity? Basically avoiding impersonation entirely. – Pablo Romeo Dec 06 '14 at 22:50
  • Since you are using MVC, you could actually allow anonymous at the IIS level, but allow the user to log in through some action in the system (a log in button, or maybe even a separate incoming url), which would ultimately be a controller/action using the [Authorize] attribute. – Pablo Romeo Dec 06 '14 at 22:52
  • @PabloRomeo The database contains business logic, a part of which is logging. The current user for logging purposes is captured inside the database with `suser_sname()`. The database has many front-ends, the website is only one of the front-ends. All database logic is encapsulated in stored procedures. Providing the user name from outside of the DB would require passing it to all stored procedures (hundreds of them) as a parameter. This is inconvenient. – GSerg Dec 06 '14 at 23:58
  • Also, as I already said, the whole thing is not about security - everyone on the network is allowed to use the website. I don't want anyone to log in - they have already logged in to their Windows workstations. Those who are accessing the web site from e.g. Android tablets must be allowed to proceed too, without any signing in, because they have connected to the protected local wireless network, so they are already authorized to use the website too. The fact that their Windows user name will be missing from the log (because Androids don't have any) is not important in this case. – GSerg Dec 07 '14 at 00:02
