5

We are trying to use RunImpersonated(handle, action); to be able to perform a REST call from a webserver but we have a hard time doing so. Project is ASP.NET Core 2.0 MVC.

We have the following general method made to establish an imp. context on behalf of the logged-in wnd. user:

    var user = WindowsIdentity.GetCurrent();

    IntPtr token = user.Token;
    SafeAccessTokenHandle handle = new SafeAccessTokenHandle(token);

    WindowsIdentity.RunImpersonated(handle, action);

and basically in the action we make our REST call.

Thing is that we CAN run through without any problems running locally on our dev machines but we can't do the same on the remote webserver. Hence: impersonation.

Is our approach above for the imp. part right since we can't actually see if we promote any user-credentials?

We have tried different techniques in the REST-GET impl. as well without the above. On the other hand the above calls are made closer to our controller and on REST impl. not having any specifics for imp. itself.

TylerH
Michael Pauli
  • Did you ever figure this out? We are working on something similar (making calls to an intranet API from within one of our intranet sites). We were getting the server's hostname (when returning Windows.Identity.User.Name as a string from our API). We implemented something similar to your code above and now we are getting 401s, but the correct username appears to be hitting the server... Anyways, we'd appreciate any info on the matter if you figured it out! Thanks! – Derek Foulk Aug 27 '18 at 20:00
  • I am also curious if there is any guidance in regards to this – Jonas Wik Jan 22 '19 at 12:40

1 Answer

0

I was concerned with this some time ago. As far as I can remember, this worked for me:

  1. Create an asynchronous action filter:
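    using System.Security.Principal;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class ImpersonationFilter : IAsyncActionFilter
    {
        public async Task OnActionExecutionAsync(
            ActionExecutingContext context,
            ActionExecutionDelegate next)
        {
            // The authenticated caller, not the worker process account;
            // the cast requires Windows authentication on the request.
            var user = (WindowsIdentity)context.HttpContext.User.Identity;

            // Run the rest of the pipeline (the action itself) as that user.
            await WindowsIdentity.RunImpersonated(user.AccessToken, async () =>
            {
                await next();
            });
        }
    }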

Register it as any other filter.

Dharman
Filip M.
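To answer the question's "we can't actually see" part, the following added example (not from the original posts) reports which account the code runs as before and inside RunImpersonated, and what the outgoing REST call returns. The controller name and ApiUrl are hypothetical, and the site is assumed to have Windows authentication enabled.

```csharp
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Added diagnostic example; WhoAmIController and ApiUrl are hypothetical names.
public class WhoAmIController : Controller
{
    private const string ApiUrl = "https://intranet-api.example/whoami"; // placeholder

    public async Task<IActionResult> Index()
    {
        // Outside impersonation, GetCurrent() is the worker process account
        // (app pool or service identity), not the logged-in user.
        string processAccount;
        using (var process = WindowsIdentity.GetCurrent())
            processAccount = process.Name;

        // The authenticated caller comes from the request, not from GetCurrent().
        if (!(User.Identity is WindowsIdentity caller))
            return StatusCode(401, "Request is not Windows-authenticated.");

        string impersonatedAccount = null;
        var level = TokenImpersonationLevel.None;

        string apiResult = await WindowsIdentity.RunImpersonated(caller.AccessToken, async () =>
        {
            using (var current = WindowsIdentity.GetCurrent())
            {
                impersonatedAccount = current.Name;
                // Impersonation = token usable on this server only;
                // Delegation = token may be used against remote systems.
                level = current.ImpersonationLevel;
            }

            // Send the current (impersonated) Windows credentials with the call.
            using (var handler = new HttpClientHandler { UseDefaultCredentials = true })
            using (var client = new HttpClient(handler))
            {
                var response = await client.GetAsync(ApiUrl);
                return $"{(int)response.StatusCode} {response.ReasonPhrase}";
            }
        });

        return Json(new { processAccount, impersonatedAccount, level = level.ToString(), apiResult });
    }
}
```

If impersonatedAccount equals processAccount, the token passed to RunImpersonated was the process token, which is what WindowsIdentity.GetCurrent() hands back in the question's snippet.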