
I have an ASP.NET MVC 5 site that uses forms authentication via a custom membership class.

My site's login procedure:

  1. An anonymous visitor tries to navigate to my site. He's allowed to do so, but is redirected to my login page.
  2. The visitor keys his username and password, configured in my network's active directory (AD).
  3. .NET AD code validates the credential, then responds with a cookie for the visitor containing basic info (his name, email address, etc).
  4. The visitor is redirected to the home page. He's authenticated, but the site is actually running as its app pool identity, not the logged in user's AD identity.

My problem: In #4, how do I make my site's identity run as the authenticated user's AD identity, instead of the site's app pool identity? I need to do this because a certain service my app consumes requires the AD user's identity, not the app pool's identity.

Possible solution: In #2, I'm getting the visitor's username and password and using it to authenticate he is a valid AD identity. I could encrypt and save the user's password, then whenever I need to use the service which requires the user's AD identity, I could just create a new NetworkCredential from his username and password. I don't like this solution though, because I'd rather not store the user's password, if I can avoid it.

Thanks for any help!

David Alan Condit
  • You need to use impersonation. I have created many apps like that. Either use impersonation the whole time or only during the time needed. The shorter, the better for security purposes. See [this](https://stackoverflow.com/questions/1405612/impersonation-in-asp-net-mvc#1405666) question or research for it online. – CodingYoshi Apr 19 '19 at 15:31
  • If I use impersonation for a short time, I would need to save the user's password to his cookie (encrypted) so I could impersonate his credential when I need to use the service that requires it. Otherwise, how would I impersonate for his entire session? From the time he logs in until the time he leaves or his cookie expires? – David Alan Condit Apr 19 '19 at 15:35
  • See what this gives you: `(System.Security.Principal.WindowsIdentity)User.Identity` and you'll get what I mean. – CodingYoshi Apr 19 '19 at 15:40
  • That just returns an anonymous identity. My web.config is this, so maybe I'm misspeaking when I say it's forms auth. It basically works just like forms auth but is technically set as Windows. IIS enables Windows Identity, Impersonation, and Anonymous. "Connect as" is pass through as the app pool's identity. – David Alan Condit Apr 19 '19 at 16:00
  • I believe what you really mean is this: `var currentWindowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent();`, which returns MyADDomain\MyAppPoolIdentityName. – David Alan Condit Apr 19 '19 at 16:12
  • Did you do any research? See [this](https://stackoverflow.com/questions/18205458/why-do-thread-currentprincipal-identity-and-windowsidentity-getcurrent-differ) please. – CodingYoshi Apr 19 '19 at 16:23
  • Yeah. From your first link, it seems I need to configure my IIS server for delegation, so the visitor's AD credential can be passed. Maybe a better solution would be [this](https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff647248(v=pandp.10)#how-do-i-impersonate-a-specific-fixed-identity), which would seem to let me impersonate a user using his user principal name. I wouldn't need to save his password this way. – David Alan Condit Apr 19 '19 at 17:15
  • I never had to store the password. – CodingYoshi Apr 19 '19 at 20:14
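The following is an added C# example, not code from the question or from any commenter. It shows the two things the thread circles around: the diagnostic from the comments (the process identity returned by `WindowsIdentity.GetCurrent()` is the app pool account, while `User.Identity` is the visitor), and the password-free approach the asker arrives at in the last comments, impersonating the visitor by user principal name for only as long as the downstream call takes. The namespace, the `Session["upn"]` slot, the service URL and the controller names are assumptions; it also assumes the app pool account has been configured in AD for constrained delegation with protocol transition, which is what makes the UPN-based token usable for a network call.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

namespace ImpersonationExample // hypothetical namespace, not from the post
{
    // Diagnostic from the comment thread: the process identity and the
    // request identity are different things. In this setup the first is the
    // app pool account and the second is whoever logged in.
    public class WhoAmIController : Controller
    {
        public ActionResult Index()
        {
            string processIdentity = WindowsIdentity.GetCurrent().Name; // e.g. MYDOMAIN\AppPoolAccount
            string requestIdentity = User.Identity.Name;                // the authenticated visitor
            return Content($"process={processIdentity}; request={requestIdentity}", "text/plain");
        }
    }

    public static class DelegatedCall
    {
        // Impersonates an AD user by user principal name via the S4U
        // ("protocol transition") constructor WindowsIdentity(string).
        // No password is needed or stored; the domain controller issues the
        // token on behalf of the app pool account. Impersonation is scoped to
        // the using block, keeping the window as short as the comments advise.
        public static T RunAs<T>(string userPrincipalName, Func<T> work)
        {
            using (var identity = new WindowsIdentity(userPrincipalName))
            {
                // Without delegation configured for the app pool account, S4U
                // hands back an Identification-level token that cannot be used
                // for network access. Fail loudly rather than calling the
                // service with a token that will be rejected or downgraded.
                if (identity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                {
                    throw new InvalidOperationException(
                        $"S4U token for {userPrincipalName} is {identity.ImpersonationLevel}; " +
                        "constrained delegation with protocol transition is not configured.");
                }

                using (WindowsImpersonationContext ctx = identity.Impersonate())
                {
                    // Must stay synchronous: the impersonation context does not
                    // flow across await, so an async call here would run as the app pool.
                    return work();
                }
            }
        }

        // Calls an HTTP service that authenticates callers with Windows auth.
        // UseDefaultCredentials picks up the impersonated token, so the service
        // sees the visitor's AD identity instead of the app pool's.
        public static string GetAsUser(string userPrincipalName, string serviceUrl)
        {
            return RunAs(userPrincipalName, () =>
            {
                var request = (HttpWebRequest)WebRequest.Create(serviceUrl);
                request.UseDefaultCredentials = true;
                using (var response = (HttpWebResponse)request.GetResponse())
                using (var reader = new StreamReader(response.GetResponseStream()))
                {
                    return reader.ReadToEnd();
                }
            });
        }
    }

    // Example use from an MVC action. The UPN is assumed to have been saved at
    // login, right after the AD validation in step 2, alongside the name and
    // email the question already keeps; here it is read from Session["upn"].
    public class ReportController : Controller
    {
        public ActionResult Index()
        {
            string upn = (string)Session["upn"]; // assumption: UPN stored at login
            if (string.IsNullOrEmpty(upn))
                return new HttpUnauthorizedResult();

            // Placeholder URL for the service that requires the user's AD identity.
            string body = DelegatedCall.GetAsUser(upn, "https://service.example.invalid/api/report");
            return Content(body, "text/plain");
        }
    }
}
```

The `ImpersonationLevel` check is the part worth keeping even if the rest is rewritten: when delegation is not set up, `new WindowsIdentity(upn)` still succeeds, but the token it yields only identifies the user and a network call made under it silently goes out as anonymous or as the app pool, which is the situation the question describes.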

0 Answers