
I have a web application that has an HTML 5 front end that calls (via Ajax & JSON) a .NET MVC web app. The goal is to allow domain users to authenticate automatically against Active Directory and to impersonate the user so that when IIS accesses network resources it does so in the context of that user. The code that I currently use is based on the following: Impersonate using Forms Authentication. However, every so often I get “Invalid token for impersonation - it cannot be duplicated”.

Hierarchy of the web site:

Default Web Server
  \-Links_Test     <- This contains the HTML, JavaScript and CSS 
      \-data       <- This is where the C# code runs

I have tried enabling ASP.NET impersonation on both the root level (Links_Test) and the node that contains the MVC code (Links_Test > Data) and all that happens is that the browser goes in a (seemingly) endless loop prompting for a username/password. I have looked on Stack Overflow and tried googling but the results do not apply or point to outdated resources.

Other relevant information:

  • Developing the site on Windows 10 Pro with IIS 10
  • Using .NET 4.7.2
  • Authenticating users against Active Directory

My goal is to push this site onto a proper server and have IIS impersonate the user so that any actions are executed in the context of the user.

UPDATE

This is the error message I am getting:

Invalid token for impersonation - it cannot be duplicated.

at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)
at System.Security.Principal.WindowsIdentity..ctor(SerializationInfo info)
at System.Security.Principal.WindowsIdentity..ctor(SerializationInfo info, StreamingContext context)
at Void .ctor(System.Runtime.Serialization.SerializationInfo, System.Runtime.Serialization.StreamingContext)(Object[] )
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateISerializable(JsonReader reader, JsonISerializableContract contract, JsonProperty member, String id)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
at TFS.Key2.API.Data_Encryption.EncryptedBuffer.DecryptData[T]() in C:\Source\repos\TFS.Key2.WebSite\TFS.Key2.API.Types\Data Encryption\EncryptedBuffer.cs:line 48
at TFS.Key2.API.Helpers.HttpCookieHelper.GetEncryptedValue[T](HttpCookie Cookie) in C:\Source\repos\TFS.Key2.WebSite\TFS.Key2.API.Types\Helpers\HttpCookieHelper.cs:line 34
at TFS.Key2.WebSite.WebApiApplication.Application_PreRequestHandlerExecute(Object Sender, EventArgs E) in C:\Source\repos\TFS.Key2.WebSite\TFS.Key2.WebSite\Global.asax.cs:line 130
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Graham Harris
  • The code in that link is something you should not, and I gather don't want to do. It is collecting the user's Windows Credentials through an HTML form, and then using those credentials to call LogonUser and perform impersonation. Instead you are using Windows Integrated authentication in IIS and then impersonating, correct? If so that code is not what you want. – David Browne - Microsoft May 24 '19 at 20:14
  • You must reveal more information about the error you got, as it can be caused by many things. Overall, the linked approach has its limitation, as the token returned from `LogonUser` is an impersonation token, not a primary token, https://learn.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-logonusera#remarks so its usage cannot cover all possible scenarios. – Lex Li May 25 '19 at 04:49
  • @DavidBrowne-Microsoft that is correct, what I want to be able to do is for the user to point their browser to (for example) DatabaseSearch.html and NOT have to log in using their windows credentials and in code call LogonUser. – Graham Harris May 25 '19 at 07:46
  • @LexLi I will try and capture the error and post it here. – Graham Harris May 25 '19 at 07:47
  • @LexLi I have updated my question with the error I am getting – Graham Harris May 26 '19 at 19:23
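
The stack trace above shows the failing path: a WindowsIdentity is deserialized from an encrypted cookie (EncryptedBuffer.DecryptData → Newtonsoft → WindowsIdentity(SerializationInfo) → CreateFromToken), and the token handle it carries is only valid in the process and session that created it, so reconstructing it on a later request is exactly the "cannot be duplicated" case. The following is an added example, not the asker's project code, showing the approach David Browne describes in the comments: let IIS do Windows Integrated authentication and impersonate the request's own identity for the duration of the call, never storing the token in a cookie. It assumes an ASP.NET MVC app on .NET 4.7.2 hosted in IIS with Windows Authentication enabled and Anonymous Authentication disabled on the "data" application; the controller name, action and UNC path are hypothetical.

```csharp
// Added example; assumes the "data" application in IIS has Windows Authentication enabled,
// Anonymous Authentication disabled, and this in its web.config:
//
//   <system.web>
//     <authentication mode="Windows" />
//   </system.web>
//
// No <identity impersonate="true"/> is required when impersonating per call as below.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public class ShareController : Controller
{
    // Hypothetical UNC path; replace with the resource the application actually needs.
    private const string SharePath = @"\\fileserver\links\";

    // [Authorize] rejects unauthenticated requests outright rather than letting the action
    // silently run under the application pool identity.
    [Authorize]
    public ActionResult ListFiles()
    {
        // The identity IIS established for this request. It is never serialized anywhere:
        // a WindowsIdentity wraps a process-local token handle, so a handle reconstructed
        // from a cookie on a later request cannot be duplicated.
        var identity = HttpContext.User.Identity as WindowsIdentity;
        if (identity == null || identity.IsAnonymous)
        {
            // Windows authentication is not in effect (for example Anonymous is still enabled
            // in IIS), so fail closed instead of acting as the app pool account.
            return new HttpUnauthorizedResult();
        }

        // RunImpersonated (available since .NET Framework 4.6) impersonates on the current
        // thread only and reverts when the callback returns, even if it throws.
        string[] files = WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
        {
            // Everything in here runs as the caller, so the server's NTFS and share ACLs
            // decide what this user may see.
            return Directory.GetFiles(SharePath);
        });

        return Json(new { user = identity.Name, files }, JsonRequestBehavior.AllowGet);
    }
}
```

Two caveats a practitioner will hit with this pattern. First, as Lex Li's comment notes, the token IIS hands the application is an impersonation token: it authorizes local access on the web server, but it cannot by itself authenticate to a second machine such as a file server (the "double hop"), so reaching a remote share in the user's context additionally requires Kerberos delegation (constrained delegation for the application pool account) to be configured in Active Directory. Second, if Anonymous Authentication is left enabled alongside Windows Authentication, IIS serves the request anonymously and the fail-closed branch above returns 401 rather than quietly running as the app pool identity; the repeated credential prompt described in the question is worth checking against that setting first.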

0 Answers