
I am using Forms Authorization to log in to my web application against the Active Directory. What I am trying to do is impersonate that user when they log in. But I am running into a few problems: when I enable impersonation either via IIS or web.config I get a 500 error. Here is that section of my web.config:

<customErrors mode="Off"/>
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Login/Index" timeout="45" slidingExpiration="false" protection="All" path="/" />
</authentication>
<identity impersonate="true" />
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

If I set my credentials in the identity element it works without adjusting my IIS:

<identity impersonate="true" userName="domain\username" password="password" />

Here is my authorization in my IIS; this is what it's currently set to:

[screenshot of the IIS Authentication settings; image not available]

If I disable Anonymous and enable impersonation, I get a 500 error.

What am I doing wrong, and how do I get Forms Authentication to work with Impersonation?

Here is my login Controller:

[HttpPost]
public ActionResult Index(Login model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Validate the credentials against Active Directory through the configured membership provider.
    if (Membership.ValidateUser(model.UserName, model.Password))
    {
        // Issues the forms ticket cookie only; this does not create a Windows token for the user.
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Only follow returnUrl when it is a local, non-protocol-relative path (open-redirect guard).
        if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
        {
            return Redirect(returnUrl);
        }

        return RedirectToAction("Index", "Home");
    }

    ModelState.AddModelError("", "The user name or password provided is incorrect.");
    return View(model);
}

UPDATE

I got past the 500 error via <validation validateIntegratedModeConfiguration="false" />, but the impersonation is still not working unless I set the credentials. Is there a way I can set the credentials of the person logging in?

UPDATE

When I run this code, I can see that it is populated with the correct username and impersonate is set to true. What am I doing wrong?

System.Security.Principal.WindowsIdentity.GetCurrent()
Asked by user979331; edited by Reza Aghaei
  • What is the content of the HTTP 500 error? That sounds important and relevant. – Dai Feb 07 '20 at 15:02
  • 500 - Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed. – user979331 Feb 07 '20 at 15:06
  • This happens if I go to any page in the web application. – user979331 Feb 07 '20 at 15:06
  • You need to enable detailed HTTP 500 error messages. Do you have error-logging configured? – Dai Feb 07 '20 at 15:21
  • I got past the 500 error via , but the impersonation is still not working unless I set the credentials. Is there a way I can set the credentials of the person logging in? – user979331 Feb 07 '20 at 15:31
  • This has been [answered](https://stackoverflow.com/questions/1066275/impersonate-using-forms-authentication) years ago. – Wiktor Zychla Feb 09 '20 at 21:10
  • What is the error you are getting after having disabled `validateIntegratedModeConfiguration`? – timur Feb 10 '20 at 06:24
  • *Is there a way I can set the credentials of the person logging in* → No, without using the user's password, you cannot do impersonation. – Reza Aghaei Feb 10 '20 at 15:41

1 Answer

Focusing on this part: What I am trying to do is when the user logins, impersonate that user.

What you are looking for is called delegation.

Delegation without using the username and password of the user relies on Integrated Windows Authentication. You cannot achieve it using Forms Authentication unless you use the username and password of the user and do protocol transition.

For learning purposes, this post shows an example of how you can do it in code by using the username and password which you receive from the login page.

I know this may be disappointing, but if you need delegation, you should rely on Windows Authentication and configure the browser, IIS and the ASP.NET application. To see a complete guide, take a look at How to configure an ASP.NET application for a delegation scenario.

This is not a complete guide to the configurations; however, it shows you the most important ones:

  • Set up browser: To set up the browser, for IE, you need to check Enable Windows Integrated Authentication in the Advanced tab of Internet Options.
  • Set up IIS: To set up IIS, you need to disable all authentications on IIS including Anonymous Authentication and just enable Windows Authentication.
  • Set up ASP.NET application: In the web.config you need to set <authentication mode="Windows" />, and also set <identity impersonate="true" />, and also <allow users="*" /><deny users="?" />

Answered by Reza Aghaei