
Add trick to impersonate current Windows user in the ASP.NET application

ubikuity committed Apr 27, 2015
1 parent e654b46 commit ed660effc08f2a89ed621b62bbda6b71e72a6e3e
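--- a/Controllers/LogAsController.cs
+++ b/Controllers/LogAsController.cs
@@ -0,0 +1,45 @@
+using DemoImpersonateWindowsUserAspnet.Models;
+using System;
+using System.Web;
+using System.Web.Mvc;
+namespace DemoImpersonateWindowsUserAspnet.Controllers
+{
+#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
+public class LogAsController : Controller
+{
+[HttpGet]
+public ActionResult Index()
+{
+var userNameWithoutDomain = Request.QueryString["user"];
+if (!string.IsNullOrEmpty(userNameWithoutDomain) && !userNameWithoutDomain.Contains(@"\"))
+{
+var userNameCookie = new HttpCookie(Constants.ImpersonateTrickCookieName) { Domain = null, Value = userNameWithoutDomain, Path = Request.ApplicationPath, HttpOnly = false };
+HttpContext.Response.Cookies.Add(userNameCookie);
+}
+else
+{
+// Delete cookie and go back real connected user
+DeleteImpersonationCookie();
+}
+return RedirectToAction("Index", "Home");
+}
+[HttpGet]
+public ActionResult Reset()
+{
+DeleteImpersonationCookie();
+return RedirectToAction("Index", "Home");
+}
+private void DeleteImpersonationCookie()
+{
+if (HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName] != null)
+{
+HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Value = null;
+HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Expires = DateTime.Now.AddMonths(-1);
+}
+}
+}
+#endif
+}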
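Review bot: `DeleteImpersonationCookie` expires the cookie through `Response.Cookies[...]` with the default path, while `Index` creates it with `Path = Request.ApplicationPath`; when the application is not mounted at the site root the browser treats these as two different cookies and `Reset` leaves the impersonation in place. Set the same path before expiring it: `HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Path = Request.ApplicationPath;`. The `!= null` guard around it is also always true, because indexing `Response.Cookies` by a missing name creates that cookie, so the method can simply set the three properties without the check. Beyond `#if DEBUG` nothing restricts who may call this endpoint, so any authenticated user who reaches a Debug build can become any Windows account; a runtime guard such as `if (!Request.IsLocal) return new HttpNotFoundResult();` at the top of `Index` and `Reset` keeps the trick usable only from the developer's own machine. I would state that in the class comment too, since a Debug build landing on a shared test server is the realistic way this escapes.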
@@ -112,9 +112,11 @@
<Compile Include="App_Start\FilterConfig.cs" />
<Compile Include="App_Start\RouteConfig.cs" />
<Compile Include="Controllers\HomeController.cs" />
<Compile Include="Controllers\LogAsController.cs" />
<Compile Include="Global.asax.cs">
<DependentUpon>Global.asax</DependentUpon>
</Compile>
<Compile Include="Models\Constants.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
@@ -156,7 +158,6 @@
</ItemGroup>
<ItemGroup>
<Folder Include="App_Data\" />
<Folder Include="Models\" />
</ItemGroup>
<ItemGroup>
<Content Include="fonts\glyphicons-halflings-regular.woff" />
@@ -1,6 +1,6 @@
using System;
using System.Collections.Generic;
using System.Linq;
using DemoImpersonateWindowsUserAspnet.Models;
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Optimization;
@@ -17,5 +17,20 @@ protected void Application_Start()
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
}
#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
if (HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName] != null)
{
string userName = HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName].Value;
if (userName != null)
{
HttpContext.Current.User = new WindowsPrincipal(new System.Security.Principal.WindowsIdentity(userName, HttpContext.Current.User.Identity.AuthenticationType));
}
}
}
#endif
}
}
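Review bot: The `new WindowsIdentity(userName, ...)` call on the `HttpContext.Current.User =` line is unguarded and this handler runs on every request before any controller, so if the cookie holds a name the logon cannot resolve (a typo, or a machine where that constructor is refused) the exception repeats on every request, including `/LogAs/Reset`, and the only way out is clearing the cookie by hand. Catch the failure and keep the real principal (sketched below), and test `string.IsNullOrEmpty(userName)` instead of `userName != null`, since a received cookie's Value is never null and an empty name would reach the constructor. `WindowsIdentity(string, string)` treats its first argument as a user principal name and performs an S4U logon; whether the bare account name the README prescribes resolves depends on the domain and Kerberos setup, so that is worth confirming on the target environment. Security-wise the only gate is `#if DEBUG` and the principal is taken from a purely client-supplied cookie with no check that the real caller may impersonate, so this must never ship in a build that reaches a shared server. The enclosing class (only `Application_Start` is visible in the hunk header) starts before the hunk.
```csharp
string userName = HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName].Value;
if (!string.IsNullOrEmpty(userName))
{
    try
    {
        HttpContext.Current.User = new WindowsPrincipal(new WindowsIdentity(userName, HttpContext.Current.User.Identity.AuthenticationType));
    }
    catch (System.Security.SecurityException)
    {
        // Logon refused or account not found: keep the real Windows user so the
        // request (including /LogAs/Reset) still completes instead of failing forever.
    }
    catch (UnauthorizedAccessException)
    {
        // Same fallback: the process lacks the right to build this identity.
    }
}
```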
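--- a/Models/Constants.cs
+++ b/Models/Constants.cs
@@ -0,0 +1,7 @@
+namespace DemoImpersonateWindowsUserAspnet.Models
+{
+public class Constants
+{
+public const string ImpersonateTrickCookieName = "CookieImpersonateTrick";
+}
+}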
@@ -0,0 +1,33 @@
How to impersonate user (for testing purpose) on ASP.NET application with Windows authentication
================================================================================================
The goal of this application is to show you how to impersonate the connected Windows user on an ASP.NET application which is using Windows authentication (usually an Intranet application).
The Windows authentication (NTLM) is enabled in the Web.config:
```
<system.web>
<authentication mode="Windows" />
</system.web>
```
**How to impersonate another user**:
- Open the ASP.NET application project [DemoImpersonateWindowsUserAspnet.sln](https://github.com/ubikuity/impersonate-windows-user-aspnet/DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet.sln)
- Run the ASP.NET application (Ctrl+F5)
- To impersonate a user, add in the URL **/LogAs?user=anotherUser** (where "anotherUser" is the Windows username of the person you want to impersonate in the application)
- You can act within the application as the impersonated user
- To log out, type in the URL **/LogAs?reset**
**Notes**:
- **For security/audit reasons, you should not give the ability to impersonate a user on Production.**
- The username of the user to impersonate should be typed without the Windows domain name: /LogAs?user=johnDoe (and not /LogAs?user=MYDOMAIN\johnDoe)
**Technical information:**
- The trick is to create a cookie containing the username we want to impersonate, then after normal Windows autentication, we redefine on the fly HttpContext.Current.User for each new request (see Global.asax.cs).
**References:**
- Inspired by [http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx](http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx)
