Add trick to impersonate current Windows user in the ASP.NET application

Author: ubikuity

DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet/Controllers/LogAsController.cs

@@ -0,0 +1,45 @@
+using DemoImpersonateWindowsUserAspnet.Models;
+using System;
+using System.Web;
+using System.Web.Mvc;
+
+namespace DemoImpersonateWindowsUserAspnet.Controllers
+{
+#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
+    public class LogAsController : Controller
+    {
+        [HttpGet]
+        public ActionResult Index()
+        {
+            var userNameWithoutDomain = Request.QueryString["user"];
+            if (!string.IsNullOrEmpty(userNameWithoutDomain) && !userNameWithoutDomain.Contains(@"\"))
+            {
+                var userNameCookie = new HttpCookie(Constants.ImpersonateTrickCookieName) { Domain = null, Value = userNameWithoutDomain, Path = Request.ApplicationPath, HttpOnly = false };
+                HttpContext.Response.Cookies.Add(userNameCookie);
+            }
+            else
+            {
+                // Delete cookie and go back real connected user
+                DeleteImpersonationCookie();
+            }
+            return RedirectToAction("Index", "Home");
+        }
+
+        [HttpGet]
+        public ActionResult Reset()
+        {
+            DeleteImpersonationCookie();
+            return RedirectToAction("Index", "Home");
+        }
+
+        private void DeleteImpersonationCookie()
+        {
+            if (HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName] != null)
+            {
+                HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Value = null;
+                HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Expires = DateTime.Now.AddMonths(-1);
+            }
+        }
+    }
+#endif
+}

DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet.csproj

@@ -112,9 +112,11 @@
     <Compile Include="App_Start\FilterConfig.cs" />
     <Compile Include="App_Start\RouteConfig.cs" />
     <Compile Include="Controllers\HomeController.cs" />
+    <Compile Include="Controllers\LogAsController.cs" />
     <Compile Include="Global.asax.cs">
       <DependentUpon>Global.asax</DependentUpon>
     </Compile>
+    <Compile Include="Models\Constants.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
@@ -156,7 +158,6 @@
   </ItemGroup>
   <ItemGroup>
     <Folder Include="App_Data\" />
-    <Folder Include="Models\" />
   </ItemGroup>
   <ItemGroup>
     <Content Include="fonts\glyphicons-halflings-regular.woff" />

DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet/Global.asax.cs

@@ -1,6 +1,6 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
+using DemoImpersonateWindowsUserAspnet.Models;
+using System;
+using System.Security.Principal;
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Optimization;
@@ -17,5 +17,20 @@ protected void Application_Start()
             RouteConfig.RegisterRoutes(RouteTable.Routes);
             BundleConfig.RegisterBundles(BundleTable.Bundles);
         }
+
+#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
+        protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
+        {
+            if (HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName] != null)
+            {
+                string userName = HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName].Value;
+                if (userName != null)
+                {
+                    HttpContext.Current.User = new WindowsPrincipal(new  System.Security.Principal.WindowsIdentity(userName, HttpContext.Current.User.Identity.AuthenticationType));
+                }
+            }
+        }
+#endif
+
     }
 }

DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet/Models/Constants.cs

@@ -0,0 +1,7 @@
+namespace DemoImpersonateWindowsUserAspnet.Models
+{
+    public class Constants
+    {
+        public const string ImpersonateTrickCookieName = "CookieImpersonateTrick";
+    }
+}

README.md

@@ -0,0 +1,33 @@
+How to impersonate user (for testing purpose) on ASP.NET application with Windows authentication
+================================================================================================
+
+The goal of this application is to show you how to impersonate the connected Windows user on an ASP.NET application which is using Windows authentication (usually an Intranet application).
+
+The Windows authentication (NTLM) is enabled in the Web.config:
+
+```
+  <system.web>
+    <authentication mode="Windows" />
+  </system.web>
+```
+
+**How to impersonate another user**:
+
+- Open the ASP.NET application project [DemoImpersonateWindowsUserAspnet.sln](https://github.com/ubikuity/impersonate-windows-user-aspnet/DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet.sln)
+- Run the ASP.NET application (Ctrl+F5)
+- To impersonate a user, add in the URL **/LogAs?user=anotherUser** (where "anotherUser" is the Windows username of the person you want to impersonate in the application)  
+- You can act within the application as the impersonated user
+- To log out, type in the URL **/LogAs?reset**
+
+**Notes**:
+
+- **For security/audit reasons, you should not give the ability to impersonate a user on Production.**
+- The username of the user to impersonate should be typed without the Windows domain name: /LogAs?user=johnDoe (and not /LogAs?user=MYDOMAIN\johnDoe)
+
+**Technical information:**
+
+- The trick is to create a cookie containing the username we want to impersonate, then after normal Windows autentication, we redefine on the fly HttpContext.Current.User for each new request (see Global.asax.cs).
+
+**References:**
+
+- Inspired by [http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx](http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx)