
Add trick to impersonate current Windows user in the ASP.NET application

1 parent e654b46 commit ed660effc08f2a89ed621b62bbda6b71e72a6e3e @ubikuity committed Apr 27, 2015
@@ -0,0 +1,45 @@
+using DemoImpersonateWindowsUserAspnet.Models;
+using System;
+using System.Web;
+using System.Web.Mvc;
+
+namespace DemoImpersonateWindowsUserAspnet.Controllers
+{
+#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
+ public class LogAsController : Controller
+ {
+ [HttpGet]
+ public ActionResult Index()
+ {
+ var userNameWithoutDomain = Request.QueryString["user"];
+ if (!string.IsNullOrEmpty(userNameWithoutDomain) && !userNameWithoutDomain.Contains(@"\"))
+ {
+ var userNameCookie = new HttpCookie(Constants.ImpersonateTrickCookieName) { Domain = null, Value = userNameWithoutDomain, Path = Request.ApplicationPath, HttpOnly = false };
+ HttpContext.Response.Cookies.Add(userNameCookie);
+ }
+ else
+ {
+ // Delete cookie and go back real connected user
+ DeleteImpersonationCookie();
+ }
+ return RedirectToAction("Index", "Home");
+ }
+
+ [HttpGet]
+ public ActionResult Reset()
+ {
+ DeleteImpersonationCookie();
+ return RedirectToAction("Index", "Home");
+ }
+
+ private void DeleteImpersonationCookie()
+ {
+ if (HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName] != null)
+ {
+ HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Value = null;
+ HttpContext.Response.Cookies[Constants.ImpersonateTrickCookieName].Expires = DateTime.Now.AddMonths(-1);
+ }
+ }
+ }
+#endif
+}
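Review bot: DeleteImpersonationCookie (lines 43-50) expires a cookie fetched through `Response.Cookies[...]`, but that indexer creates the cookie when it is absent, so the null guard on line 45 never fails, and the cookie it creates has the default path rather than the `Request.ApplicationPath` that Index set on line 25; when the application is not mounted at the site root the browser sees a different cookie and the impersonation cookie survives Reset. Build the expiry cookie explicitly with the same path, `var expired = new HttpCookie(Constants.ImpersonateTrickCookieName) { Path = Request.ApplicationPath, Expires = DateTime.UtcNow.AddMonths(-1) };` followed by `HttpContext.Response.Cookies.Add(expired);`, which also drops the always-true check. On the cookie created in Index, nothing in this commit reads it from script, so `HttpOnly = true` would be the safer default, and `Secure = Request.IsSecureConnection` keeps it off plain HTTP when the site is served over TLS. The `#if DEBUG` guard is compile-time only; a runtime check such as `if (!HttpContext.IsDebuggingEnabled) return HttpNotFound();` at the top of both actions would also cover a Debug build that reaches a server by mistake.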
@@ -112,9 +112,11 @@
<Compile Include="App_Start\FilterConfig.cs" />
<Compile Include="App_Start\RouteConfig.cs" />
<Compile Include="Controllers\HomeController.cs" />
+ <Compile Include="Controllers\LogAsController.cs" />
<Compile Include="Global.asax.cs">
<DependentUpon>Global.asax</DependentUpon>
</Compile>
+ <Compile Include="Models\Constants.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
@@ -156,7 +158,6 @@
</ItemGroup>
<ItemGroup>
<Folder Include="App_Data\" />
- <Folder Include="Models\" />
</ItemGroup>
<ItemGroup>
<Content Include="fonts\glyphicons-halflings-regular.woff" />
@@ -1,6 +1,6 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
+using DemoImpersonateWindowsUserAspnet.Models;
+using System;
+using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Optimization;
@@ -17,5 +17,20 @@ protected void Application_Start()
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
}
+
+#if DEBUG // For security/audit reasons, you should not give the ability to impersonate a user on Production
+ protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
+ {
+ if (HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName] != null)
+ {
+ string userName = HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName].Value;
+ if (userName != null)
+ {
+ HttpContext.Current.User = new WindowsPrincipal(new System.Security.Principal.WindowsIdentity(userName, HttpContext.Current.User.Identity.AuthenticationType));
+ }
+ }
+ }
+#endif
+
}
}
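Review bot: The `userName != null` check on line 95 lets an empty cookie value through, and any value that WindowsIdentity cannot resolve makes the constructor on line 97 throw inside PostAuthenticateRequest, which runs for every request including `/LogAs/Reset`, so a mistyped user name leaves the session failing until the cookie is removed by hand. Tighten the check to `string.IsNullOrWhiteSpace` and fall back to the real principal when the lookup fails (sketch below); in practice the failed logon surfaces as a SecurityException, so that is the type to catch, but confirm on your platform. Line 97 also spells out `System.Security.Principal.WindowsIdentity` although the earlier hunk adds `using System.Security.Principal;`. Because the cookie value is taken from the client as-is, in a Debug build any caller who can set a cookie chooses the principal; if this is ever enabled beyond a developer machine, the real authenticated identity should be checked against an allow-list before impersonating. The enclosing MvcApplication class starts outside the hunk.
```csharp
string userName = HttpContext.Current.Request.Cookies[Constants.ImpersonateTrickCookieName].Value;
if (!string.IsNullOrWhiteSpace(userName))
{
    try
    {
        HttpContext.Current.User = new WindowsPrincipal(new WindowsIdentity(userName, HttpContext.Current.User.Identity.AuthenticationType));
    }
    catch (System.Security.SecurityException)
    {
        // Account could not be resolved: keep the real Windows principal so the request
        // (including /LogAs/Reset) still runs instead of failing on every hit.
    }
}
```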
@@ -0,0 +1,7 @@
+namespace DemoImpersonateWindowsUserAspnet.Models
+{
+ public class Constants
+ {
+ public const string ImpersonateTrickCookieName = "CookieImpersonateTrick";
+ }
+}
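Review bot: Constants on line 108 holds only a `const` and is never instantiated, so declare it `public static class Constants` to make that explicit and prevent `new Constants()` (CA1052). A one-line `/// <summary>Name of the cookie carrying the user name for the DEBUG-only impersonation trick.</summary>` on the field would also help, since the name is read from two other files.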
@@ -0,0 +1,33 @@
+How to impersonate user (for testing purpose) on ASP.NET application with Windows authentication
+================================================================================================
+
+The goal of this application is to show you how to impersonate the connected Windows user on an ASP.NET application which is using Windows authentication (usually an Intranet application).
+
+The Windows authentication (NTLM) is enabled in the Web.config:
+
+```
+ <system.web>
+ <authentication mode="Windows" />
+ </system.web>
+```
+
+**How to impersonate another user**:
+
+- Open the ASP.NET application project [DemoImpersonateWindowsUserAspnet.sln](https://github.com/ubikuity/impersonate-windows-user-aspnet/DemoImpersonateWindowsUserAspnet/DemoImpersonateWindowsUserAspnet.sln)
+- Run the ASP.NET application (Ctrl+F5)
+- To impersonate a user, add in the URL **/LogAs?user=anotherUser** (where "anotherUser" is the Windows username of the person you want to impersonate in the application)
+- You can act within the application as the impersonated user
+- To log out, type in the URL **/LogAs?reset**
+
+**Notes**:
+
+- **For security/audit reasons, you should not give the ability to impersonate a user on Production.**
+- The username of the user to impersonate should be typed without the Windows domain name: /LogAs?user=johnDoe (and not /LogAs?user=MYDOMAIN\johnDoe)
+
+**Technical information:**
+
+- The trick is to create a cookie containing the username we want to impersonate, then after normal Windows autentication, we redefine on the fly HttpContext.Current.User for each new request (see Global.asax.cs).
+
+**References:**
+
+- Inspired by [http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx](http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx)
