Saturday, March 24, 2012

Web service Impersonation?

When I set up impersonation in the web.config file and specify a user and
password I get strange results. This line of code will get me the user
account I set to impersonate:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
This line of code will get me my user account every time:
System.Threading.Thread.CurrentPrincipal.Identity.Name
What's the difference? Shouldn't they both be the user I am trying to
impersonate?
Thanks
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
Frank,
No, they should not. When you impersonate through the WindowsIdentity
object, it does not change the current principal on the thread. The reason
for this is that you can have different implementations of IPrincipal which
don't necessarily map to windows users and groups. To that end, having
WindowsIdentity change the current thread's principal would be wrong.
Hope this helps.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account every time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? Shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Thanks Nicholas,
But how do you know which Principal is being used by your code? Let's say I
have a routine that writes a file to the local directory. How do I ensure
that code is using my impersonated user's rights?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote in
message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
> Frank,
> No, they should not. When you impersonate through the WindowsIdentity
> object, it does not change the current principal on the thread. The reason
> for this is that you can have different implementations of IPrincipal which
> don't necessarily map to windows users and groups. To that end, having
> WindowsIdentity change the current thread's principal would be wrong.
> Hope this helps.
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - mvp@.spam.guard.caspershouse.com
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
is your server trusted for delegation?
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account every time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? Shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Frank,
The code will use the rights of whomever the thread is currently running
under. If you always want to base this on the Windows identity, you can
call the static GetCurrent method on the WindowsIdentity type, passing true
for the ifImpersonating parameter.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5d307$1_1@.mcse.ms...
> Thanks Nicholas,
> But how do you know which Principal is being used by your code? Let's say I
> have a routine that writes a file to the local directory. How do I ensure
> that code is using my impersonated user's rights?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote in
> message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
asp.net separates the thread identity from the authenticated user identity.
when the user is authenticated (not anonymous), you have three options:
1) the thread runs as the asp.net account (default)
2) the thread impersonates the authenticated account (must use windows
authentication). set impersonate=true in web config
3) the thread impersonates the account specified in the web config.
you picked the third option, so the CurrentPrincipal is the authenticated
account and WindowsIdentity is the thread identity.
note: CurrentPrincipal is a WindowsIdentity only if windows authentication is
used.
-- bruce (sqlwork.com)
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
| When I set up impersonation in the web.config file and specify a user and
| password I get strange results. This line of code will get me the user
| account I set to impersonate:
| System.Security.Principal.WindowsIdentity.GetCurrent().Name
|
| This line of code will get me my user account every time:
|
| System.Threading.Thread.CurrentPrincipal.Identity.Name
|
| What's the difference? Shouldn't they both be the user I am trying to
| impersonate?
|
| Thanks
|
|
| Frank Wisniewski MCSE 4.0, MCP+I, A+
| f p w 2 3 @. h o t m a i l . c o m
|
|
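The following is an added example, not code posted in this thread, pulling together Nicholas's answer (check `WindowsIdentity.GetCurrent(true)` to see whose rights a file write will actually use) and Bruce's breakdown of the three web.config identity options. It assumes a .NET Framework ASP.NET application (`System.Web`); the class name, method names and the file path are placeholders chosen for the example.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;

// Added example, not from the thread. Assumes .NET Framework ASP.NET with one
// of the three web.config identity settings Bruce lists:
//   1) no <identity> element               -> thread runs as the ASP.NET process account
//   2) <identity impersonate="true"/> plus Windows authentication
//                                          -> thread impersonates the authenticated user
//   3) <identity impersonate="true" userName="..." password="..."/>
//                                          -> thread impersonates that fixed account
// In option 3 the two identities Frank printed legitimately differ.
public static class ImpersonationProbe
{
    // Builds one log line showing both identities so the difference is visible.
    public static string Describe()
    {
        // Thread.CurrentPrincipal is the authenticated caller as ASP.NET set it.
        // It is a WindowsIdentity only under Windows authentication (Bruce's note)
        // and is never what the Win32 access check consults.
        IIdentity caller = Thread.CurrentPrincipal == null ? null : Thread.CurrentPrincipal.Identity;
        string callerName = (caller == null || !caller.IsAuthenticated) ? "<anonymous>" : caller.Name;
        string callerKind = caller == null ? "none" : caller.GetType().Name;

        // GetCurrent(true) returns the impersonated identity, or null when the
        // thread is not impersonating at all (option 1).
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);
        // GetCurrent() with no argument always returns the token the thread is
        // running under, impersonated or not: this is what file I/O will use.
        string threadName = WindowsIdentity.GetCurrent().Name;

        return string.Format("principal={0} ({1}); thread-token={2}; impersonating={3}",
            callerName, callerKind, threadName, impersonated != null);
    }

    // Writes a file only when the thread is impersonating, so the ACL check on
    // `path` is made against the impersonated account rather than the process
    // account. Returns false instead of silently writing as the process account.
    public static bool TryWriteAsImpersonatedUser(string path, string content)
    {
        WindowsIdentity token = WindowsIdentity.GetCurrent(true);
        if (token == null)
            return false;   // not impersonating (option 1): caller decides what to do

        File.WriteAllText(path, content);   // access check uses token's rights
        return true;
    }

    // Option 1 deployment with Windows authentication: impersonate the caller
    // explicitly and only for the duration of the write, then revert.
    public static bool TryWriteAsCaller(string path, string content)
    {
        WindowsIdentity caller = Thread.CurrentPrincipal == null
            ? null
            : Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return false;   // anonymous, or a non-Windows principal: nothing to impersonate

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            File.WriteAllText(path, content);   // runs with the caller's rights
        }   // Dispose() calls Undo(), so the thread reverts to the process account
        return true;
    }
}
```

Scoping the impersonation to a `using` block is the part that matters for least privilege: the thread reverts to the process account as soon as the write finishes, and `Describe()` logged from inside and outside that block shows the thread token changing while `Thread.CurrentPrincipal` stays the same, which is exactly the behaviour Nicholas describes. Impersonating the caller's token this way is enough for local files; reaching a remote share with it needs a token that can be delegated, which is the "trusted for delegation" point Consultant raises below.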
I am running it from my local machine which is part of the domain, is that
what you are asking?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...
> is your server trusted for delegation?
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
no, in order for impersonation to work, the server must be trusted for
delegation within active directory
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5f9bd_1@.mcse.ms...
> I am running it from my local machine which is part of the domain, is that
> what you are asking?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
> news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...
