CS795
.NET Impersonation… Why & How?
Presented by: Vijay Reddy Mara
Introduction
What is Impersonation?
Why Impersonation?
How Impersonation?
Levels of Impersonation
Advantages and Disadvantages
What is impersonation?
Impersonation is the process of assigning a user account to an unknown user.
Impersonation is one of the most useful mechanisms in Windows security.
Mechanism
This mechanism allows a server process to run using the security credentials of the client. When the server is impersonating the client, any operations performed by the server are performed using the client's credentials.
Impersonation by itself does not allow the server to access remote resources on behalf of the client; crossing to another machine as the client requires the delegation level described under "Levels of Impersonation".
Impersonation (diagram slide; the figure is not reproduced in this transcript)
Why Impersonation?
The usual reason for enabling impersonation is to avoid dealing with authentication and authorization issues in the ASP.NET application code.
Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user.
How to configure Impersonation?
By default, impersonation is disabled at the machine level (Machine.config):
<identity impersonate="false"/>
A minimal configuration to enable it, placed in the application's Web.config inside <system.web>, is as follows:
<!-- Web.config file. -->
<identity impersonate="true"/>
Different types of impersonation
Impersonate the IIS Authenticated Account or User
Impersonate a Specific User for All the Requests of an ASP.NET Application
Impersonate the Authenticating User in Code
Impersonate the IIS Authenticated Account or User
<identity impersonate="true" />
Impersonate a Specific User for All the Requests of an ASP.NET Application
<identity impersonate="true" userName="accountname" password="password" />
This form stores the account's credentials in clear text in the configuration file, so restrict who can read Web.config (ASP.NET 2.0 can also encrypt the <identity> section with aspnet_regiis).
Impersonate the Authenticating User in Code:
System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
// Insert your code that runs under the security context of the authenticating user here.
impersonationContext.Undo(); // revert the thread to the process identity
Impersonating by using LogonUser
// LogonUser and CloseHandle are P/Invoke declarations for the Win32 APIs (not shown on the slide).
bool loggedOn = LogonUser(user, domain, password, LogonType.Interactive, LogonProvider.Default, out userHandle);
if (!loggedOn)
    return; // logon failed: stop here rather than continue as the process identity

// Begin impersonating the user
WindowsImpersonationContext impersonationContext = WindowsIdentity.Impersonate(userHandle.Token);

DoSomeWorkWhileImpersonating();

// Clean up: revert the thread, then release the logon token
impersonationContext.Undo();
CloseHandle(userHandle);
Impersonating by using the WindowsIdentity Constructor
using System.Security.Principal;
...
// UPN of the account to impersonate; this constructor needs no password (Kerberos S4U logon).
WindowsIdentity wi = new WindowsIdentity("userName@fullyqualifieddomainName");
WindowsImpersonationContext ctx = null;
try
{
    ctx = wi.Impersonate();
    // Thread is now impersonating
}
catch
{
    // Prevent exceptions propagating.
}
finally
{
    // Ensure impersonation is reverted (ctx stays null if Impersonate() threw)
    if (ctx != null)
        ctx.Undo();
}
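The two code slides above both rely on the caller pairing Impersonate() with Undo() by hand. The following helper is an added example (not code from the slides or from Microsoft's documentation) that wraps that pair so the revert cannot be skipped and records which account the work actually ran as, which is what the "Auditing" advantage depends on. The helper name, the sample file and the self-impersonation in Main are all constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not code from the slides or from Microsoft's documentation.
public static class ImpersonationHelper
{
    // Runs 'work' on the current thread as 'identity', then always reverts.
    // Returns the account name the work ran as, for the caller's audit log.
    public static string RunAs(WindowsIdentity identity, Action work)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (work == null) throw new ArgumentNullException("work");

        string before = WindowsIdentity.GetCurrent().Name;
        string ranAs;

        // WindowsImpersonationContext implements IDisposable and Dispose() calls
        // Undo(), so the using block reverts even if 'work' throws.
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            ranAs = WindowsIdentity.GetCurrent().Name; // the client's name while impersonating
            work();
        }

        // Defensive check: the thread must be back on the identity it started with.
        string after = WindowsIdentity.GetCurrent().Name;
        if (!string.Equals(after, before, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "Impersonation was not reverted; thread still runs as " + after);

        Console.WriteLine("audit {0:o}: work ran as {1}, reverted to {2}",
                          DateTime.UtcNow, ranAs, after);
        return ranAs;
    }

    // Stand-alone demonstration: impersonating the process's own token is permitted,
    // so this runs on any Windows machine without a second account. In an ASP.NET
    // page you would pass (WindowsIdentity)User.Identity instead.
    public static void Main()
    {
        WindowsIdentity self = WindowsIdentity.GetCurrent();
        // Constructed sample file used as the "resource" the impersonated work reads.
        string path = Path.Combine(Path.GetTempPath(), "impersonation-demo.txt");
        File.WriteAllText(path, "hello");

        string ranAs = RunAs(self, () => Console.WriteLine(File.ReadAllText(path)));
        Console.WriteLine("work ran as " + ranAs);
    }
}
```

The using block is the important part: the catch-all on the previous slide hides a failed Impersonate() call, after which the "impersonated" work silently runs as the process account. Here a failure to impersonate propagates, and the post-check throws if anything inside the block left the thread impersonating.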
Levels of Impersonation
A client process can control to what extent a service is able to act as the client by selecting an impersonation level when it connects to the service.
Four levels of Impersonation
Anonymous
Identify
Impersonate
Delegate
Anonymous: The client is anonymous to the service. The service can impersonate the client, but the impersonation token does not contain any information about the client.
Identify: The service can get the identity of the client and use this information in its own security mechanism, but it cannot impersonate the client.
Impersonate: The service can impersonate the client. If the service is on the same computer as the client process, it can access network resources as the client.
Delegate: The service can impersonate the client not only when it accesses resources on the service's computer but also when it accesses resources on other computers.
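In .NET the four levels surface as the System.Security.Principal.TokenImpersonationLevel enumeration and the WindowsIdentity.ImpersonationLevel property. The following added example (not from the slides or Microsoft's documentation) turns the table above into a guard a service can call before touching a resource on the client's behalf: it refuses remote access unless the token allows delegation, and refuses everything when the thread is not impersonating at all. The class and method names are constructed for the demonstration.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the slides or from Microsoft's documentation.
public static class ImpersonationLevelCheck
{
    public enum ResourceScope { Local, Remote }

    // True when a token at 'level' lets the service act as the client for a
    // resource of the given scope. Anonymous and Identification tokens never do;
    // Impersonation is good on this machine only; Delegation also crosses hops.
    public static bool LevelAllows(TokenImpersonationLevel level, ResourceScope scope)
    {
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return true;
            case TokenImpersonationLevel.Impersonation:
                return scope == ResourceScope.Local;
            default: // None, Anonymous, Identification
                return false;
        }
    }

    // Level of the current thread's impersonation token, or null when the thread
    // is not impersonating at all (it then runs as the process identity, which a
    // caller must not mistake for the client).
    public static TokenImpersonationLevel? CurrentLevel()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent(true); // null unless impersonating
        return id == null ? (TokenImpersonationLevel?)null : id.ImpersonationLevel;
    }

    // Guard to call before accessing a resource as the client. Failing closed here
    // is preferable to the access silently running as the server's own account or
    // falling through to an anonymous network logon.
    public static void RequireClientAccess(ResourceScope scope)
    {
        TokenImpersonationLevel? level = CurrentLevel();
        if (level == null)
            throw new InvalidOperationException("thread is not impersonating a client");
        if (!LevelAllows(level.Value, scope))
            throw new UnauthorizedAccessException(string.Format(
                "token level {0} does not permit {1} access as the client", level, scope));
    }

    public static void Main()
    {
        // Print what each level permits, as listed on the slides.
        foreach (TokenImpersonationLevel level in Enum.GetValues(typeof(TokenImpersonationLevel)))
            Console.WriteLine("{0,-15} local={1,-5} remote={2}", level,
                LevelAllows(level, ResourceScope.Local), LevelAllows(level, ResourceScope.Remote));

        // Impersonate our own token and inspect the level the thread received.
        using (WindowsIdentity.GetCurrent().Impersonate())
        {
            Console.WriteLine("current level: " + CurrentLevel());
            RequireClientAccess(ResourceScope.Local); // passes at Impersonation or above
            try
            {
                RequireClientAccess(ResourceScope.Remote); // refused unless the token allows delegation
            }
            catch (UnauthorizedAccessException e)
            {
                Console.WriteLine("remote access refused: " + e.Message);
            }
        }
    }
}
```

Running this outside any impersonation shows CurrentLevel() returning null, which is the case the previous slide's "Impersonate" bullet warns about: a thread that is not impersonating does not fail, it simply acts as the server's own account.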
Advantages
Auditing
Auditing across tiers
Granular access controls
Disadvantages
Scalability
Increased administration effort
References
http://msdn2.microsoft.com/en-us/library/ms998351.aspx
http://blogs.msdn.com/shawnfa/archive/2005/03/21/400088.aspx
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.WhatIsImpersonation
Questions?