Impersonate using Forms Authentication

by

Impersonating a user using Forms Authentication can be done. The following code does work.

The Visual Studio Magazine article referred to by Robert is an excellent resource. There are a some issues with the example code in the article, so I’ve included some working code below.

Note: If you are using Visual Studio, make sure to launch it “Run as Administrator” to avoid problems with UAC blocking impersonation.

// in your login page (hook up to OnAuthenticate event)
protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
{
    int token;
    // replace "YOURDOMAIN" with your actual domain name
    e.Authenticated = LogonUser(LoginUser.UserName,"YOURDOMAIN",LoginUser.Password,8,0,out token);
    if (e.Authenticated) {
        Session.Add("principal", new WindowsPrincipal(new WindowsIdentity(new IntPtr(token))));
    }
}

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out int TokenHandle);


// in global.asax.cs
void Application_PreRequestHandlerExecute(object send, EventArgs e)
{
    if (Thread.CurrentPrincipal.Identity.IsAuthenticated == true && HttpContext.Current.Session != null) {
        WindowsPrincipal windowsPrincipal = (WindowsPrincipal)Session["principal"];
        Session["principal"] = (GenericPrincipal)Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = windowsPrincipal;
        HttpContext.Current.User = windowsPrincipal;
        HttpContext.Current.Items["identity"] = ((WindowsIdentity)windowsPrincipal.Identity).Impersonate();
    }
}

// in global.asax.cs
void Application_PostRequestHandlerExecute(object send, EventArgs e)
{
    if (HttpContext.Current.Session != null && Session["principal"] as GenericPrincipal != null) {
        GenericPrincipal genericPrincipal = (GenericPrincipal)Session["principal"];
        Session["principal"] = (WindowsPrincipal)Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = genericPrincipal;
        HttpContext.Current.User = genericPrincipal;
        ((WindowsImpersonationContext)HttpContext.Current.Items["identity"]).Undo();
    }
}

// test that impersonation is working (add this and an Asp:Label to a test page)
protected void Page_Load(object sender, EventArgs e)
{
    try {
        // replace YOURSERVER and YOURDB with your actual server and database names
        string connstring = "data source=YOURSERVER;initial catalog=YOURDB;integrated security=True";
        using (SqlConnection conn = new SqlConnection(connstring)) {
            conn.Open();
            SqlCommand cmd = new SqlCommand("SELECT SUSER_NAME()", conn);
            using (SqlDataReader rdr = cmd.ExecuteReader()) {
                rdr.Read();
                Label1.Text = "SUSER_NAME() = " + rdr.GetString(0);
            }
        }
    }
    catch {
    }
}

Update:

You should also handle Application_EndRequest, because calls like Response.End() will bypass Application_PostRequestHandlerExecute.

Another issue is that the WindowsIdentity may get garbage collected, so you should create a new WindowsIdentity and WindowsPrincipal from the logon token on every request.

Update2:

I’m not sure why this is getting downvoted, because it works. I’ve added the pinvoke signature and some test code. Again, launch Visual Studio using “Run as Administrator“. Google how to do that if you don’t know how.

More Related Contents:

  1. Mixing Forms authentication with Windows authentication
  2. ASP.NET MVC – Set custom IIdentity or IPrincipal
  3. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  4. FormsAuthentication.SignOut() does not log the user out
  5. Receiving login prompt using integrated windows authentication
  6. IIS7 folder permissions for web application
  7. ASP.NET Windows Authentication logout
  8. How can I fix the Kerberos double-hop issue?
  9. Passing FormsAuthentication cookie to a WCF service
  10. Asp.net forms authentication and multiple domains
  11. Store/assign roles of authenticated users
  12. How to remove returnurl from url?
  13. Forms Authentication Ignoring Default Document
  14. Allow access for unathenticated users to specific page using ASP.Net Forms Authentication
  15. IIS application using application pool identity loses primary token?
  16. Forms authentication: disable redirect to the login page
  17. Can I change the FormsAuthentication cookie name?
  18. ASP.NET MVC and Windows Authentication with custom roles
  19. Different users get the same cookie – value in .ASPXANONYMOUS
  20. Where does Console.WriteLine go in ASP.NET?
  21. How does IsMobileDevice work?
  22. asp.net mvc Adding to the AUTHORIZE attribute
  23. Entity Framework 4 – Update database schema from model. Without wiping the table data
  24. ASP.Net Text with LineBreak from Multi-Line-TextBox to save in a database
  25. web.config and app.config confusion
  26. what is the use of Eval() in asp.net
  27. IIS Session Timeout vs ASP.NET Session Timeout
  28. ASP.NET session state and multiple worker processes
  29. Canceling the default submit button in ASP.NET
  30. ASP.NET Return image from .aspx link

Leave a Comment