
Impersonate User with Forms Authorization

I am using Forms Authorization to log in to my web application against Active Directory. What I am trying to do is, when the user logs in, impersonate that user. But I am running into a few problems: when I enable impersonation either via IIS or web.config I get a 500 error. Here is that section of my web.config:

<customErrors mode="Off"/>
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Login/Index" timeout="45" slidingExpiration="false" protection="All" path="/" />
</authentication>
<identity impersonate="true" />
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

If I set my credentials in the identity element it works without adjusting my IIS:

<identity impersonate="true" userName="domain\username" password="password" />

Here is my authorization in my IIS; this is what it's currently set to:


If I disable Anonymous and enable impersonation, I get a 500 error.

What am I doing wrong and how do I get Forms Authentication to work with Impersonation?

Here is my login Controller:

[HttpPost]
public ActionResult Index(Login model, string returnUrl)
{
    if (!ModelState.IsValid)
    {

        ModelState.AddModelError("", "The user name or password provided is incorrect.");

        return View(model);
    }

    if (Membership.ValidateUser(model.UserName, model.Password))
    {
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
        {
            return Redirect(returnUrl);
        }

        return RedirectToAction("Index", "Home");
    }

    ModelState.AddModelError("", "The user name or password provided is incorrect.");

    return View(model);
}

UPDATE

I got past the 500 error via <validation validateIntegratedModeConfiguration="false" />, but the impersonation is still not working unless I set the credentials. Is there a way I can set the credentials of the person logging in?

UPDATE

When I run this code, I can see that it is populated with the correct username and impersonate is set to true. What am I doing wrong?

System.Security.Principal.WindowsIdentity.GetCurrent()

Focusing on this part: What I am trying to do is, when the user logs in, impersonate that user.

What you are looking for is called delegation.

Delegation without using the username and password of the user relies on Integrated Windows Authentication. You cannot achieve it using Forms Authentication unless you use the username and password of the user and do protocol transition.

For learning purposes, this post shows an example of how you can do it in code by using the username and password which you receive from the login page.

I know this may be disappointing, but if you need delegation, you should rely on Windows Authentication and configure the browser, IIS and the ASP.NET application. To see a complete guide, take a look at How to configure an ASP.NET application for a delegation scenario.

This is not a complete guide to the configuration; however, it shows you the most important settings:

  • Setup browser: To set up the browser, for IE, you need to check Enable Windows Integrated Authentication in the Advanced tab of Internet Options.
  • Setup IIS: To set up IIS, you need to disable all authentications on IIS including Anonymous Authentication and just enable Windows Authentication.
  • Setup ASP.NET Application: In the web.config you need to set <authentication mode="Windows" /> and also set <identity impersonate="true" /> and also <allow users="*" /><deny users="?" />
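
A diagnostic that separates the two identities this thread keeps mixing, the forms-authenticated user and the Windows token the code actually runs under, and reports whether that token is at delegation level. It is an added example, not code from the question or the answer; `IdentityReport`, `Describe` and the user `jdoe` are hypothetical names, and inside an ASP.NET action you would pass `HttpContext.User` (Windows only).

```csharp
using System;
using System.Security.Principal;

public static class IdentityReport
{
    // appUser is the principal the framework authenticated: HttpContext.User in
    // ASP.NET, which Forms Authentication fills in from the auth cookie.
    public static string Describe(IPrincipal appUser)
    {
        string appName = appUser != null && appUser.Identity.IsAuthenticated
            ? appUser.Identity.Name
            : "(anonymous)";

        // GetCurrent(true) returns the thread token only while the thread is
        // impersonating; null means the code runs as the process identity.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent(true))
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            bool impersonating = thread != null;

            // Forms names are usually bare sAMAccountName values, while
            // Windows names are DOMAIN\user, so compare the account part only.
            string account = effective.Name.Substring(effective.Name.LastIndexOf('\\') + 1);
            bool sameUser = string.Equals(account, appName, StringComparison.OrdinalIgnoreCase);

            // For a token that came from Integrated Windows Authentication,
            // Impersonation level covers local resources only; reaching a
            // remote server as the user needs Delegation level.
            bool delegationLevel =
                effective.ImpersonationLevel == TokenImpersonationLevel.Delegation;

            return string.Format(
                "app user: {0}\nwindows identity: {1}\nimpersonating: {2} (level: {3})\n" +
                "windows identity matches app user: {4}\ndelegation-level token: {5}",
                appName, effective.Name, impersonating,
                effective.ImpersonationLevel, sameUser, delegationLevel);
        }
    }

    public static void Main()
    {
        // Constructed stand-in for a forms-authenticated user named "jdoe".
        var formsUser = new GenericPrincipal(new GenericIdentity("jdoe", "Forms"), new string[0]);
        Console.WriteLine(Describe(formsUser));
    }
}
```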
