
C# Impersonation of an AD user

Here's a scenario I need some help with:

Client passes files to a webservice, which stores them in a uniquely generated folder (just for that operation). The webservice saves the information about those files (location, health, etc.) in a database. A Windows service (running as system) checks that database frequently for changes to process the files. The files will be stored in a separate database (like a library) for later use. This operation needs to be done via the user who uploaded the files to the webservice. I tried impersonation without password by passing the token but I never got it to work.

Any chance to impersonate an active directory user without his password to start the operation as this specific user?

This almost certainly cannot work using impersonation, and the reason is that impersonation requires end-to-end support across every single function to achieve a result. In this case, that means that the entire connection stack to the database needs to support impersonation, and this is almost certainly not the case. Raymond Chen has a nice article on impersonation that explains the trouble.

SQL Server (if that is your server) supports a form of impersonation itself through EXECUTE AS, but I don't recommend doing this with dynamic credentials -- it sounds like a security nightmare. You're better off getting the user identity and passing this along to a stored procedure that handles the security checks without actually impersonating the user. This procedure, of course, should be callable by the service only.
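A T-SQL sketch of the stored-procedure approach described in the answer above, added here as an illustration and not taken from the original post. The table, procedure and role names are hypothetical, and it assumes the webservice recorded the uploader's AD SID when the files arrived.

```sql
-- Hypothetical schema: every object name below is an assumption for illustration.
CREATE TABLE dbo.LibraryPermission (
    UserSid    varbinary(85) NOT NULL,  -- AD SID captured by the webservice at upload time
    LibraryId  int           NOT NULL,
    CanWrite   bit           NOT NULL,
    CONSTRAINT PK_LibraryPermission PRIMARY KEY (UserSid, LibraryId)
);
GO

CREATE TABLE dbo.LibraryFile (
    FileId      int IDENTITY(1,1) PRIMARY KEY,
    LibraryId   int           NOT NULL,
    FilePath    nvarchar(400) NOT NULL,
    OwnerSid    varbinary(85) NOT NULL,  -- who the file was stored on behalf of
    StoredAtUtc datetime2     NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

CREATE PROCEDURE dbo.StoreFileForUser
    @UploaderSid varbinary(85),
    @LibraryId   int,
    @FilePath    nvarchar(400)
AS
BEGIN
    SET NOCOUNT ON;

    -- The check uses the identity passed in as data; the caller's own
    -- security context (the service account) is never switched.
    IF NOT EXISTS (SELECT 1
                   FROM dbo.LibraryPermission
                   WHERE UserSid = @UploaderSid
                     AND LibraryId = @LibraryId
                     AND CanWrite = 1)
    BEGIN
        THROW 50001, 'Uploader is not permitted to write to this library.', 1;
    END;

    INSERT INTO dbo.LibraryFile (LibraryId, FilePath, OwnerSid)
    VALUES (@LibraryId, @FilePath, @UploaderSid);
END;
GO

-- Only the Windows service's database principal may execute the procedure.
CREATE ROLE FileProcessingService;
GRANT EXECUTE ON dbo.StoreFileForUser TO FileProcessingService;
-- Direct writes to the table stay blocked; the procedure still works through
-- ownership chaining because both objects are owned by dbo.
DENY INSERT, UPDATE, DELETE ON dbo.LibraryFile TO FileProcessingService;
GO
```

The service account is added to the role and calls the procedure with the SID stored alongside the upload record, so the per-user decision and the audit trail (OwnerSid) live in the database rather than in an impersonated token.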
