Impersonating users through NTLM

c# asp.net impersonation ntlm
Vasili Sviridov picture Vasili Sviridov · Aug 6, 2009 · Viewed 9.7k times · Source

I have an internal application which has two levels of security. FormsAuthentication for client-facing application and NTLM Integrated authentication for management interface.

I can easily impersonate clients by just creating the proper .ASPXAUTH cookie with the FormsAuthentication class' methods. However generating HTTP Authentication header for NTLM is beyond me so far.

I had my hopes up when I found this article (http://msdn.microsoft.com/en-us/library/ms998358.aspx#paght000025_usingimpersonation) but then I realized that it only creates a context to run code in for a duration of the request. And I would like to switch my entire session to make the server think I'm using another domain login. I have administrative privileges on my account, so it's not for the purpose of screwing around or stealing domain passwords.

Is it even possible? Thanks.

Answer

Viktor Jevdokimov picture Viktor Jevdokimov · Aug 6, 2009

Let say you have Forms authentication enabled ASP.NET app with login form login.aspx and your users are stored in DB. Now you'd like to support both, Forms and Windows authentication. That's what I do:

For forms auth I use SQL DB with, let say, Users table. I add to this table new column named WindowsUserName in which I'll save Windows user's name in form COMPUTER\User

In login.aspx form I add a method, which will send a response that will shows login window:

private void ActivateWindowsLogin()
{
    Response.StatusCode = 401;
    Response.StatusDescription = "Unauthorized";
    Response.End();
}

Somewhere I have a link like <a href="login.aspx?use=windows">Admin</a>

In login.aspx Page_Load I have added:

if (Request.QueryString["use"] == "windows")
{
    var windowsuser = Request.ServerVariables["LOGON_USER"];
    if (windowsuser.Length == 0)
        ActivateWindowsLogin();
    else
    {
        // get userId from DB for Windows user that was authenticated by IIS
        // I use userId in .ASPXAUTH cookie
        var userId = GetUserIdForWindowsUser(windowsuser);
        if (userId > 0) //user found
        {
            // here we get User object to check roles or other stuff
            var user = GetApplicationUser(userId);
            // perform additional checks here and call ActivateWindowsLogin()
            // to show login again or redirect to access denied page.
            // If everythig is OK, set cookie and redirect
            FormsAuthentication.SetAuthCookie(userId.ToString(), false);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(userId.ToString(), false), true);
        }
        else //user not found
            ActivateWindowsLogin();
    }
}
else
{
    //your Forms auth routine
}

GetUserIdForWindowsUser and GetApplicationUser are my methods just for sample.

Related questions

The right use of <identity impersonate="true"/>

In my Website, Users who has logged in are able to change their profile pictures, and this process includes saving the uploaded image to a folder in the website's root directory. When I tested it, I received an Error that …

Read More
Impersonation and NetworkCredential

I need to pass a NetworkCredential object with the credentials of the currently impersonated user to a web service from an asp.net application. My code looks like this: WindowsIdentity windowsIdentity = HttpContext.Current.User.Identity as WindowsIdentity; WindowsImpersonationContext context = windowsIdentity.…

Read More
Can I turn off impersonation just in a couple instances

I have an app that has impersonation used throughout. But when a user is logged in as an admin, a few operation require them to write to the server itself. Now if these users do not have rights on the …

Read More