Impersonation and authentication with ASP.Net
The task: authenticate a web user (either by having them provide a user ID or password directly, or through the domain if they are already logged in) and run ASP.Net code under his/her ID.
Frankly, that’s very easy, but I noticed that sometimes even very good developers don’t know how to do that. In short, the impersonation element in web.config does the trick. If you know the rest, that’s it, you don’t need the rest of this post.
Otherwise, let’s just go through the process. First, go to your IIS folder, usually C:\Inetpub\wwwroot, and create a folder for your application/webservice, say C:\Inetpub\wwwroot\Hello. You can do that in Windows Explorer. I will show an example with a webservice.
In this folder you will need two files: web.config and Hello.asmx (assuming you want to call your webservice Hello).
A simple web.config looks like this:
    <?xml version="1.0"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <appSettings/>
      <connectionStrings/>
      <system.web>
        <customErrors mode="Off" />
        <compilation debug="true" defaultLanguage="c#" />
      </system.web>
    </configuration>
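I have added debugging and set the default language to C#, but that’s optional. Note that customErrors mode="Off" and debug="true" are development settings: with them, remote clients see detailed error pages, so take them out before the service is exposed to other users. The Hello.asmx file is very simple: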
<%@ WebService Language="C#" CodeBehind="~/App_Code/Hello.cs" Class="Hello" %>
Now, create a folder App_Code (C:\Inetpub\wwwroot\Hello\App_Code), that’s where the actual code traditionally lives, and create Hello.cs file, already referenced in Hello.asmx:
    using System;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;

    [WebService(Namespace = "https://hellomedear.org/test/namespace/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class Hello : System.Web.Services.WebService
    {
        public Hello()
        {
        }

        [WebMethod]
        public string HelloMeDear()
        {
            // Name of the Windows account this code is executing under right now
            return "Hello, " + System.Security.Principal.WindowsIdentity.GetCurrent().Name + "!";
        }
    }
This way it will return the name of the account the code is currently running under, so we can track our progress. So, are we ready? Let’s try. Enter the address https://yourmachine/hellome/hello.asmx in the browser. Oops... Error:
    Server Error in '/' Application.
    Parser Error
    Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
    Parser Error Message: Could not create type 'Hello'.
    Source Error:
    Source File: /hellome/hello.asmx Line: 1
    Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42
Why? You forgot to tell IIS that there will be ASP.Net code in this folder. Go to Control Panel | Administrative Tools | Internet Information Services, then select the default web site, open it and you’ll see your folder shown with a folder icon. Right-click on it, select Properties, and click on the “Create” button near the grayed textbox Application name. Then click OK, and the icon will become something mechanical. That’s what you want.
Try again. Now you should get the list of available methods, which in our case is simply HelloMeDear. Click on it, and if you do that from the same machine, you will see a button Invoke, which lets you try the method.
Click on it. A new window will open with the result:
    <?xml version="1.0" encoding="utf-8" ?>
    <string xmlns="https://hellomedear.org/test/namespace/">Hello, NT AUTHORITY\NETWORK SERVICE!</string>
That’s nice, but NT AUTHORITY\NETWORK SERVICE is not your ID. What happened?
Go again into the properties of your folder in IIS management, pick the Directory Security tab, and press Edit for Authentication and access control. See “Enable anonymous access” checked? That’s the problem. Even if you get impersonation, the impersonated user will be the automatic account named in the textboxes next to that checkbox. Actually, let’s try it.
Go to your folder and open the web.config file. First add
    <identity impersonate="true" />
into the <system.web> element. Try again:
    <?xml version="1.0" encoding="utf-8" ?>
    <string xmlns="https://hellomedear.org/test/namespace/">Hello, YOURMACHINE\IUSR_YOURMACHINE!</string>
You’ve got that impersonated user. To avoid that, go again into the IIS configuration for your folder, Directory Security, edit Authentication and access control, uncheck Enable anonymous access, and check the Integrated Windows authentication checkbox. Try now:
    <?xml version="1.0" encoding="utf-8" ?>
    <string xmlns="https://hellomedear.org/test/namespace/">Hello, YOURMACHINE\yourID!</string>
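You’ve got it! Actually, it’s nice to also add:
    <authentication mode="Windows"/>
into your web.config file along with the impersonation element. Windows is the default authentication mode in ASP.Net, so this line only makes the setting explicit. That’s it.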
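As an added example (not code from the original post): a web method that checks both conditions the walkthrough arrives at, an authenticated caller and a thread impersonating that same caller, before doing any work. The class name WhoAmI, the helper RequireImpersonatedCaller and the method Describe are hypothetical; it assumes a WhoAmI.asmx next to Hello.asmx that points at this class.

```csharp
// App_Code/WhoAmI.cs (hypothetical file name; added example)
using System;
using System.Security.Principal;
using System.Web.Services;

[WebService(Namespace = "https://hellomedear.org/test/namespace/")]
public class WhoAmI : WebService
{
    // Throws unless the request was authenticated by IIS AND the thread is
    // impersonating that same account.
    private WindowsIdentity RequireImpersonatedCaller()
    {
        // Identity attached to the request; null unless Windows authentication is in use.
        WindowsIdentity caller = Context.User == null
            ? null
            : Context.User.Identity as WindowsIdentity;

        // Token the code is executing under right now.
        WindowsIdentity running = WindowsIdentity.GetCurrent();

        // Anonymous access still enabled in IIS: impersonation would only hand us
        // the IUSR_ account (or NETWORK SERVICE when impersonation is off).
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException(
                "Anonymous request; code is running as " + running.Name);

        // Authenticated, but <identity impersonate="true" /> is missing:
        // the thread still carries the worker process token.
        if (!running.User.Equals(caller.User))
            throw new UnauthorizedAccessException(
                "Authenticated as " + caller.Name + " but running as " + running.Name);

        return running;
    }

    [WebMethod]
    public string Describe()
    {
        WindowsIdentity id = RequireImpersonatedCaller();
        return "Hello, " + id.Name
            + " (auth type: " + id.AuthenticationType
            + ", token level: " + id.ImpersonationLevel + ")";
    }
}
```

Comparing the SIDs rather than the account names avoids false matches when a local and a domain account share a name.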
So, all steps in a short list:
- Create IIS folder
- Create web.config file (see below to get important element)
- Create .asmx file (see above)
- Create App_Code subfolder and create there .cs file (see above)
- Go to Control Panel | Administrative Tools | Internet Information Services, open, select default website, select your folder under it, right click, Properties.
- Create application (button on the left of Application name:)
- Go to Directory Security tab, click on Edit for Authentication and access control
- Uncheck Anonymous access, check Integrated Windows authentication
- You are done. To try it, go to https://yourserver/hellome/hello.asmx
Comments
- Anonymous
June 14, 2006
Is this really required?
<authentication mode="Windows"/>
- Anonymous
June 26, 2006
Reasonably. Once you set authentication in IIS, it does most of the work. Impersonation in web.config simply picks it up. I found that everything seems to work without <authentication mode="Windows"/>, but I have not figured out yet what is broken without it.
- Anonymous
October 03, 2007
Thanks a lot for this post. Helped me solve "WEbservice - could not create type" error.