Threading & Impersonation

[Guest]

I have an ASP.NET web service whose Web.Config is set to use impersonation

<authentication mode="Windows" />
<identity impersonate="true" />


Within a Web Method, I want to use Multi-threading to spawn off an
asynchronous process, as it takes quite long to return. How could I get the
worker thread to runas the same impersonated user on ASP.NET?

Dim worker As System.Threading.Thread = New
System.Threading.Thread(AddressOf reportManager.RunReport)
worker.Start()

 

[Steven Cheng[MSFT]]

Welcome to the ASPNET newsgroup.

From your description, I understand you have an ASP.NET web application
which uses windows authentication & impersonation. And in your web pages,
you'll create new sub threads to do some tasks, however you're wondering
how to make those new created sub threads also running under the current
impersonated user in the main worker thread, correct?

Based on my understanding, for new created sub threads in ASP.NET web
application(e.g in web page), by default they will run under the ASP.NET
worker process's process identity(machine\ASPNET account for IIS5 and
Network Service account for IIS6). To change this behavior, we need to
explicitly do the impersonation in code within the new created sub thread's
code. We can first cached the current Context's WindowsIdentity in a shared
variable(page's member variable) and them use it to do the impersonation in
sub thread. Here is a msdn article discussing on impersonation in ASP.NET
2.0:

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?frame=tr
ue

You can have a look at the code of programmatic impersonation. In addition,
here is a simple page I used to test , this page programmatically
impersonate the current HttpContext's user and create a file.

=======================
public partial class _Default : System.Web.UI.Page
{
private WindowsIdentity _cachedId;

protected void Page_Load(object sender, EventArgs e)
{


_cachedId = Context.User.Identity as WindowsIdentity;

Thread thread = new Thread(new ThreadStart(ThreadProc));

thread.Start();

Thread.Sleep(3000);


CreateFileUnderCurrentUser();

}

protected void CreateFileUnderCurrentUser()
{
string fname = @"D:\users\stcheng\temp\imp{0}.txt";

FileStream fs = new FileStream(string.Format(fname,
DateTime.Now.Ticks), FileMode.Create);
StreamWriter sw = new StreamWriter(fs, System.Text.Encoding.UTF8);

sw.WriteLine("Hello txt file!");

sw.Close();

fs.Close();
}


protected void ThreadProc()
{
IntPtr token = IntPtr.Zero;
WindowsImpersonationContext impersonatedUser = null;

try
{
WindowsIdentity id = _cachedId;

impersonatedUser = id.Impersonate();

CreateFileUnderCurrentUser();

}
catch
{

}
finally
{
if (impersonatedUser != null)
impersonatedUser.Undo();

if (token != IntPtr.Zero)
CloseHandle(token);
}


}




#region ----PINVOKE FUNCTIONS----

[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LogonUser(
string principal,
string authority,
string password,
LogonSessionType logonType,
LogonProvider logonProvider,
out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);
enum LogonSessionType : uint
{
Interactive = 2,
Network,
Batch,
Service,
NetworkCleartext = 8,
NewCredentials
}
enum LogonProvider : uint
{
Default = 0, // default for platform (use this!)
WinNT35, // sends smoke signals to authority
WinNT40, // uses NTLM
WinNT50 // negotiates Kerb or NTLM
}


#endregion
}

==========================

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)