C# – Difference in ASP.Net impersonation methods

asp.netciisimpersonationnet

In this MSDN article on "How to implement impersonation in an ASP.NET application" they list 4 different ways to change the account that's used to execute the web request. Unfortunately, it doesn't describe the differences between these alternatives.

I'm trying to impersonate the IIS authenticated user to copy some files off their local machine. It works when I use the WIN32 api LogonUserA and impersonate a specific user. But I need the webapp to work with many users (I don't have an account that can access everyone's files).

I thought simply setting Impersonate = "true" and configuring IIS should work but something is different. When I check Environment.UserName it appears to be impersonating the correct account but I am getting "Access is denied" errors.

Anyone know the difference between these impersonation methods? Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

Update: From the feedback I've been getting I need to be more clear about what I'm facing.

Environment setup:
IIS: disable anonymous authentication, enable integrated windows authentication
ASP.Net's web.config: authentication mode = "windows", impersonate = true, deny anonymous users

Suppose I'm accessing the page as "userA":

Scenario 1: impersonate the IIS Authenticated user

try{
  File.Copy(srcFile, destFile);   // Access Denied even though userA has access to srcFile.
} catch(Exception ex) {
...
}

Scenario 2: impersonate userA with LogonUser

try{
  // Impersonater is a wrapper around the WIN32 LogonUser API
  using(Impersonater imp = new Impersonator("domain", "userA", "pwd")) 
  {
    File.Copy(srcFile, destFile); // Works
  }
} catch(Exception ex) {
...
}

In both cases, I'm impersonating "userA".

Best Answer

Q: Anyone know the difference between these impersonation methods?

A: First some background on how IIS handles request.

There is a specific system user called IUSR_computername (default in IIS6) which the IIS-server uses to handle file access. And there is a process running on the IIS server called Aspnet_wp.exe which runs under an account called ASPNET or NetworkService.

So when a request is made to the server, the IIS reacts and if the request is to a ASP.NET application it passes the request to that process.

This means that if the IIS-server is setup to use the IUSR_computername (anonymous) access method. The server will use that account to process the request, and if it sees that it is an ASP.NET application it will transfer the request to the ASP.NET process.

By default impersonation is disabled, this means that the request will run under the ASPNET or NetworkService account when the ASP.NET process handles the request.

Now to the difference between the impersonation methods:

Impersonate the IIS authenticated account or user
Uses an account that the IIS is setup to use. Usually IUSR_computername.
Usage: <identity impersonate="true" />
Impersonation enabled for a specific identity
Uses a specific account that is specified.
Usage: <identity impersonate="true" userName="accountname" password="password" />

The third option is the default state, which is to disable impersonation.

Q: Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

A: Depends on the priviliges of the IIS authenticated user. If the account has permission to manipulate files (NTFS permission in Windows), the answer would be yes.

This is the style that Microsoft tends to use in their examples.

It appears that the guidance in this area may have changed, as StyleCop now enforces the use of the C# specific aliases.

C# – the difference between const and readonly in C#

Apart from the apparent difference of

having to declare the value at the time of a definition for a const VS readonly values can be computed dynamically but need to be assigned before the constructor exits.. after that it is frozen.
const's are implicitly static. You use a ClassName.ConstantName notation to access them.

There is a subtle difference. Consider a class defined in AssemblyA.

public class Const_V_Readonly
{
  public const int I_CONST_VALUE = 2;
  public readonly int I_RO_VALUE;
  public Const_V_Readonly()
  {
     I_RO_VALUE = 3;
  }
}

AssemblyB references AssemblyA and uses these values in code. When this is compiled:

in the case of the const value, it is like a find-replace. The value 2 is 'baked into' the AssemblyB's IL. This means that if tomorrow I update I_CONST_VALUE to 20, AssemblyB would still have 2 till I recompile it.
in the case of the readonly value, it is like a ref to a memory location. The value is not baked into AssemblyB's IL. This means that if the memory location is updated, AssemblyB gets the new value without recompilation. So if I_RO_VALUE is updated to 30, you only need to build AssemblyA and all clients do not need to be recompiled.

So if you are confident that the value of the constant won't change, use a const.

public const int CM_IN_A_METER = 100;

But if you have a constant that may change (e.g. w.r.t. precision).. or when in doubt, use a readonly.

public readonly float PI = 3.14;

Update: Aku needs to get a mention because he pointed this out first. Also I need to plug where I learned this: Effective C# - Bill Wagner

Best Answer

Related Solutions

C# – the difference between String and string in C#

This is the style that Microsoft tends to use in their examples.

C# – the difference between const and readonly in C#

Related Topic