impersonation in a sub thread

Christian
Nov 3, 2003, 5:27:45 PM

When you create a new thread it inherits the original
security context of the parent process.
E.g. when a web application that is set to impersonate
some domain account creates a new thread, the new thread
runs as the original user (e.g. localmachine\ASPNET) not
the user the application is impersonating.

Does anyone know how to create a thread and make it
impersonate the same user as the parent process is
impersonating?

I tried making the child thread explicitly impersonate
the domain user, but it was not able/allowed to.

Basically I am doing

using System.Security.Principal;
using System.Threading;

private static WindowsIdentity _winID;

public static void StartThread()
{
    // runs as domain user set to impersonate in web.config
    // or IIS control
    _winID = WindowsIdentity.GetCurrent();
    Thread _thread = new Thread(new ThreadStart(DoWork));

    _thread.Start();
}

private static void DoWork()
{
    // runs as localbox\ASPNET

    // fails with "Unable to impersonate user"
    _winID.Impersonate();

    // more code supposed to run as impersonated user
}


It succeeds when I set asp to run as SYSTEM (set
<processModel userName="SYSTEM"> in machine.config).

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158

indicates that the process would need the "act as part of
the OS" privilege.
After giving that privilege to ASPNET, impersonation
still fails.

Anybody know how I can get the subthread to execute as the
same (impersonated) user as the web app? Additional
privileges required for ASPNET? Is there a way to start
the subthread off with the right user?

Thanks
Christian

charlie
Nov 7, 2003, 6:59:20 PM

Christian,

I am quite aware of your pain with this issue. This is a problem for which
I was unable to find a solution while working within the context of the web
server (the ASPNET process).

If you want to solve this issue quickly and with the desired effect, I would
point you in the same direction some others on this group pointed me - COM+.
A COM+ server runs outside the ASPNET context and can assume any identity
you would like it to assume. It is very robust and has good security
associated with it. I was able to solve in one day a problem I had been
battling for more than a week by just taking my code out of the services
application and creating a COM+ application.

Charlie

Christian
Nov 10, 2003, 1:12:50 PM

To answer my own question (and thanks for the com+
suggestion):

I didn't actually necessarily need a separate thread.
An asynchronous method call worked just as well, and then
the subthread (created by the .net framework to run the
asynchronous call) IS able to impersonate.

e.g.

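using System.Security.Principal;

public class MyClass
{
    private delegate void MyDelegate(WindowsIdentity winID);

    public static void Start()
    {
        // capture the impersonated identity on the calling thread and
        // pass it to the asynchronous call
        MyDelegate del = new MyDelegate(DBCleanup);
        del.BeginInvoke(WindowsIdentity.GetCurrent(), null, null);
    }

    private static void DBCleanup(WindowsIdentity winID)
    {
        WindowsImpersonationContext ctx = winID.Impersonate();
        try
        {
            // do stuff as impersonated user.
        }
        finally
        {
            // always revert, even if the work above throws
            if (ctx != null)
                ctx.Undo();
        }
    }
}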

So somehow by calling it as a delegate I am able to create
a thread that can impersonate an authenticated winID.
But I still don't know how to do it if I were, for
whatever reason, to create my own Thread. I don't need to
right now, but would still like to find out just for
future reference.

news.microsoft.com
Dec 9, 2003, 3:55:26 PM

Maybe this article will help you:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Maybe not :)