I have an ASP.NET 4.0 intranet site which uses Windows authentication and normally runs as the default IIS user. I would like to impersonate the authenticated user and act on their behalf. Specifically, if that user is a domain admin, I want them to be able to monitor services running on a number of servers, start and stop those services, and reboot those servers, all from the intranet page.
So far I can switch over the context to impersonate the authenticated user and I can check the user's AD groups to determine if they're a domain admin. But when I try to get the status of the services running on the other servers, I get the following error:
Cannot open Service Control Manager on computer 'MyServer'. This operation might require other privileges. ---> System.ComponentModel.Win32Exception: Access is denied
It works fine in Visual Studio locally. But not when the intranet site is deployed to the internal web server.
In the Page_Load I do this:
'Switch from IIS User to the currently authenticated Admin user
Dim impersonationContext As WindowsImpersonationContext = Nothing
Dim authenticatedIdentity As WindowsIdentity = DirectCast(HttpContext.Current.User.Identity, WindowsIdentity)
impersonationContext = authenticatedIdentity.Impersonate()
And then in the GridView's RowDataBound event, I do this:
'Check if service exists and is running
Dim arrServices() As ServiceController = ServiceController.GetServices(machineName)
If Not arrServices.Any(Function(o) o.ServiceName = SERVICE_NAME) Then
' Service is missing...
Else
Dim oServiceController As New ServiceController(SERVICE_NAME, machineName)
If oServiceController.Status = ServiceControllerStatus.Running Then
' Service is running...
Else
' Service has stopped...
End If
End If
How can I manage other servers on the user's behalf using Windows authentication on this intranet site?
Turns out there are basically two levels of the Windows Identity token you can get.
The one you get automatically when using Windows authentication on an intranet site is good for authentication against AD and getting the user's AD groups. When you switch over to impersonating this identity, you can access local resources on the web server as the authenticated Windows user, but you can't start accessing network resources outside of the web server the intranet site is running on.
To get network access, you need to use the Windows Logon Win32 API. You need to perform an "interactive" level login and get the token from that login. Then you can impersonate the user over the network. So you need the user's password, not just the token ASP.NET gives you in the request object.