If you want to execute a portion of code in a different security context, you can use this class, “Impersonate”.
Just create an instance in a using block.
using (new Impersonate(domain, user, password))
{
    // Code with different execution rights
}
Download the class here: Impersonate.cs in zip
On Windows Server 2003, prefer WindowsIdentity.Impersonate().
Warning: error 1314 can occur on Windows 2000 systems:
Read the note at the end of this article and read this article
You can change the ‘Act as part of the operating system’ user right as follows:
- From Administrative Tools, open Local Security Policy. If the Administrative Tools window is no longer open, navigate to Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
- Navigate to Security settings > Local Policies > User Rights Assignment.
- Double-click Act as part of the operating system under the policy column in the right-hand pane.
- The Local Security Policy Setting dialog appears. Select Add…
(Then, if the added account is the one that is currently logged on… log out and log in again!)

For more details on implementation, read these Microsoft resources:
- How to use impersonation and delegation with ASP.NET 2.0
- Create a service account for an ASP.NET 2.0 application
- ASP.NET Application security in hosted environment
Access control list: the ASP.NET process account must have the following rights to work correctly.
| Location | Access type | Account | Comments |
|---|---|---|---|
| %SystemRoot%\Microsoft.NET\Framework\versionNumber\Temporary ASP.NET Files | Read/write | Process or configured impersonation. | This is the location for dynamically compiled files. Beneath this location, application code generation takes place in a discrete directory for each application. You can configure the root location using the tempDir attribute of the <compilation> configuration section. |
| %SystemRoot%\assembly | Read | Process or configured impersonation. | This is the location of the global assembly cache (GAC). |
| %SystemRoot%\System32 | Read | Process | Contains system DLLs loaded by the .NET Framework. |
| %SystemRoot%\Temp | Read/write/delete | Process | Used for Web services support. |
| User profile directory | Read/write | Process | Used by the GAC cache lock files and the security configuration caching mechanism of the common language runtime. If the user profile directory for the account does not exist, ASP.NET uses the default user profile directory. |
| Web application directory | Read | Process or configured impersonation. | This is the location for application files. |
| Web application directory\App_Data | Read/write | Process or configured impersonation. | This is the default location for data files in an ASP.NET Web application. If your application uses the App_Data subdirectory, the ASP.NET process must be able to write to the directory and for some databases, to be able to create temporary files in the subdirectory. |
| %SystemRoot%\Microsoft.NET\Framework\version and subdirectories | Read | Process or configured impersonation | ASP.NET must be able to access the system assemblies referenced in the Machine.config file in the CONFIG subdirectory under %SystemRoot%\Microsoft.NET\Framework\version\. |
Question: I ran into a problem in an ASP.NET 1.1 context reading the ConfigurationSettings.AppSettings values within an impersonation context! Any idea?