ISAPI impersonation filter

Here's my scenario:

I'm trying to create an ISAPI filter that will effectively impersonate a user before the web application is accessed, so that the application will act as if the impersonated user had been authenticated by IIS. The catch, however, is that I do not have access to the user's password, so I cannot simply use LogonUser to do this. I am aware of the LsaLogonUser API and am considering using it for this purpose, but that function must be called from a process running in the TCB, so I thought it could be a COM+ component that can be called from the filter.

So my questions are:

1) Is this even a viable option? Can I somehow pass the token obtained in the COM+ component back to the filter so it can use it to impersonate the user?

2) Is there a better way to do this?

Any feedback is greatly appreciated!

[1018 byte] By [cnishigu] at [2007-12-23]
# 1

LsaLogonUser will still require either a password or a trusted path to the client (and its Kerberos domain controller) to request a Kerberos ticket (service for user to self). So it's not really a "free pass" for a service in the TCB to impersonate. If you can use LsaLogonUser to impersonate, you're pretty much better off letting IIS or ASP.NET do the impersonation with configuration - the big problem is not having the TCB privilege when getting impersonation and still needing access to kernel objects, but you won't be able to pass the ticket around anyway, so either you have it or you don't. And if you do, I'd suggest just using .NET's WindowsIdentity rather than the LsaLogonUser Function Of Doom. (Seriously, can anyone call that thing successfully on the first 10 tries?)

Now, if you want to impersonate a 3rd-party user, you will need the password - LsaLogonUser won't help you here. Once you've got that, you may as well use IIS (AppPool) or .NET (WindowsIdentity again) to do the impersonation.

PhilipRieck at 2007-8-30
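To make the answer's point concrete, here is an added example (not code from the thread) of the WindowsIdentity route it recommends. It assumes .NET Framework on a domain-joined host and uses a placeholder UPN; the important part is the check on the token's impersonation level, which is only Identification unless the calling process holds SeTcbPrivilege.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Added example, not from the original post. new WindowsIdentity(string) performs a
// service-for-user-to-self (S4U) logon through LsaLogonUser with no password, which is
// exactly what the answer means by "letting .NET do it".
class S4UImpersonationCheck
{
    // Returns the impersonation level of the token the S4U logon produced.
    // Without SeTcbPrivilege in this process it will be Identification: fine for
    // authorization checks, but it cannot open files or other kernel objects as the user.
    static TokenImpersonationLevel LevelFor(string upn)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        return id.ImpersonationLevel;
    }

    static void Main()
    {
        const string upn = "someone@example.com"; // placeholder, assumption

        try
        {
            WindowsIdentity id = new WindowsIdentity(upn);
            Console.WriteLine("Token for {0}: level = {1}", id.Name, id.ImpersonationLevel);

            if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            {
                // Impersonate() would throw on this token anyway; stop here and say why.
                Console.WriteLine("Identification-only token: this process lacks SeTcbPrivilege,");
                Console.WriteLine("so the user cannot be impersonated for resource access.");
                return;
            }

            // Only reached when the token is Impersonation level or better.
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                Console.WriteLine("Now running as {0}", WindowsIdentity.GetCurrent().Name);
            } // Dispose() reverts the impersonation.
        }
        catch (SecurityException ex)
        {
            // Thrown e.g. when the host is not domain-joined or the UPN cannot be resolved.
            Console.WriteLine("S4U logon failed: {0}", ex.Message);
        }
    }
}
```

Run it once as a normal service account and once with SeTcbPrivilege granted to see the level change; the token is still process-local, so it cannot be handed from a COM+ component back to the filter as the question proposed.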