Miscellaneous Debris

Avner Kashtan's Frustrations and Exultations
Double Hop and ASP.NET - a workaround.

<Background>
Many people have stumbled across the IIS Double-Hop issue when trying to access Active Directory information on an ASP.NET page.
In short - when we access an ASP.NET page, IIS can impersonate our user credentials for code execution (if set in the web.config). On Windows networks, impersonated credentials can't be used to access network resources - this prevents a web-server from maliciously or accidently using the credentials of a user who innocently logged on to it to access protected network resources.
The problem is that when we try to access the Active Directory for legitimate purposes (to display the current user's details, for instance) while impersonating the user (as SPS does by default) we can't pass the credentials on and our AD query uses the understandbly-limited Anonymous Logon account.

The suggested workaround is to supply teh DirectoryServices request with a username and password so as not to use the impersonated credentials - but this, of course, opens up a whole set of problems relating to security and maintainability.
</Background>

<Solution>
This workaround will work only if the IIS worker process is running under a domain account.
Under IIS 6 - this is the user specified in the Identity tab of the Application Pool.
Under IIS 5 - this is the user specified in the Identity tab of the COM+ application that is generated for the IIS application.

Since our problem arises from having our code run in an impersonation context, the solution is simply to undo the impersonation so that the executing identity isn't the connecting user, but the user who started the process. Since we don't have any convenient .NET WindowsImpersonationContext object we can Undo(), we'll simply have to go deeper into Win32 code:

[DllImport("advapi32.dll")]
private static extern int RevertToSelf();

This very simple function (no parameters - no marshalling! Yipee!) will cancel the current impersonation session and return the actual running user - our IIS WP identity.
It would be prudent to re-impersonate the connected user after our code runs:

WindowsIdentity connectedUser = WindowsIdentity.GetCurrent();
RevertToSelf();
// DirectoryServices code here.
connectedUser.Impersonate()

If this revert/reimpersonate code is something we'll be running a lot, it would be nice to wrap this in a nice disposable object so we can wrap our code in a using() block:

using (new UnImpersonator())
{
   // Code running as the Worker Process identity.
}

This is similar to the ImpersonationContext class I described here - the constructor will save the current Identity in a member and call Revert, and the Dispose() will re-impersonate the user.

 </Solution>

Published Wednesday, September 22, 2004 9:18 PM by AvnerK

Filed under: ,

Comments

# re: Double Hop and ASP.NET - a workaround.@ Wednesday, September 22, 2004 3:21 PM

I wish that worked for me.. Unfortunately it did not... My app pool is a Domain Admin but I still have issues.... Hopefully this will solve someone elses problems

Jack

# re: Double Hop and ASP.NET - a workaround.@ Wednesday, September 22, 2004 4:00 PM

Thank you. This solves my problem.

Dody Gunawinata

# re: Double Hop and ASP.NET - a workaround.@ Wednesday, September 22, 2004 4:03 PM

Never mind..... I just had to make sure it was on the first directory access and not the one that was failing.

Jack

# re: Double Hop and ASP.NET - a workaround.@ Wednesday, September 22, 2004 6:43 PM

Jack: Good, I was getting worried. :)
My guess is the first AD access cached the credentials, so even if you Reverted it still connected using the old account.

Avner Kashtan

# NT Networks, Delegation, Kerberos and Impersonation. @ Wednesday, May 04, 2005 7:42 AM

TrackBack

# re: Double Hop and ASP.NET - a workaround.@ Thursday, September 07, 2006 5:21 AM

My application pool currently uses the network service. How can I change that to a domain account without having it constantly asking for a login? There seems to be some sort of a problem with my setup.

Thomas Barns

# re: Double Hop and ASP.NET - a workaround.@ Friday, November 03, 2006 11:24 AM

Hello Guys

i have the same problem like Thomas. after changing the account to a domain user it is contantly asking for a login. no mather what i input. do someone has a solution yet?

Jens

# re: Double Hop and ASP.NET - a workaround.@ Thursday, May 10, 2007 12:18 PM

I bow down at your feet....  been working this issue for about a week now... spending about 8 1/2 of my 12 hour days googling...

Can you believe that I didn't start getting good answers until I hit Ask.com?  who would have thought... ?

Anyways... implemented this fix into a SharePoint web part... worked like a dream.

Cory Loriot

# re: Double Hop and ASP.NET - a workaround.@ Thursday, May 10, 2007 12:29 PM

Concerning the issues of thomas and jen...  I am sure that they have been addressed by now, but consider checking if you are authenticating through Basic Authentication or NTLM...  Basic authentication on the IIS Virtual server will cause a username and password to have to be entered multiple times.

Cory

# re: Double Hop and ASP.NET - a workaround.@ Friday, July 20, 2007 3:22 PM

Also concerning the issues of Thomas and Jens, I had the same thing happen.  In my case, if I checked the security event log I had a Kerberos error KRB_AP_ERR_MODIFIED with event id 4.  Adding an SPN worked for me (see msdn2.microsoft.com/.../ms998297.aspx)

NaR883

# re: Double Hop and ASP.NET - a workaround.@ Monday, March 17, 2008 10:05 AM

the following code does very similar:

SPSecurity.RunWithElevatedPrivileges(delegate()

{

listService.AllowAutoRedirect = false;

listService.PreAuthenticate = true;

listService.Credentials = (NetworkCredential)System.Net.CredentialCache.DefaultNetworkCredentials;

T101

Leave a Comment

(required) 
(required) 
(optional)
(required)