
Wednesday, 30 June 2010

ASP.NET - Handling Impersonation failures of web.config

Impersonation is possible in a number of ways. One of the most common methods is to store encrypted user credentials in the registry. Configure web.config to pick up the credentials for authentication as below:

Use encrypted attributes in the configuration file web.config

So far so good. Now, if the user credentials fail, the following error is displayed:

The following section should allow you to display a custom error page:

<customErrors mode="RemoteOnly" defaultRedirect="GeneralError.aspx"/>

This will work only after the user is authorised and a session is created for the user.

Hence, in order to display a custom error page for invalid user credentials from web.config, error handling for login credentials should be done in Global.asax as below:

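void Session_Start(object sender, EventArgs e)
{
    // The body of this check is missing from the listing; redirecting to the
    // customErrors page shown above (GeneralError.aspx) is assumed.
    if (!Impersonate.ImpersonateUser()) Response.Redirect("GeneralError.aspx");
}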


Now the code for ImpersonateUser():

using System;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;

/// <summary>
/// Summary description for Impersonate
/// </summary>
public class Impersonate
{
    // Declare signatures for Win32 LogonUser and CloseHandle APIs
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LogonUser(
        string principal,
        string authority,
        string password,
        LogonSessionType logonType,
        LogonProvider logonProvider,
        out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    enum LogonSessionType : uint
    {
        Interactive = 2,
        NetworkCleartext = 8,
    }

    enum LogonProvider : uint
    {
        Default = 0, // default for platform (use this!)
        WinNT35,     // sends smoke signals to authority
        WinNT40,     // uses NTLM
        WinNT50      // negotiates Kerb or NTLM
    }

    public Impersonate()
    {
        // TODO: Add constructor logic here
    }

    public static bool ImpersonateUser()
    {
        bool bRet = false;
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext impersonatedUser = null;
        try
        {
            // Create a token for DomainName\Bob
            // Note: Credentials should be encrypted in configuration file
            string user = ConfigurationManager.AppSettings["userid"];
            string domain = ConfigurationManager.AppSettings["domain"];
            string pass = ConfigurationManager.AppSettings["password"];
            // The password, logon type and provider arguments are missing from
            // the listing; NetworkCleartext and Default are assumed here.
            bool result = LogonUser(user, domain, pass,
                LogonSessionType.NetworkCleartext, LogonProvider.Default,
                out token);
            if (result)
            {
                WindowsIdentity id = new WindowsIdentity(token);

                // Begin impersonation (stays in effect on this thread
                // until Undo() is called on the returned context)
                impersonatedUser = id.Impersonate();
                bRet = true;
            }
        }
        catch (Exception ex)
        {
            string err = ex.Message;
            // Prevent any exceptions that occur while the thread is
            // impersonating from propagating
        }
        finally
        {
            // WindowsIdentity duplicates the token, so the original
            // handle from LogonUser must be released here
            if (token != IntPtr.Zero)
                CloseHandle(token);
        }
        return bRet;
    }
}

Hence user authentication is performed in Session_Start, which allows a redirect to the custom error page for unauthorised access.
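ImpersonateUser() above returns only true or false, so the reason the configured account failed is lost. The following is an added example, not code from the original post: a hypothetical helper (the names ScopedImpersonation and TryRunAs, and the choice of the NetworkCleartext logon type, are assumptions) that records the Win32 error server-side and always reverts the impersonation when the work is done.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the original post): scoped impersonation
// that records why LogonUser failed instead of discarding the reason.
public static class ScopedImpersonation
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string principal, string authority, string password,
        uint logonType, uint logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint LogonNetworkCleartext = 8; // LOGON32_LOGON_NETWORK_CLEARTEXT (assumed choice)
    const uint ProviderDefault = 0;       // LOGON32_PROVIDER_DEFAULT

    // Runs 'work' as the given account and always reverts afterwards.
    // Returns false, with the Win32 error code, when the logon fails.
    public static bool TryRunAs(string user, string domain, string pass,
        Action work, out int win32Error)
    {
        win32Error = 0;
        IntPtr token;
        if (!LogonUser(user, domain, pass, LogonNetworkCleartext, ProviderDefault, out token))
        {
            // Read the error immediately; later P/Invoke calls overwrite it.
            // e.g. 1326 = ERROR_LOGON_FAILURE, 1909 = ERROR_ACCOUNT_LOCKED_OUT.
            win32Error = Marshal.GetLastWin32Error();
            // Log server-side only (never the password); the user sees the custom error page.
            Trace.TraceError("Impersonation logon failed for {0}\\{1}: {2} ({3})",
                domain, user, win32Error, new Win32Exception(win32Error).Message);
            return false;
        }
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (id.Impersonate()) // Dispose() calls Undo()
            {
                work();
            }
            return true;
        }
        finally
        {
            CloseHandle(token); // WindowsIdentity holds its own duplicate
        }
    }
}
```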

"Many of the great achievements of the world were accomplished by tired and discouraged men who kept on working."

