Impersonation is possible in a number of ways. One of the most common methods is to store encrypted user credentials in the registry. Configure web.config to pick up the credentials for authentication as below:
Use encrypted attributes in the configuration file web.config
So far so good. Now consider what happens if the user credentials fail: the following error is displayed
The following section should allow you to display a custom error page:-
This will work only after the user is authorised and a session is created for the user.
Hence, in order to display a custom error page for invalid user credentials taken from web.config, error handling for the login credentials should be done in Global.asax as below:
Now the code for ImpersonateUser()
Hence user authentication is performed in Session_Start, which allows redirecting to a custom error page for unauthorised access.
"Many of the great achievements of the world were accomplished by tired and discouraged men who kept on working."
Use encrypted attributes in the configuration file web.config
So far so good. Now consider what happens if the user credentials fail: the following error is displayed
The following section should allow you to display a custom error page:-
<customErrors mode="RemoteOnly" defaultRedirect="GeneralError.aspx"/>
This will work only after the user is authorised and a session is created for the user.
Hence, in order to display a custom error page for invalid user credentials taken from web.config, error handling for the login credentials should be done in Global.asax as below:
/// <summary>
/// Global.asax session-start hook: attempts the configured impersonation and,
/// when it fails, ends the request by redirecting to the custom error page.
/// </summary>
/// <param name="sender">Event source supplied by ASP.NET (unused).</param>
/// <param name="e">Event data supplied by ASP.NET (unused).</param>
void Session_Start(object sender, EventArgs e)
{
    bool impersonated = Impersonate.ImpersonateUser();
    if (!impersonated)
    {
        // endResponse = true stops further processing of this request.
        Response.Redirect("GeneralError.aspx", true);
    }
}
Now the code for ImpersonateUser()
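/// <summary>
/// Logs on a Windows account whose credentials are read from the application's
/// appSettings and impersonates that account on the current thread.
/// </summary>
/// <remarks>
/// The credentials are read from <see cref="ConfigurationManager.AppSettings"/>
/// under the keys "userid", "domain" and "password"; the configuration holding
/// them should be encrypted, as the surrounding article recommends.
/// Impersonation is bound to the calling thread and stays in effect until the
/// returned <see cref="WindowsImpersonationContext"/> is undone.
/// </remarks>
public class Impersonate
{
    // Win32 signatures: LogonUser creates a logon token, CloseHandle releases it.
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LogonUser(
        string principal,
        string authority,
        string password,
        LogonSessionType logonType,
        LogonProvider logonProvider,
        out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // LOGON32_LOGON_* values passed to LogonUser.
    enum LogonSessionType : uint
    {
        Interactive = 2,
        Network,
        Batch,
        Service,
        NetworkCleartext = 8,
        NewCredentials
    }

    // LOGON32_PROVIDER_* values passed to LogonUser.
    enum LogonProvider : uint
    {
        Default = 0, // default for platform (use this!)
        WinNT35, // sends smoke signals to authority
        WinNT40, // uses NTLM
        WinNT50 // negotiates Kerb or NTLM
    }

    /// <summary>Creates an instance. All functionality is exposed statically.</summary>
    public Impersonate()
    {
    }

    /// <summary>
    /// Logs on the configured account and impersonates it on the current thread.
    /// The impersonation context is discarded, so a caller of this overload cannot
    /// revert the impersonation; use the <c>out</c> overload when that is needed.
    /// </summary>
    /// <returns>
    /// <c>true</c> if the logon succeeded and impersonation began; otherwise <c>false</c>.
    /// Failures (bad credentials, missing configuration, API errors) are not distinguished.
    /// </returns>
    public static bool ImpersonateUser()
    {
        WindowsImpersonationContext ignored;
        return ImpersonateUser(out ignored);
    }

    /// <summary>
    /// Logs on the configured account and impersonates it on the current thread,
    /// handing the impersonation context back so the caller can revert it.
    /// </summary>
    /// <param name="context">
    /// On success, the context whose <c>Undo()</c> restores the thread's original
    /// identity; <c>null</c> on failure.
    /// </param>
    /// <returns>
    /// <c>true</c> if the logon succeeded and impersonation began; otherwise <c>false</c>.
    /// </returns>
    public static bool ImpersonateUser(out WindowsImpersonationContext context)
    {
        context = null;
        IntPtr token = IntPtr.Zero;
        try
        {
            // Note: the credentials should be stored encrypted in the configuration file.
            string user = ConfigurationManager.AppSettings["userid"];
            string domain = ConfigurationManager.AppSettings["domain"];
            string pass = ConfigurationManager.AppSettings["password"];

            // LogonUser rejects a missing user name anyway; fail early instead of
            // calling into the API with absent configuration.
            if (string.IsNullOrEmpty(user))
            {
                return false;
            }

            bool loggedOn = LogonUser(user, domain, pass,
                LogonSessionType.Network,
                LogonProvider.Default,
                out token);
            if (!loggedOn)
            {
                return false;
            }

            // WindowsIdentity duplicates the token it is given, so the raw handle
            // can be released in the finally block once the identity exists.
            WindowsIdentity id = new WindowsIdentity(token);
            context = id.Impersonate();
            return true;
        }
        catch (Exception)
        {
            // Best-effort by design: a failure to impersonate is reported to the
            // caller as 'false' rather than propagated out of Session_Start.
            return false;
        }
        finally
        {
            // The original never closed the token, leaking one handle per call.
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
        }
    }
}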
Hence user authentication is performed in Session_Start, which allows redirecting to a custom error page for unauthorised access.
"Many of the great achievements of the world were accomplished by tired and discouraged men who kept on working."