How do you impersonate a user using Claims Authentication
Question asked by Bob Feller - May 13, 2015 at 11:45 AM
Answered
I'm trying to use ADFS Claims authentication for your FileUltimate product. I am following your sample (dynamic.aspx) and modified it with impersonation:
 
using System;
using System.Linq;
using System.Threading;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;              // WIF 3.5: IClaimsIdentity, Claim, ClaimTypes
using Microsoft.IdentityModel.WindowsTokenService;  // S4UClient (Claims to Windows Token Service client)
using GleamTech.FileUltimate;                       // FileManagerRootFolder, FileManagerAccessControl, FileManagerPermissions

private void SetDynamicFolderAndPermissions(string userName)
    {
        // WIF 3.5 exposes the claims identity through the IClaimsIdentity interface, so cast to that.
        IClaimsIdentity identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        // FirstOrDefault: First() would throw before the null check below ever ran.
        Claim upnClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        string upn = upnClaim == null ? null : upnClaim.Value;
        if (String.IsNullOrEmpty(upn))
        {
            throw new Exception("No UPN claim found");
        }
        
        // S4U logon: obtain a Windows token for the claims user without a password (via C2WTS).
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn); 
        string username = windowsIdentity.User.ToString();
        WindowsIdentity wi = WindowsIdentity.GetCurrent();   // identity before impersonation (the app pool account)
        WindowsPrincipal wp = new WindowsPrincipal(windowsIdentity);
        using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate())
        {
            Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name);
            var rootFolder = new FileManagerRootFolder
            {
                Name = string.Format("Public"),
                Location = string.Format("/public/")
            };
            var accessControl = new FileManagerAccessControl { Path = @"\" };
            switch (userName)
            {
                case "User1":
                    accessControl.AllowedPermissions = FileManagerPermissions.Full;
                    break;
                case "User2":
                    accessControl.AllowedPermissions = FileManagerPermissions.ReadOnly | FileManagerPermissions.Upload;
                    break;
            }
            rootFolder.AccessControls.Add(accessControl);
            FileManager1.RootFolders.Add(rootFolder);
        }   // impersonation is reverted here, before the control serves any further requests
    }
 
This works with other file access through other web applications, but not with your control. Is there some way to impersonate without knowing the user's password?
 
Thank you, Bob

3 Replies

Cem Alacayir Replied
May 13, 2015 at 12:07 PM
Employee Post
There is a built-in impersonation feature in FileUltimate. Normally you wouldn't need to write your own impersonation code. By the way, impersonating while initializing the control will not work (as you did in your above code), because the control works outside the context of the original page: what you are doing is impersonating only when the control first loads, but the control will constantly send new requests to the server while you are using it. So impersonation should happen on a per-request basis.
 
To use the built-in impersonation feature, you should specify the Location property of the root folder like below when you can provide a password (first option):
 
Location = "Path=SOMEPATH; User Name=USER; Password=PASSWORD"
 
The second option below is used when you can't provide a password but the current identity is already authenticated; you should specify it like this:
 
Location = "Path=SOMEPATH; Authenticated User=true"
 
You should give the second option a try and see if it works. If not, let me know and we will add special handling/support for Claims Authentication.
Cem Alacayir Replied
May 13, 2015 at 2:50 PM
Employee Post
Hi Bob,
Ok, we have implemented Claims Authentication support. Please download this new version from this link: ---deleted  temporary fix link as v4.5.2.0 is released, please download that instead---
 
Now you will be able to specify "claims" as the value (in addition to "true") for the Authenticated User property:
Location = "Path=SOMEPATH; Authenticated User=claims"
Then FileUltimate will figure out the Claims Authentication details and impersonate accordingly.
You will not need to add any custom code for impersonation.
For completeness, the function will now look like the original example, except you will only change the Location property:
 
private void SetDynamicFolderAndPermissions(string userName) 
{ 
    var rootFolder = new FileManagerRootFolder 
    { 
        Name = string.Format("Folder of {0}", userName), 
        Location = "Path=SOMEPATH; Authenticated User=claims"
    }; 

    var accessControl = new FileManagerAccessControl { Path = @"\" }; 

    switch (userName) 
    { 
        case "User1": 
            accessControl.AllowedPermissions = FileManagerPermissions.Full; 
            break; 
        case "User2": 
            accessControl.AllowedPermissions = FileManagerPermissions.ReadOnly | FileManagerPermissions.Upload; 
            break; 
    } 

    rootFolder.AccessControls.Add(accessControl); 
    fileManager.RootFolders.Add(rootFolder); 
} 
 
Please let me know the result of your testing.
Cem Alacayir Replied
May 14, 2015 at 11:13 AM
Employee Post
Ok, I understand the problem; the error probably comes from the S4UClient.UpnLogon call. Were you getting the same "401 Unauthorized" error with your code in the original post? If so, the problem is not even impersonation; the problem starts earlier, i.e. when trying to log on with the user name via S4UClient.UpnLogon. It seems the web application pool account is not allowed to access the Claims to Windows Token Service (C2WTS). The problem may be this:
To enable access on other computers I had to create a Service Principal Name (SPN) for the account on which my web application was running.
Please see this answer for details: http://stackoverflow.com/a/13645989
 
After you solve this logon configuration problem, impersonation should also work.
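The following is an added example (not FileUltimate's code, and not the code posted in this thread) of the per-request pattern described in the first reply, with the S4U logon step isolated so that a refused logon (the C2WTS / SPN problem from the last reply) is distinguishable from a later file-system access-denied. It assumes the WIF 3.5 API (Microsoft.IdentityModel) that the original post uses; the class `ClaimsS4UImpersonation`, the handler `DownloadHandler` and the path `C:\Shares\Public` are hypothetical names chosen for the example.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;              // WIF 3.5 claims model (IClaimsIdentity, Claim, ClaimTypes)
using Microsoft.IdentityModel.WindowsTokenService;  // S4UClient -> Claims to Windows Token Service

// Added example, not FileUltimate code. Runs one piece of work as the Windows account
// that the claims identity's UPN maps to, for exactly the duration of that work.
public static class ClaimsS4UImpersonation
{
    // Pull the UPN claim out of the request's claims identity, failing loudly if it is absent.
    public static string GetUpn(IPrincipal principal)
    {
        var identity = principal == null ? null : principal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Request is not authenticated with a claims identity.");

        // FirstOrDefault: First() throws InvalidOperationException when the claim is missing.
        Claim upnClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upnClaim == null || string.IsNullOrEmpty(upnClaim.Value))
            throw new InvalidOperationException("No UPN claim found; cannot map the claims user to a Windows account.");
        return upnClaim.Value;
    }

    // Impersonate per call: the impersonation token is bound to the calling thread and is
    // reverted when the using blocks exit, so it never leaks into later requests.
    public static T RunAsClaimsUser<T>(IPrincipal principal, Func<T> work)
    {
        string upn = GetUpn(principal);
        WindowsIdentity windowsIdentity;
        try
        {
            // Password-less S4U logon through C2WTS. The application pool account must be
            // listed as an allowed caller of C2WTS and have an SPN / delegation configured.
            windowsIdentity = S4UClient.UpnLogon(upn);
        }
        catch (Exception ex)
        {
            // Separate "logon refused by C2WTS" from a later access-denied on the file
            // system; both otherwise surface to the browser as an opaque 401.
            throw new InvalidOperationException(
                "S4U logon for '" + upn + "' failed; check the C2WTS allowed callers and the SPN of the application pool account.", ex);
        }

        using (windowsIdentity)
        using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
        {
            return work();
        }
    }
}

// Usage inside a request (an .ashx handler here), not at control initialization:
// the delegate runs under the claims user's Windows token, NTFS ACLs are evaluated
// against that user, and the token is reverted before the handler returns.
public class DownloadHandler : System.Web.IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(System.Web.HttpContext context)
    {
        // Path.GetFileName strips any directory components from the client-supplied name,
        // so a request cannot escape the share root; the root itself is a hypothetical path.
        string fileName = Path.GetFileName(context.Request["file"] ?? "");
        if (fileName.Length == 0)
            throw new System.Web.HttpException(400, "Missing file name.");
        string path = Path.Combine(@"C:\Shares\Public", fileName);

        byte[] bytes = ClaimsS4UImpersonation.RunAsClaimsUser(
            context.User, () => File.ReadAllBytes(path));

        context.Response.ContentType = "application/octet-stream";
        context.Response.BinaryWrite(bytes);
    }
}
```

Two points worth keeping in mind with this pattern. First, S4U lets the application obtain a token for any UPN without a password, so the UPN claim must come only from the trusted STS configured in WIF (issuer name registry and audience restriction); an application that accepts tokens from other issuers becomes an "impersonate any domain user" oracle. Second, the impersonation token is thread-bound, so keep the impersonated work synchronous inside the using block and never let it span an async continuation. When using FileUltimate's own `Authenticated User=claims` setting from the second reply, none of this custom code is needed, since, per that reply, the control performs the impersonation itself on each request.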
