How do you impersonate a user using Claims Authentication
Question asked by Bob Feller - May 13, 2015 at 11:45 AM
Answered
I'm trying to use ADFS Claims authentication for your FileUltimate product. I am following your sample (dynamic.aspx) and modified it with impersonation:
 
private void SetDynamicFolderAndPermissions(string userName)
    {
        // WIF 3.5 (Microsoft.IdentityModel) claims identity of the current principal
        IClaimsIdentity identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
        Claim upnClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upnClaim == null || String.IsNullOrEmpty(upnClaim.Value))
        {
            throw new Exception("No UPN claim found");
        }
        string upn = upnClaim.Value;

        // Protocol transition (S4U) through the Claims to Windows Token Service: no password needed
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn);
        using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate())
        {
            Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name);
            var rootFolder = new FileManagerRootFolder
            {
                Name = "Public",
                Location = "/public/"
            };
            var accessControl = new FileManagerAccessControl { Path = @"\" };
            switch (userName)
            {
                case "User1":
                    accessControl.AllowedPermissions = FileManagerPermissions.Full;
                    break;
                case "User2":
                    accessControl.AllowedPermissions = FileManagerPermissions.ReadOnly | FileManagerPermissions.Upload;
                    break;
            }
            rootFolder.AccessControls.Add(accessControl);
            FileManager1.RootFolders.Add(rootFolder);
        }
    }
 
This works with other file access through other web applications, but not with your control. Is there some way to impersonate without knowing the user's password?
 
Thank you, Bob

8 Replies

0
Cem Alacayir Replied
Employee Post
There is a built-in impersonation feature in FileUltimate. Normally you wouldn't need to write your own impersonation code. By the way, impersonating during initialization of the control will not work (as you did in your above code) because the control works outside the context of the original page: what you are doing is impersonating only when the control first loads, but the control will constantly send new requests to the server while you are using it. So impersonation should happen on a per-request basis.
 
To use the built-in impersonation feature, you should specify the Location property of the root folder like below when you can provide a password (first option):
 
Location = "Path=SOMEPATH; User Name=USER; Password=PASSWORD"
 
The second option below is used when you can't provide a password but the current identity is already authenticated; specify it like this:
 
Location = "Path=SOMEPATH; Authenticated User=true"
 
You should give the second option a try and see if it works. If not let me know and we will add special handling/support for Claims Authentication.
0
Bob Feller Replied
I tried using Authenticated Users=true, but it fails with a 401 Unauthorized. We are demoing this control, and really like it, but we use Claims Authentication throughout the site. If we can impersonate a claims user, we will definitely buy this product.

0
Cem Alacayir Replied
Employee Post Marked As Answer
Hi Bob,
Ok, we have implemented Claims Authentication support. Please download this new version from this link: ---deleted temporary fix link as v4.5.2.0 is released, please download that instead---
 
Now you will be able to specify "claims" as the value (in addition to "true") for the Authenticated User property:
Location = "Path=SOMEPATH; Authenticated User=claims"
Then FileUltimate will figure out the Claims Authentication details and impersonate accordingly.
You will not need to add any custom code for impersonation.
For completeness, the function will now look like the original example, except you only change the Location property:
 
private void SetDynamicFolderAndPermissions(string userName)
{
    var rootFolder = new FileManagerRootFolder
    {
        Name = string.Format("Folder of {0}", userName),
        // Built-in impersonation: FileUltimate resolves the claims identity per request
        Location = "Path=SOMEPATH; Authenticated User=claims"
    };

    var accessControl = new FileManagerAccessControl { Path = @"\" };

    switch (userName)
    {
        case "User1":
            accessControl.AllowedPermissions = FileManagerPermissions.Full;
            break;
        case "User2":
            accessControl.AllowedPermissions = FileManagerPermissions.ReadOnly | FileManagerPermissions.Upload;
            break;
    }

    rootFolder.AccessControls.Add(accessControl);
    fileManager.RootFolders.Add(rootFolder);
}
 
Please let me know the result of your testing.
0
Bob Feller Replied
I tried the new DLL, and cut and pasted your code, but it still fails with 401 Unauthorized...
0
Cem Alacayir Replied
Employee Post
I don't understand how and where you get "401 Unauthorized". If impersonation fails when you browse a folder, you would simply receive an error like "access to the path is denied". I hope you are not changing IIS settings. You don't need to turn on Windows Authentication in IIS. Are you sure you are getting this message in a window that pops up over FileUltimate (error message box)? I am not talking about not being able to access pages here.
0
Bob Feller Replied
I am not changing IIS settings. It is set up to use anonymous authentication only. I get the error in a popup window, not the page. The page loads fine, but the FileManager is empty. The same code works when using Windows Auth.
0
Cem Alacayir Replied
Employee Post
Ok, I understand the problem; the error probably comes from the S4UClient.UpnLogon call. Were you getting the same error "401 Unauthorized" with your code in the original post? If so, the problem is not even impersonation; the problem starts earlier, i.e. when trying to log on with the user name via S4UClient.UpnLogon. It seems the web application pool account is not allowed to access the Claims to Windows Token Service (C2WTS). The problem may be this:
"To enable access in other computers I had to create Service Principal Name (SPN) for the account on which my webapplication was running."
Please see this answer for details: http://stackoverflow.com/a/13645989
 
After you solve this logon configuration problem, impersonation should also work.
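The two points Cem makes above (impersonation must be scoped to each request rather than done once at control initialization, and a failure in S4UClient.UpnLogon is a C2WTS logon problem that happens before any impersonation) can be separated with a small diagnostic. The following C# is an added example, not code from FileUltimate, Microsoft, or this thread; it assumes the same WIF 3.5 assemblies the original post uses (Microsoft.IdentityModel.Claims for IClaimsIdentity/ClaimTypes and Microsoft.IdentityModel.WindowsTokenService for S4UClient), and the class name ClaimsImpersonationProbe and the probePath argument are hypothetical:

```csharp
// Added diagnostic example (not FileUltimate or Microsoft code). It runs the
// three steps of claims-to-Windows impersonation one at a time and reports
// which one fails, so a "cannot list folder" symptom can be attributed to the
// missing UPN claim, the C2WTS logon, or the impersonated access itself.
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;               // IClaimsIdentity, Claim, ClaimTypes (WIF 3.5)
using Microsoft.IdentityModel.WindowsTokenService;  // S4UClient (Claims to Windows Token Service client)

public static class ClaimsImpersonationProbe
{
    // Call once per request (e.g. from the page handling the request being probed).
    // probePath is a hypothetical directory the impersonated user should be able to list.
    public static string Run(string probePath)
    {
        // Step 1: the current principal must carry a claims identity with a UPN claim.
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null)
            return "step1: current identity is not a claims identity (WIF not configured for this request?)";

        Claim upnClaim = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upnClaim == null || string.IsNullOrEmpty(upnClaim.Value))
            return "step1: no UPN claim present; claim types seen: "
                 + string.Join(", ", identity.Claims.Select(c => c.ClaimType));

        // Step 2: ask C2WTS for a Windows token (S4U protocol transition, no password).
        // An exception here means the application pool account is not allowed to call
        // the service, or the SPN/delegation setup is incomplete; impersonation never ran.
        WindowsIdentity windowsIdentity;
        try
        {
            windowsIdentity = S4UClient.UpnLogon(upnClaim.Value);
        }
        catch (Exception ex)
        {
            return "step2: S4UClient.UpnLogon failed for " + upnClaim.Value + ": " + ex.Message;
        }

        // Step 3: impersonate only for the duration of this request's file operation.
        // The using block reverts to the application pool identity when it ends, so the
        // token never leaks into later requests the control sends to the server.
        try
        {
            using (windowsIdentity.Impersonate())
            {
                Directory.GetFiles(probePath);
                return "ok: " + WindowsIdentity.GetCurrent().Name + " can list " + probePath;
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            return "step3: logged on as " + windowsIdentity.Name + " but access was denied: " + ex.Message;
        }
    }
}
```

Calling ClaimsImpersonationProbe.Run(@"C:\FileUltimateRoot") from a test page while signed in through ADFS yields a single line naming the failing step; a "step2" result points at the C2WTS permissions and SPN configuration discussed above rather than at the control's Location setting.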
0
Bob Feller Replied
Do I need the S4UClient.UpnLogon? I removed this after putting in the claims parameter, and it did not work. I then put the S4UClient.UpnLogon back, but I am still receiving 402 in the dialog box.

When I set up claims, what claims are you looking for? Maybe I have the wrong claims being passed.

Thanks for your quick responses. I look forward to working with you on this and getting us working. My Director really likes the interface, so we would really like to get this working.

I also added the SPNs, and delegates, but to no avail.
