Let's say I'm on a domain (paddyspub.com) and user dennisreynolds@paddyspub.com calls a web service that is configured in IIS to use NTLM / windows authentication. Is there a way for me to start a process on the web server as dennisreynolds@paddyspub.com from the method in web service that was called?
-
I think in theory you should be able to as incoming credentials are valid on the server. You clearly will not be able to call out of the server under such credentials... – Alexei Levenkov Jul 14 '14 at 19:59
-
@AlexeiLevenkov You should be able to call out to other servers on the domain using those credentials as your service is authenticated as that user. Or am I missing something? – SilverlightFox Jul 15 '14 at 08:20
-
@SilverlightFox - no, you've lost your hop at that point - user machine -> server is one hop already; as a result you can't call out of the server box with user credentials. Search term - "NTLM one hop". – Alexei Levenkov Jul 15 '14 at 14:24
-
@AlexeiLevenkov aha, you're right - I was thinking of Kerberos. – SilverlightFox Jul 15 '14 at 14:29
1 Answer
Take a look at ASP.NET Impersonation:
When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.
ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).
When impersonation is enabled, only your application code runs under the context of the impersonated user. Applications are compiled and configuration information is loaded using the identity of the ASP.NET process. For more information, see Configuring ASP.NET Process Identity. The compiled application is put in the Temporary ASP.NET files directory. The application identity that is being impersonated needs to have read/write access to this directory. The impersonated application identity also requires at least read access to the files in your application directory and subdirectories. For more information, see ASP.NET Required Access Control Lists (ACLs).
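As an added example (not part of the original answer, and not Microsoft's code), here is what actually starting a process as the caller takes, assuming an ASMX web service hosted in IIS with Windows authentication (web.config: `<authentication mode="Windows" />` under system.web, with or without `<identity impersonate="true" />`). The names RunAsCaller, ShellService, the namespace URL and the output path are invented for the example. The point the impersonation text above does not make: Process.Start is built on CreateProcess, which always uses the worker process's primary token, never the thread's impersonation token, so even with impersonation enabled a child started that way runs as the application pool account. The caller's token has to be duplicated into a primary token and handed to CreateProcessAsUser:

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Web.Services;

// Added example, not from the original post. Starts a process under the Windows
// token IIS built for the current request. Process.Start() is not enough here:
// CreateProcess ignores the thread's impersonation token and uses the w3wp.exe
// primary token, so the child would run as the app pool identity.
public static class RunAsCaller
{
    const uint MAXIMUM_ALLOWED = 0x02000000;
    const int SecurityImpersonation = 2;   // SECURITY_IMPERSONATION_LEVEL
    const int TokenPrimary = 1;            // TOKEN_TYPE
    const uint CREATE_NO_WINDOW = 0x08000000;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess,
        IntPtr lpTokenAttributes, int impersonationLevel, int tokenType, out IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName,
        StringBuilder lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment,
        string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns the PID of the child, which runs as 'caller'. Throws on any failure
    // rather than silently falling back to the app pool account.
    public static int Start(WindowsIdentity caller, string commandLine)
    {
        // An Identification-level token (client only let us learn who it is) cannot be
        // duplicated into a primary token; NTLM over IIS normally yields Impersonation.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "Caller token is not impersonation-level: " + caller.ImpersonationLevel);

        IntPtr primary;
        if (!DuplicateTokenEx(caller.Token, MAXIMUM_ALLOWED, IntPtr.Zero,
                              SecurityImpersonation, TokenPrimary, out primary))
            throw new Win32Exception();
        try
        {
            var si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(si);
            PROCESS_INFORMATION pi;
            // lpEnvironment == NULL: child inherits w3wp's environment (USERPROFILE etc.
            // are the app pool's, not the caller's); use CreateEnvironmentBlock if that matters.
            if (!CreateProcessAsUser(primary, null, new StringBuilder(commandLine),
                                     IntPtr.Zero, IntPtr.Zero, false, CREATE_NO_WINDOW,
                                     IntPtr.Zero, null, ref si, out pi))
                // Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD) here means the worker
                // process lacks SeAssignPrimaryTokenPrivilege.
                throw new Win32Exception();
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally
        {
            CloseHandle(primary);
        }
    }
}

[WebService(Namespace = "http://example.invalid/paddyspub")]   // hypothetical namespace
public class ShellService : WebService
{
    [WebMethod]
    public int WhoAmI()
    {
        // With IIS Windows auth, User.Identity is the WindowsIdentity built from the
        // NTLM exchange; its Token is what we need. web.config impersonation is not
        // required for this path, it only changes what WindowsIdentity.GetCurrent() returns.
        var caller = (WindowsIdentity)User.Identity;
        // Fixed command line on purpose: never let the caller supply it.
        return RunAsCaller.Start(caller, "cmd.exe /c whoami > C:\\temp\\whoami.txt");
    }
}
```

Two things to check before relying on this. First, CreateProcessAsUser requires the worker process to hold SeAssignPrimaryTokenPrivilege (and SeIncreaseQuotaPrivilege); NETWORK SERVICE has them, and the assumption here is that the ApplicationPoolIdentity virtual account does too, so verify with `whoami /priv` from inside the pool before depending on it. Second, the child inherits the one-hop limit discussed in the comments: its token came from NTLM, so it carries no credentials it can present to another server, and anything the child does against a file share or a second web service will arrive as the machine account or anonymous, not as dennisreynolds.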