
Background:

I have an MVC 5/C# app that interfaces with an outside API. It uses the Active Directory users' Principal Context for authorization. The app checks whether UserPrincipal.Current has their Un/Pw combo stored in the Db, to be used later for any operations on the external API.

    using System;
    using System.DirectoryServices.AccountManagement;

    public bool IsUserSetup()
    {
        try
        {
            // find currently logged in user
            var user = UserPrincipal.Current; // <- ERRS HERE -----
            // check if this user exists in Db with creds
            if (user != null)
            {
                var u = _userProfileRepository.GetUserProfileByUserSID(user.Sid.ToString());
                if (u != null
                    && !string.IsNullOrEmpty(u.RallyUsername)
                    && !string.IsNullOrEmpty(u.RallyPassword)
                    && u.IsActive // <-- make sure this person is an active user
                    )
                {
                    return true;
                }
            }
        }
        catch (Exception ex)
        {
            // swallowing the exception hides why UserPrincipal.Current failed; log it
            string exMessage = ex.Message;
            //throw; // rethrow with the original stack trace if callers should see it
        }
        return false;
    }
  • I understand that UserPrincipal.Current will return the App Pool's identity by default.
  • I also understand that if I set impersonate to true, IIS will use the current user's context, as in: <system.web> <identity impersonate="true"/> ...

However, if I turn Impersonation on (true), then I get this:

An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

So, I change the app pool to use 'classic' (which I don't think is the answer or path I should take), and I get this error:

The page you are requesting cannot be served because of the ISAPI and CGI Restriction list settings on the Web server.

Obviously, this works great in IIS Express, it sees me (domain\username) just fine. But when I switch it to IIS or deploy it to an actual web server, I get these problems.

I need to get the current user/principal so I can store their SID and credentials to the external API in the Db. Then upon using the site/app, it auto-magically uses their creds to do work in the API as needed.

What do I need to do to either:

  • setup IIS to allow impersonation to work
  • adjust my code to do the same
Beau D'Amore

1 Answer

From here, use option 2, which is:

<system.webServer>
   <!--When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config-->
   <validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
Gabriel Luci
  • ok, that got me by that one particular stumbling block, but it's not the whole answer. How do I get the current user in an AD Domain environment? – Beau D'Amore Jan 19 '16 at 19:03
  • You can use HttpContext.User.Identity – Gabriel Luci Jan 19 '16 at 19:15
  • No, I can't. If you mean System.Web.HttpContext.Current.User.Identity.Name that still shows as a blank string... It shouldn't be this hard to do. – Beau D'Amore Jan 19 '16 at 19:57
  • That means the user hasn't authenticated with your website using Windows authentication. Do you have it enabled under the system.web and system.webServer sections of your web.config? – Gabriel Luci Jan 19 '16 at 20:05
  • Yes, just figured that part out as well. Had to turn off Anonymous Auth and turn on Windows, now it's showing domain\user, which is good... – Beau D'Amore Jan 19 '16 at 21:17
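Putting the answer and the comment thread together, the following is an added example (not code from the asker or the answerer) of how the question's IsUserSetup check can be written so it does not depend on UserPrincipal.Current or on impersonation at all. It assumes the web.config state the comments arrive at: <authentication mode="Windows"/> under <system.web>, windowsAuthentication enabled and anonymousAuthentication disabled under <system.webServer><security><authentication>, and the answer's <validation validateIntegratedModeConfiguration="false"/> only if <identity impersonate="true"/> is kept. The controller name, IUserProfileRepository and UserProfile are hypothetical stand-ins for the question's _userProfileRepository and its return type.

```csharp
// Added example, not the original poster's code. Hypothetical controller and
// repository types; the web.config assumptions are listed in the lead-in above.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-ins for the question's repository and profile row.
public class UserProfile
{
    public string RallyUsername { get; set; }
    public string RallyPassword { get; set; } // protect this column at rest (e.g. DPAPI); never log it
    public bool IsActive { get; set; }
}

public interface IUserProfileRepository
{
    UserProfile GetUserProfileByUserSID(string sid);
}

public class UserSetupController : Controller
{
    private readonly IUserProfileRepository _userProfileRepository;

    public UserSetupController(IUserProfileRepository repository)
    {
        _userProfileRepository = repository;
    }

    // Returns the caller's Windows identity, or null when the request was not
    // Windows-authenticated (for example, Anonymous Authentication still enabled,
    // which is exactly the "blank Identity.Name" symptom from the comments).
    private static WindowsIdentity GetWindowsIdentity(HttpContextBase context)
    {
        var identity = context?.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            return null;
        }
        return identity;
    }

    // The SID is taken from the authenticated request token, so no directory
    // query and no impersonation are needed. UserPrincipal.Current would return
    // the application pool identity here instead of the browsing user.
    public bool IsUserSetup()
    {
        var identity = GetWindowsIdentity(HttpContext);
        if (identity == null)
        {
            return false;
        }

        string sid = identity.User.Value; // "S-1-5-21-..." form, same as user.Sid.ToString() in the question
        var u = _userProfileRepository.GetUserProfileByUserSID(sid);
        return u != null
            && !string.IsNullOrEmpty(u.RallyUsername)
            && !string.IsNullOrEmpty(u.RallyPassword)
            && u.IsActive;
    }

    // Only when directory attributes are needed (display name, e-mail, ...) is a
    // lookup by SID required. It runs as the app pool account, which needs
    // nothing more than read access to the domain; no impersonation.
    public string GetDisplayName(WindowsIdentity identity)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value))
        {
            return user?.DisplayName;
        }
    }
}
```

The design choice is to treat the SID in the Windows authentication token as the identity key and to avoid impersonation for the database lookup: the app pool account does the work, the SID still uniquely identifies the browsing user, and the only code path that touches Active Directory is the optional attribute lookup. If the action returns false under IIS but true under IIS Express, check the Anonymous/Windows authentication settings first, since GetWindowsIdentity returns null precisely in that misconfiguration.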