
Copyright © 2006 Pilothouse Consulting Inc. All rights reserved.

Impersonation in SharePoint

• Developers use impersonation when an application needs to perform a task for which the current user does not have permissions

example:

• accessing a master list on the WSS site of which the user might not be a member

• creating a list when a user only has reader privileges

• using Windows authentication to access a SQL database for which the currently logged in user does not have permissions


Impersonation – Web.config

• ASP.Net web.config allows various settings:

<identity impersonate="false"/> - runs as the process user
<identity impersonate="true"/> - impersonates the currently logged in user
<identity impersonate="true" userName="spstraining\admin" password="testpass"/> - impersonates the user specified

SharePoint always defaults to impersonating the currently logged in user


Impersonation – WindowsIdentity

• In code, we can find out the user under which the code runs:

Response.Write("Process runs as " + WindowsIdentity.GetCurrent().Name);


Impersonation – WindowsImpersonationContext

• In code, we can create WindowsImpersonationContext for a specific user:

// create impersonation context (details are in SDK)
WindowsImpersonationContext wic = CreateIdentity(user, domain, password).Impersonate();

// code that will run under impersonated user
// Create a list

wic.Undo(); // revert back to currently logged in user

• Kerberos delegation needs to be on if trying to connect to resources on different servers
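The CreateIdentity helper the slide calls is not shown on the page. As an added example (not the slide's or the SDK's own code), here is one way to build it on Win32 LogonUser, the approach taken by the KB 306158 article linked on the last slide, together with a wrapper that always reverts in a finally block; the account name, domain and password passed in are placeholders supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the slides: CreateIdentity built on Win32 LogonUser (the approach
// in the KB 306158 article linked on the last slide) and a RunAs wrapper that always calls
// Undo() in a finally block, so an exception cannot leave the thread impersonating.
static class ImpersonationHelper
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2; // logon type used by the KB sample
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Same signature as the slide's CreateIdentity(user, domain, password)
    public static WindowsIdentity CreateIdentity(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // wrong password, locked out, ...
        try
        {
            return new WindowsIdentity(token); // the constructor duplicates the token ...
        }
        finally
        {
            CloseHandle(token); // ... so the original logon handle is released here
        }
    }
    // Runs 'work' as the given account, then reverts to the caller's identity
    public static void RunAs(string user, string domain, string password, Action work)
    {
        WindowsImpersonationContext wic = CreateIdentity(user, domain, password).Impersonate();
        try
        {
            work(); // e.g. create the list the visitor is not allowed to create
        }
        finally
        {
            wic.Undo(); // revert even if work() throws
        }
    }
}
```

The password still has to come from somewhere, which is the same clear-text concern the web.config userName/password form carries; the finally block is what keeps a failed call from leaving later requests on that thread running as the service account.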


Impersonation – The New SharePoint Way

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // do things assuming the permission of the "system account"
    using (SPSite site = new SPSite(web.Site.ID))
    {
        Response.Write("content database name for this site is " + site.ContentDatabase.Name);
    }
});


Demo: Impersonation


1. Use SharePoint specific impersonation

2. Use ASP.Net impersonation


Authentication Models

• Trusted Subsystem - the application (middle tier) authenticates with a fixed identity
  – Offers database connection pooling.
  – Is less complex.
  – The group that owns and manages the back end gives access to one account that they manage.

• Impersonation and Delegation - the application (middle tier) impersonates the client and authenticates to the back end on the client's behalf
  – To enable auditing at the back end.
  – If there is per-user authorization at the back end.


Connection String Options: SQL Authentication

• SQL Authentication:

server=training; uid=sa; pwd=Pilot; database=Pilothou1_Site

Advantage: easy to use, no special requirements.
Disadvantage: username and password are in clear text


Connection String Options: Windows Authentication

• Windows Authentication

Advantage: username and password are not in clear text.
Disadvantage: if the application runs as the currently logged in user, that user must have access to the DB.

• Windows Authentication with impersonation of the application pool user

Advantage: uses the application pool account to access the DB.
Disadvantage: no significant disadvantages

example:
Integrated Security=SSPI; server=training; database=Pilothou1_Site


Application Pool Account Impersonation Details

using System.Security.Principal;

// revert to self
WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
try
{
    // perform db operations
}
finally
{
    wic.Undo(); // resume impersonating
}
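Putting the revert-to-self pattern together with the Windows Authentication connection string from the previous slide, as an added example that is not part of the original deck: it assumes the connection string from that slide and a reachable SQL Server, and uses SUSER_SNAME() to report which login the database actually authenticated, which is the check that confirms the app pool account, not the visitor, opened the connection.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example, not from the slides: run a query as the application pool account while the
// request thread is impersonating the site visitor. The thread reverts to the process identity
// only for the query, and SUSER_SNAME() confirms which login SQL Server actually saw.
static class AppPoolDbAccess
{
    // Assumption: the SSPI connection string from the Windows Authentication slide
    const string ConnectionString =
        "Integrated Security=SSPI; server=training; database=Pilothou1_Site";

    public static string WhoDoesSqlServerSee()
    {
        string visitor = WindowsIdentity.GetCurrent().Name; // the impersonated visitor

        // Revert to self: the thread now runs as the app pool account
        WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            string processUser = WindowsIdentity.GetCurrent().Name;
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open(); // integrated login is made with processUser, not visitor
                string sqlLogin = (string)cmd.ExecuteScalar();
                return "visitor=" + visitor + " process=" + processUser + " sqlLogin=" + sqlLogin;
            }
        }
        finally
        {
            wic.Undo(); // resume impersonating the visitor, even if Open() or the query throws
        }
    }
}
```

With a domain account as the app pool identity, sqlLogin matches processUser; if the pool runs as Network Service, a remote SQL Server sees the machine account (DOMAIN\MACHINE$) instead, so that is the login that needs the database grant.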


Demo: Using App Pool Account to Access DB


1. Accessing DB using Windows Authentication and application pool account


Links

• How to implement impersonation in ASP.NET application: http://support.microsoft.com/?id=306158

• ASP.NET Impersonation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp

• ASP.NET Impersonation (Designing Distributed Applications with Visual Studio .NET): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp