Copyright © 2006 Pilothouse Consulting Inc. All rights reserved.
Impersonation in SharePoint
• Developers use impersonation when an application needs to perform a task for which the current user does not have permissions, for example:
  – accessing a master list on the WSS site of which the user might not be a member
  – creating a list when a user only has reader privileges
  – using Windows authentication to access a SQL database for which the currently logged in user does not have permissions
Impersonation – Web.config
• The ASP.NET web.config allows various settings:
  <identity impersonate="false"/> - runs as the process user
  <identity impersonate="true"/> - impersonates the currently logged in user
  <identity impersonate="true" userName="spstraining\admin" password="testpass"/> - impersonates the user specified
SharePoint always defaults to impersonating the currently logged in user
Impersonation – WindowsIdentity
• In code, we can find out the user under which the code runs:
  Response.Write("Process runs as " + WindowsIdentity.GetCurrent().Name);
Impersonation – WindowsImpersonationContext
• In code, we can create a WindowsImpersonationContext for a specific user:
  // create impersonation context (details are in SDK)
  WindowsImpersonationContext wic = CreateIdentity(user, domain, password).Impersonate();
  // code that will run under impersonated user
  // Create a list
  wic.Undo(); // revert back to currently logged in user
• Kerberos delegation needs to be on if trying to connect to resources on different servers
Impersonation – The New SharePoint Way
  SPSecurity.RunWithElevatedPrivileges(delegate()
  {
      // do things assuming the permission of the "system account"
      using (SPSite site = new SPSite(web.Site.ID))
      {
          Response.Write("content database name for this site is " + site.ContentDatabase.Name);
      }
  });
Demo: Impersonation
1. Use SharePoint specific impersonation
2. Use ASP.Net impersonation
Authentication Models
• Trusted Subsystem - the application (middle tier) authenticates with a fixed identity
  – Offers database connection pooling.
  – Is less complex.
  – The group that owns and manages the back end gives access to one account that they manage.
• Impersonation and Delegation - the application (middle tier) impersonates the client and authenticates to the back end on the client's behalf
  – To enable auditing at the back end.
  – If there is per-user authorization at the back end.
Connection String Options: SQL Authentication
• SQL Authentication:
server=training; uid=sa; pwd=Pilot; database=Pilothou1_Site
  Advantage: easy to use, no special requirements.
  Disadvantage: username and password are clear text.
Connection String Options: Windows Authentication
• Windows Authentication
  Advantage: username and password are not clear text.
  Disadvantage: if the application runs as the currently logged in user, that user must have access to the DB.
• Windows Authentication with impersonation of the application pool user
  Advantage: uses the application pool account to access the DB.
  Disadvantage: no significant disadvantages.
  example: Integrated Security=SSPI; server=training; database=Pilothou1_Site
Application Pool Account Impersonation Details
  using System.Security.Principal;

  // revert to self (the application pool account)
  WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
  try
  {
      // perform db operations
  }
  finally
  {
      wic.Undo(); // resume impersonating the logged in user
  }
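An added example (not from the slides) that fills in the "perform db operations" step above: the revert-to-self is wrapped around a parameterised query over the Windows-authenticated connection string from the previous slide, with the identity recorded before and after so the revert can be verified in a trace. The dbo.Items table and ListTitle column are hypothetical.

```csharp
using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;

// Added example, not from the original slides.
public static class AppPoolDbAccess
{
    // Windows Authentication: no credentials in the string. SQL Server sees the
    // process (application pool) account once impersonation is reverted.
    private const string ConnectionString =
        "Integrated Security=SSPI; server=training; database=Pilothou1_Site";

    public static int CountItems(string listTitle)
    {
        // The thread currently carries the browser user's token (web.config impersonate="true").
        Trace.WriteLine("Before revert: " + WindowsIdentity.GetCurrent().Name);

        // IntPtr.Zero reverts to the process token, i.e. the application pool account.
        WindowsImpersonationContext wic = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            Trace.WriteLine("During revert: " + WindowsIdentity.GetCurrent().Name);

            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = conn.CreateCommand())
            {
                // Hypothetical table; the caller-supplied title is bound as a parameter,
                // never concatenated into the SQL text.
                cmd.CommandText = "SELECT COUNT(*) FROM dbo.Items WHERE ListTitle = @title";
                cmd.Parameters.AddWithValue("@title", listTitle);
                conn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }
        finally
        {
            // Undo in finally: on an exception the thread would otherwise keep running
            // as the app pool account for the rest of the request.
            wic.Undo();
            Trace.WriteLine("After undo: " + WindowsIdentity.GetCurrent().Name);
        }
    }
}
```

Grant the application pool account only the rights this query needs on Pilothou1_Site; the revert widens what the request can reach, so the account's database permissions are the effective limit.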
Demo: Using App Pool Account to Access DB
1. Accessing DB using Windows Authentication and application pool account
Links
• How to implement impersonation in an ASP.NET application: http://support.microsoft.com/?id=306158
• ASP.NET Impersonation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetimpersonation.asp
• ASP.NET Impersonation (Designing Distributed Applications with Visual Studio .NET): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp