Thursday, July 17, 2014

Impersonation - A holistic approach


What is impersonation?
Impersonation means executing the current request in a different user's security context instead of the default one.

Every Windows process runs under a Windows identity, that is, the user account assigned to that process. The process can only do what the permissions granted to that identity allow.
In ASP.NET the worker process runs under the ASPNET account, which has limited privileges. If we need to access a resource that the default Windows identity of the process is not allowed to access, we can use the credentials of a Windows account that does have access to that resource. Running the process under such a user-provided, authenticated account instead of the default account is called impersonation.

Impersonation can significantly affect performance and scaling. It is generally more expensive to impersonate a client on a call than to make the call directly.

One can set impersonation through IIS at the application or page level using the Authentication feature.
There are scenarios where you don't want to set impersonation at the application level and don't want to share your credentials with the site administrator for security reasons. In that case the developer has the option to change the Windows account context, which by default is Network Service or ASPNET, to the user's domain account programmatically.

The following blog entry explains very clearly how to impersonate programmatically, and the author also explains the caveats nicely: http://weblog.west-wind.com/posts/2005/Feb/24/Using-programmatic-Impersonation-from-an-ASPNET-Page

As shown in that post, one has to use interop to call the Win32 LogonUser and CloseHandle functions, because .NET doesn't provide equivalent managed methods.
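As an added example (not code from this post or from the linked west-wind article), here is a .NET Framework helper that wraps the LogonUser / Impersonate / CloseHandle sequence described above so that the impersonated context is always reverted and the logon token is always closed, even when the work inside it throws. The class name ScopedImpersonation, the RunAs method, and the UNC share path used in the usage call are my own assumptions for illustration; the P/Invoke signatures are the documented advapi32/kernel32 ones.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: runs a delegate under another Windows account and reverts afterwards.
public static class ScopedImpersonation
{
    // Logon type / provider constants from winbase.h.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // LogonUser is not exposed by managed code, hence the interop declaration.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);

    // The token returned by LogonUser is a kernel handle and must be released with CloseHandle.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Executes 'action' while the calling thread impersonates domain\user.
    // The impersonation is undone and the token closed in the finally block,
    // so a failure inside 'action' cannot leave the worker thread running as the other user.
    public static T RunAs<T>(string domain, string user, string password, Func<T> action)
    {
        IntPtr token = IntPtr.Zero;

        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 error (bad credentials, account locked, logon right missing, ...).
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                // Everything inside this block runs under the impersonated identity.
                return action();
            }
            // Disposing the context calls Undo(), restoring the original process identity.
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder values: take real credentials from protected configuration, never from source.
        const string domain = "CONTOSO";
        const string user = "svc-reports";
        const string password = "<password-from-protected-config>";

        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);

        string text = ScopedImpersonation.RunAs(domain, user, password, () =>
        {
            // Hypothetical share that the default ASPNET / Network Service account cannot read.
            Console.WriteLine("Inside: " + WindowsIdentity.GetCurrent().Name);
            return File.ReadAllText(@"\\fileserver\reports\summary.txt");
        });

        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine(text.Length + " characters read");
    }
}
```

Two design points worth noting: the try/finally around CloseHandle is what keeps a thrown exception from leaking a logon token, and disposing the WindowsImpersonationContext (rather than relying on the request ending) is what guarantees the thread is back to the process identity before it returns to the thread pool. Because each RunAs call performs a full LogonUser, the performance caveat above applies: keep the impersonated section as short as possible.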

So.... IMPERSONATE!! ...but only when required :)!!
