Form authentication based using active directory without asp membership

0
votes

I am trying to get a user to enter their domain login details, so the site can obtain a list of groups to determine what database to connect to.

The nearest code i have found, is from microsoft:

How to authenticate against the Active Directory by using forms authentication and Visual Basic .NET

As i am using IIS8, ASP 4.5 the code fails in the web.config referring to

       <identity impersonate="true" />


HTTP Error 500.24 - Internal Server Error

An ASP.NET setting has been detected that does not apply in 
Integrated managed pipeline mode.

Ok, so i remove this entry and it authentications with my domain but when it redirects the same logon page appears, i assume as nothing is telling it impersonate.

Further digging seems that i may not be able to use this code as it doesn't support managed pipeline mode. I do not want to use asp memberships as using domain groups to authenticate rights.

Help!

Want to keep integrated managed pipe and am using ASP.Net impersonation so i can use the authenticated ad user to authenticate against sql database.

2
asp.netiisactive-directoryforms-authenticationintegrated-pipeline-mode
It's not really clear to me what you're trying to accomplish. Impersonate is typically only used when you need to run the IIS worker process as the users credentials (for instance, if you want to access network resources as that user). It's generally not recommended unless absolutely necessary. Can you explain more about your requirements... "obtain a list of groups to determine what database to connect to" is quite vague.. - Erik Funkenbusch
@nickand can you not use Windows authentication instead of Forms authentication? Then do your lookup in System.DirectoryServices using Page.User.Identity - Reg Edit
I have been using windows authentication as this is a intranet application but i need to make this available on the internet so looking at form authentication to get windows user. - nickand

2 Answers

0
votes

The reason that impersonation is not allowed in integrated mode is that it conflicts with async operations, since operations can start as one user and end as another... this gets very confusing.

One way to do what you want is to use a WindowsImpersonationContext. Assuming you're using Windows Authentication:

WindowsIdentity id = (WindowsIdentity)Context.User.Identity;

// impersonation is automatically undone by
// WindowsImpersonationContext.Dispose()
using (WindowsImpersonationContext wic = id.Impersonate())
{
    // log into your database, do your queries, then cleanup
}

The drawback here is that you can't just leave connections laying open for the life of the response, or longer.. which is probably a good thing.. you need to cleanup your database code before you exit the using statement.

Note: The worker process must have rights to impersonate other users, or this won't work.

0
votes

The managed pipeline mode is set per Application Pool in IIS. By default, it is set to Integrated mode.

You may change it to Classic mode. The mode is set using the Edit Application Pool dialog, which opens when you right-click the app pool in IIS Manager and choose Basic Settings:

enter image description here

If you need to find out which app pool your site is using, look in the Advanced settings for the site.