
ASP.NET Authentication with Siteminder

Question:

Our site currently is setup to use windows authentication. The user security principal is automatically set when the request gets to our code and authorization to specific files is controlled with authorization elements in our web.config.

We've now been mandated to install siteminder on our server to handle authentication. Because of this the user security principal is not automatically set and our code without modification doesn't know who the user is to determine authorization.

I've developed the following code to solve that problem. It takes the user name from a header that siteminder injects into the request and it creates a user security principal.

    using System;
    using System.Security.Principal;
    using System.Web;

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string userSSO = null;
        // Siteminder gives us the user in this format: domain\user
        userSSO = HttpContext.Current.Request.Headers["SMUser"];
        if (userSSO != null && userSSO != "")
        {
            // We have to take the id in the format Siteminder gives us and switch it
            // over to UPN format like this: user@domain
            string[] delimiters = { "\\" };
            string[] aryUserSSO = userSSO.Split(delimiters, StringSplitOptions.RemoveEmptyEntries);
            if (aryUserSSO.Length != 2)
            {
                // Header did not have the domain\user shape; indexing aryUserSSO[1] would throw
                return;
            }
            // "domain.com" is the poster's placeholder UPN suffix
            string UPN = aryUserSSO[1] + "@" + aryUserSSO[0] + "domain.com";
            // Now we create identity and principal objects using the UPN
            WindowsIdentity identity = new WindowsIdentity(UPN, "WindowsAuthentication");
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            HttpContext.Current.User = principal;
        }
    }

This code works fine so long as the identity of the AppPool on IIS is set to run as LocalSystem. However, if you set the identity of the AppPool to anything else with fewer permissions like NetworkService or ApplicationPoolIdentity you get the following error message.

<blockquote>
Server Error in '/Form1' Application.

Attempted to perform an unauthorized operation.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via &lt;identity impersonate="true"/&gt;, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[UnauthorizedAccessException: Attempted to perform an unauthorized operation.]
   System.Security.Principal.WindowsIdentity.get_AuthenticationType() +300
   System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal) +181
   System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal) +701
   System.Web.HttpContext.set_User(IPrincipal value) +49
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +182
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +266

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1022
</blockquote>

Also, the event viewer on the servers shows this.

<blockquote>
The following exception was thrown by the web event provider 'EventLogProvider' in the application '/Form1' (in an application lifetime a maximum of one exception will be logged per provider instance):

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Security.Principal.WindowsIdentity.get_AuthenticationType()
   at System.Web.Management.EventLogWebEventProvider.AddWebRequestInformationDataFields(ArrayList dataFields, WebRequestInformation reqInfo)
   at System.Web.Management.EventLogWebEventProvider.ProcessEvent(WebBaseEvent eventRaised)
   at System.Web.Management.WebBaseEvent.RaiseInternal(WebBaseEvent eventRaised, ArrayList firingRuleInfos, Int32 index0, Int32 index1)
</blockquote>

Per this article ("The following exception was thrown by the web event provider 'EventLogProvider'", https://stackoverflow.com/questions/8290791/the-following-exception-was-thrown-by-the-web-event-provider-eventlogprovider) I thought the problem must be that my code was trying to write to the EventLog but didn't have permissions. However, after following the steps outlined in this article (http://support.thycotic.com/KB/a220/giving-application-pool-access-to-event-log.aspx) it still doesn't work.

I'm hoping someone can tell me what it is my code is trying to do on the server that ApplicationPoolIdentity doesn't have access to do and that we can figure out what additional permissions need to be granted to ApplicationPoolIdentity.

Answer1:

Your problem isn't Siteminder but rather that you want to impersonate arbitrary user accounts the name of which you're getting from the siteminder header.

    // Now we create identity and principal objects using the UPN
    WindowsIdentity identity = new WindowsIdentity(UPN, "WindowsAuthentication");
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    HttpContext.Current.User = principal;

In order to do this you'd need the "Act as part of the operating system" privilege.

As the MSDN article (http://msdn.microsoft.com/en-us/library/ms813614.aspx) notes, LocalSystem already has this, which is why it worked when that was the account.

There are lots of warnings inside the article about why you shouldn't grant that privilege.

This does make me wonder exactly why you are doing this?
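The privilege the answer refers to is only needed because `new WindowsIdentity(upn, ...)` performs a Windows logon on behalf of the user. If the application only needs `HttpContext.User` populated so that the `<authorization>` elements in web.config keep working, a principal that carries the name without performing a logon avoids the requirement altogether. The following is an added example, not code from the question or the answer: the `HeaderPrincipalBuilder` class, the `upnSuffix` parameter and the "SiteMinder" authentication-type label are assumptions made for illustration, and "domain.com" is carried over from the question as a placeholder suffix.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: builds a GenericPrincipal from the SiteMinder "SMUser" header
// instead of a WindowsIdentity, so no Windows logon (and therefore no
// "Act as part of the operating system" privilege) is involved.
public static class HeaderPrincipalBuilder
{
    // Converts "DOMAIN\user" into "user@DOMAIN<upnSuffix>", the same composition the
    // question uses. Returns null on anything that does not have that shape instead of
    // throwing IndexOutOfRangeException on a header without a backslash.
    public static string ToUpn(string smUser, string upnSuffix)
    {
        if (string.IsNullOrWhiteSpace(smUser)) return null;

        string[] parts = smUser.Split(new[] { '\\' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2) return null;

        string domain = parts[0];
        string user = parts[1];

        // Only accept characters that belong in an account name or domain label, so a
        // malformed header cannot smuggle separators or whitespace into the principal name.
        foreach (char c in user + domain)
        {
            if (!(char.IsLetterOrDigit(c) || c == '.' || c == '-' || c == '_')) return null;
        }

        return user + "@" + domain + upnSuffix;
    }

    // Builds the principal for the current request, or returns null when the header is
    // absent or malformed so the caller leaves the request unauthenticated.
    public static IPrincipal BuildPrincipal(HttpRequest request, string upnSuffix)
    {
        string upn = ToUpn(request.Headers["SMUser"], upnSuffix);
        if (upn == null) return null;

        // GenericIdentity carries the name and an authentication-type label only;
        // nothing is looked up or logged on in Windows.
        GenericIdentity identity = new GenericIdentity(upn, "SiteMinder");

        // Roles would have to come from a trusted source (another agent-supplied header
        // or a directory lookup). With an empty role list only <allow users="..."/> and
        // <deny users="..."/> rules in web.config can match.
        return new GenericPrincipal(identity, new string[0]);
    }
}

// Global.asax.cs wiring for the builder above (added example).
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // "domain.com" is the placeholder suffix from the question.
        IPrincipal principal = HeaderPrincipalBuilder.BuildPrincipal(Request, "domain.com");
        if (principal != null)
        {
            Context.User = principal;
        }
    }
}
```

Two consequences of this design are worth keeping in mind. First, because no logon happens, `Context.User` is not a `WindowsPrincipal`: file-system ACLs and anything else that relied on impersonating the caller will now run under the application pool identity, which is exactly what lets the pool run as ApplicationPoolIdentity or NetworkService. Second, the `SMUser` header is the whole basis for authentication, so the SiteMinder web agent must be the only path into the application; if a client could reach the site without passing through the agent, the header value would be under that client's control.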
