In our web application, we want to impersonate the end user so that
its identity is carried through to our middle-tier remoting services. We
can't use Windows Authentication (the users are located on the internet,
with no access to our domain controller), so we need to do the
impersonation ourselves (given a username and a password, of course,
which will be provided to ASP.NET somehow. We won't use Basic
Authentication).
 
  I found quite a bit of code that basically calls LogonUser to receive
the impersonated user's token, and then uses WindowsIdentity.Impersonate
on that token. As far as I understand, this impersonation needs to be
done every time a new page is loaded.
 
  Is there a simpler way? When using Windows Authentication with
impersonation enabled, ASP.NET impersonates the user automatically. Is
there some sort of standard way to hook into this mechanism? Ideally -
some place in the session we can place the token (or WindowsIdentity)
only once, and have ASP.NET use it every time a page is loaded?
 
  And if there isn't, do we really need to call LogonUser every time a
page is loaded? What if we cache the token in the session, and only call
WindowsIdentity.Impersonate in the Page Loaded event? I'm worried here
about tokens becoming stale for some reason (I'm not worried about
Kerberos's ticket lifetime, the defaults exceed our usage anyway).
 
  Thanks,
  Itay.

===================================
This list is hosted by DevelopMentor®  http://www.develop.com
