Impersonation across threads in ASP.NET

May 30, 2007
Some web applications need to impersonate a user account for one reason or another. This is done from web.config and could look like this:

<identity impersonate="true" />

Threading


The impersonation works fine, but if you create new threads manually you would lose the impersonation if you don’t move it along to the new thread. This gave me a severe headache before I figured out how to pass the impersonation to the newly created thread.  

What you need to do, is to pass the WindowsIdentity object to the new thread and from there impersonate again manually.  Here is an example of how to do it using the ThreadPool:

public void StartAsyncCall()
{
  System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
  ThreadPool.QueueUserWorkItem(RunAsyncCall, identity);
}

private void RunAsyncCall(object stateInfo)
{
  System.Security.Principal.WindowsIdentity identity = (System.Security.Principal.WindowsIdentity)stateInfo;
  identity.Impersonate();

  DoSomething();
}

As you can see, it is pretty simple once you know how.* Only $4.95/month ASP.NET & Windows 2008 + IIS 7 Hosting! FREE SQL Included
Comments (6)

Comments (6) -

Josh Stodola
Josh Stodola United States
5/30/2007 4:15:32 PM #

Hey, thats a great tip.  Thanks for sharing!

Josh Stodola
Josh Stodola United States
5/30/2007 4:18:07 PM #

Oh yeah, forgot to point out that the title link of your RSS feed is an invalid URL.  Brings me to a 404.

The URL it uses is http://blog.madskristensen.dk/author/

Hope this helps...

Matt Ellis
Matt Ellis
5/30/2007 9:34:43 PM #

Nice tip, but what happens to the thread when it gets returned to the pool? Does the impersonation stop, or does the thread remain impersonating the user? If it's the latter, it's quite a serious security risk...

Cheers
Matt

Matt Ellis
Matt Ellis United Kingdom
5/30/2007 9:36:45 PM #

PS. I specified my website, but I don't get a link on my name. I'll try setting the country this time, and see what happens.

Mads Kristensen
Mads Kristensen Denmark
5/30/2007 9:54:15 PM #

@Josh
Strange about the RSS feed. I can't dublicate the error of the Feedburner feed. I'll look into it. Thanks.

@Matt
Good question. I don't know what happens, but ASP.NET uses the threadpool internally to serve the pages, so I think they get reset once they return to the pool. Otherwise we wouldn't need to pass the identity to new threads.

Josh Stodola
Josh Stodola United States
5/31/2007 12:57:31 PM #

Hi Mads,

I dont think its a problem with the feedburner feed, rather the one coming out of your syndication handler.  See for yourself...

blog.madskristensen.dk/.../syndication.axd

Hope this helps...

Pingbacks and trackbacks (1)+

Comments are closed

About the author

Mads Kristensen

Mads Kristensen
Program Manager at the Microsoft Web Platform team and founder of BlogEngine.NET.

More...

Month List

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.