Search code examples
c#asp.net-mvcactive-directoryimpersonation

Impersonating any user with ASP?

I am asking this here because perhaps it can be done programmatically. So at my job I just made a web portal for our employees so they can find phone numbers and whatnot on other colleagues, as well as send queries to change their private information to HR. It's an ASP.NET MVC project, hosted on our internal IIS server. The Portal is accessible from outside our company, so Basic Authentication and Windows Authentication is enabled.

What we some times needs as developers, and admins, is to be able to impersonate an existing user from our Active Directory. I know that you can impersonate an existing user but, what I'd like to know is if I can use some method or programming magic, to just pass something like initials (as we use as usernames) and then the portal will accept me as that user when I open the site.

It would be nice if I could do that on my localhost, rather than push it to live of course for testing purposes.

Is that something I can do? If so, how would I go about that? I am unsure on how I'd do it in C#.

Solution

  • The best thing I could recommend if you need to do this is to setup a development AD environment. You'd have to VPN into this environment or have some other way to get into it specifically (dedicated WiFi SSID, for example), as it will necessarily be totally segregated from the rest of your work network.

    From there, you can basically modify AD to essentially take over whatever account you like, simply by changing the password to something you'll know and then logging into a client machine on that segregated network via that user's credentials.

    Long and short, it's no easy thing, and you'd probably want to find an alternate way to test what you need to test. For example, is it not enough to simply set up a test account in AD that mimics the user(s) you need to test? It may have a different corporate email, but you can assign all the same groups and privileges.

    As @Transcendant stated in the comments below your question, to do it the way you want to (assuming you could), there'd essentially have to be a huge security hole in the application. If a malicious user was able to figure out the methodology to "test", they'd be able to assume any identity they liked on your site and wreck havoc. You may think, "how would they ever figure that out?", but do not discount the ingenuity and persistence of the modern hacker. Security through obscurity never pans out in reality.