Search code examples
c#asp.netasp.net-coreiisimpersonation

How to get user configured at <identity impersonate="true"> in web.config to execute some code with it own privileges (ASP.NET Core)


I'm having access denied errors when trying to create directories, move files etc. So I added (web.config) the impersonate user that have the right privileges to execute that functions.

So, in my web.config I have the current code:

<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>...</handlers>
      <aspNetCore .../>
    </system.webServer>
  </location>
  <system.web>
    <identity impersonate="true" password="password123" userName="DOMAIN\user123" />
  </system.web>
</configuration>

And in my IIS, the DefaultAppPool pool have the Identity property set to ApplicationPoolIdentity.
iis pool configuration identity

And now I use WindowsIdentity.RunImpersonated() to run my code that create the folders and etc that I talked earlier with the purpose to use the configured user (DOMAIN\user123), and not the current User.Identity logged into, like DOMAIN\anyOtherCurrentUser:

WindowsIdentity.RunImpersonated(WindowsIdentity.GetCurrent().AccessToken, () => {
      // create directory, move files, etc
});

The problem is when I run this code, calling WindowsIdentity.Getcurrent(), The user that I'm getting is the current one set on IIS Configuration IIS APPPOOL\DefaultAppPool and not the configured user in web.config DOMAIN\user123. Why this happens? How should I use this user configured in web.config?


Solution

  • You simply cannot.

    Anything under <system.web> applies to only ASP.NET 4.x or older, and ASP.NET Core does not honor such.

    Even for ASP.NET 4.x you should grant all permissions based on the application pool identity, not relying on impersonation for your own good.