I am trying to get a user to enter their domain login details, so the site can obtain a list of groups to determine what database to connect to.
The nearest code I have found is from Microsoft:
How to authenticate against the Active Directory by using forms authentication and Visual Basic .NET
As I am using IIS 8 and ASP 4.5, the code fails in the web.config, referring to
<identity impersonate="true" />
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in
Integrated managed pipeline mode.
OK, so I remove this entry and it authenticates with my domain, but when it redirects the same logon page appears; I assume this is because nothing is telling it to impersonate.
Further digging suggests that I may not be able to use this code, as it doesn't support managed pipeline mode. I do not want to use ASP memberships, as I am using domain groups to authenticate rights.
Help!
I want to keep the integrated managed pipeline and am using ASP.NET impersonation so I can use the authenticated AD user to authenticate against the SQL database.
The reason that impersonation is not allowed in integrated mode is that it conflicts with async operations, since operations can start as one user and end as another; this gets very confusing.
One way to do what you want is to use a WindowsImpersonationContext. Assuming you're using Windows Authentication:
using System.Security.Principal;

// Requires Windows Authentication so that Context.User.Identity is a WindowsIdentity
WindowsIdentity id = (WindowsIdentity)Context.User.Identity;

// impersonation is automatically undone by
// WindowsImpersonationContext.Dispose()
using (WindowsImpersonationContext wic = id.Impersonate())
{
    // log into your database, do your queries, then cleanup
}
The drawback here is that you can't just leave connections lying open for the life of the response, or longer, which is probably a good thing: you need to clean up your database code before you exit the using statement.
Note: The worker process must have rights to impersonate other users, or this won't work.
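A fuller version of this pattern, added here as an example and not code from the question or the answer: it takes the Windows identity from the request, resolves the user's AD group names, maps them to a database, and opens the SQL connection with integrated security inside the impersonation context so the connection is disposed before impersonation is reverted. The group names, the SQLHOST server name and the database names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class GroupBasedDbAccess
{
    // Assumed mapping from AD group to database; group and database names are placeholders.
    private static readonly Dictionary<string, string> DatabaseByGroup =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { @"CONTOSO\Sales", "SalesDb" }, { @"CONTOSO\Finance", "FinanceDb" } };

    // Returns the DOMAIN\Group names of the authenticated Windows user (requires Windows Authentication).
    public static List<string> GetGroupNames(WindowsIdentity id)
    {
        var names = new List<string>();
        foreach (IdentityReference group in id.Groups)
        {
            // A SID with no resolvable account (e.g. a deleted group) throws; skip it.
            try { names.Add(group.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { }
        }
        return names;
    }

    // Picks the first mapped database for the user's groups, or null if none applies.
    public static string ResolveDatabase(IEnumerable<string> groupNames)
    {
        foreach (string g in groupNames)
        {
            string db;
            if (DatabaseByGroup.TryGetValue(g, out db)) return db;
        }
        return null;
    }

    // Connects as the caller and returns the login SQL Server sees; SUSER_SNAME() confirms
    // that the impersonated user, not the worker process identity, made the connection.
    public static string DatabaseLoginFor(HttpContext context)
    {
        var id = (WindowsIdentity)context.User.Identity;
        string db = ResolveDatabase(GetGroupNames(id));
        if (db == null) throw new UnauthorizedAccessException("No database is mapped for this user's groups.");
        // The connection and command are disposed before the impersonation context is reverted.
        using (WindowsImpersonationContext wic = id.Impersonate())
        using (var conn = new SqlConnection("Server=SQLHOST;Database=" + db + ";Integrated Security=SSPI"))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

Because the connection string includes the per-user identity, pooled connections are not shared between users, so expect one pool per impersonated account.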