CodeSnip: Impersonation in ThreadPool Worker Threads: ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
CodeSnip: Impersonation in ThreadPool Worker Threads

page 1 of 3

Published: 17 Mar 2005

Unedited - Community Contributed

Abstract
This article provides step-by-step directions to enable ThreadPool worker threads to act under the same identity that the main thread does when ASP.NET identity impersonation is being used.

by J. Ambrose Little
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 31516/ 48

Article Contents:

Setting Up Impersonation

This article mainly applies to situations where you are using ASP.NET's built-in identity impersonation feature (without integrated authentication). By default, ASP.NET will run under the ASPNET account identity. There are several ways to change this, but perhaps the easiest and most secure is to change the identity of the virtual directory by going to the IIS manager, right-clicking on the applicable virtual directory or site, choosing Properties, clicking on the Directory Security tab, and then choosing Edit. This will bring up a dialog that will let you control the "anonymous" user for that site or virtual directory.

Ensure that Anonymous access is checked and then choose the account identity you want the application to run under. By default, this will be IUSR_MACHINENAME, but you can create and use any account for this purpose. For this article, we'll leave the default, but if you do change the identity to an account you created, be sure it has all of the appropriate permissions. In IIS 6.0 (Windows Server 2003), it's a simple matter of adding the account to the IIS_WPG group, but it is a little more complex for IIS 5.x (Windows XP/2000). For more information on this, see this KB article.

So, once you've configured the identity you want, you can close out of IIS manager. The next thing you need to do is add the following element under the system.web element in your application's web.config (or you can do this in machine.config to configure impersonation for all applications, as some hosters do).

<identity impersonate="true" />

That should be it, your application should now run under the identity you configured in the first step for the virtual directory or site. In our case, the application is now running under IUSR_MACHINENAME.

View Entire Article

(Page 2) »

User Comments

Title: didn't work
Name: Aisha
Date: 2009-07-21 12:35:25 PM
Comment:
Thanks for the tutorial.
I tried both way. First i did myself and second used your cs file. I didn't get any error about Impersonate() but my user didn't change it remain IUSR even after Impersonate() so i couldn't reach my file..
I use identity impersonate=true in my config file..
Using .net 2005 c#
Any idea?

Title: Director
Name: H Malhotra
Date: 2006-08-17 4:52:50 PM
Comment:
Fixed our production issue.

Thanks

Title: Sweet
Name: Matt
Date: 2006-08-09 12:55:07 PM
Comment:
Thanks for this. It's amazing how simple this code is but yet so complicated to find on the internet!

Title: The Answer To My Problem
Name: Jeff
Date: 2006-05-25 11:13:47 AM
Comment:
This was the exact answer that I needed. It looks like .NET 2.0 offers us the HostingEnvironment class to work with, but our application isn't there yet.
Thanks!

Title: Problem inside a thread
Name: Jack Freudenheim
Date: 2006-03-01 3:56:31 PM
Comment:
I can get your example to work perfectly when I do it from within an aspx page, but when I tried doing the impersonation from within a thread like this:

Thread thread = new Thread( new ThreadStart(myThread.Run));
thread.Start();

I get a security exception, "Unable to impersonate user".

Any ideas? I'm stuck and getting this to work would save me!

Title: Yer Welcome
Name: J. Ambrose Little
Date: 2006-02-22 10:53:07 AM
Comment:
I'm glad I could help, Nois.

Title: Excellent.
Name: Deepak
Date: 2006-02-16 10:01:06 AM
Comment:
Its really excellent article.I was really searching for this for 7-8 days but was not able to locate proper code.This article was really helpful and solved my acute problem.

Title: Good Idea
Name: Ambrose
Date: 2005-03-23 1:30:36 PM
Comment:
Stefan,

Sounds like a great idea for an article (hint hint). Did you do any benchmarks to see how much running in separate contexts affected speed? I imagine it wouldn't be noticeable under most circumstances, and if it were asynchronous, it wouldn't matter at all really.

Title: Nice
Name: Stefan
Date: 2005-03-23 12:57:31 PM
Comment:
Very nice. I did something similar with a RemoteProxy and a custom attribute, so you would have something like

[Impersonate]
private void DoSomething(object blah)
{
...
}

The proxy would then wrap the DoSomething call with the impersonation calls (Impersonate -> DoSomething -> Undo). Like this the app developer does not really need to know how to do the impersonation (simply tag the method that needs impersonation and you are done).

Product Spotlight