Windows identity flow weird behavior using ASP.NET + Task + Windows Authentication + Impersonation

  • Question

  • Hi,

    I have a simple ASP.NET application that runs under the LocalSystem account for its application pool with a single page (Default.aspx). Windows Authentication and ASP.NET Impersonation are enabled. Here is the code I run in the Page_Load event:

    protected void Page_Load(object sender, EventArgs e)
    {
        this._windowsIdentityName.Text = WindowsIdentity.GetCurrent().Name;
        this._windowsIdentityAuthenticationType.Text = WindowsIdentity.GetCurrent().AuthenticationType;
        this._executionContextFlowSuppressed.Text = ExecutionContext.IsFlowSuppressed().ToString();
        this._securityContextFlowSuppressed.Text = SecurityContext.IsFlowSuppressed().ToString();
        this._securityContextWindowsIdentityFlowSuppressed.Text = SecurityContext.IsWindowsIdentityFlowSuppressed().ToString();
    
        var t = Task.Factory.StartNew(() => 
        {
            //using (WindowsIdentity.Impersonate(IntPtr.Zero))
            //{
                this._windowsIdentityNameTask.Text = WindowsIdentity.GetCurrent().Name;
                this._windowsIdentityAuthenticationTypeTask.Text = WindowsIdentity.GetCurrent().AuthenticationType;
                this._executionContextFlowSuppressedTask.Text = ExecutionContext.IsFlowSuppressed().ToString();
                this._securityContextFlowSuppressedTask.Text = SecurityContext.IsFlowSuppressed().ToString();
                this._securityContextWindowsIdentityFlowSuppressedTask.Text = SecurityContext.IsWindowsIdentityFlowSuppressed().ToString();
            //}
        });
    
        t.Wait();
    }


    And here is the output I get when I refresh the page:

    | Name | Outside Task | Inside Task |
    | --- | --- | --- |
    | WindowsIdentity.GetCurrent().Name | DOMAIN\user | NT AUTHORITY\SYSTEM |
    | WindowsIdentity.GetCurrent().AuthenticationType | Kerberos | Negotiate |
    | ExecutionContext.IsFlowSuppressed() | False | False |
    | SecurityContext.IsFlowSuppressed() | False | False |
    | SecurityContext.IsWindowsIdentityFlowSuppressed() | True | True |

    | Name | Outside Task | Inside Task |
    | --- | --- | --- |
    | WindowsIdentity.GetCurrent().Name | DOMAIN\user | DOMAIN\user |
    | WindowsIdentity.GetCurrent().AuthenticationType | Kerberos | Kerberos |
    | ExecutionContext.IsFlowSuppressed() | False | False |
    | SecurityContext.IsFlowSuppressed() | False | False |
    | SecurityContext.IsWindowsIdentityFlowSuppressed() | True | True |

    Sometimes I get the NT AUTHORITY\SYSTEM user inside the task and sometimes I get my domain user which is impersonated.

    Also, if I uncomment the Impersonate call with IntPtr.Zero, I ALWAYS get the NT AUTHORITY\SYSTEM user.

    I also tried to combine legacyImpersonationPolicy and alwaysFlowImpersonationPolicy but it doesn't seem to have any effect on the code.

    I want to know why the Windows identity sometimes flows, as I do NOT want it to flow. And is it a good practice to impersonate as the IntPtr.Zero user?

    Thanks.




    Wednesday, October 17, 2012 9:10 PM

Answers

  • Hi Marc-Andre-

    Task.Wait() has the potential to "inline" the task if another thread hasn't yet started running it.  In other words, rather than blocking this thread and waiting for some other thread to come along and process the queued task, the Wait() method may look to see if the target task is still queued, and if it is, run it there and then rather than relying on someone else to do it.  If that happens, it'll be running on the current thread; otherwise, it'll be running on a different thread.

    As such, what you're seeing is likely not about whether identity flows or not, but whether you're seeing the identity on the current thread or an identity on a different thread.

    Wednesday, November 14, 2012 8:24 PM
    Moderator
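
Added example, not part of the original thread: a console program (class and method names are hypothetical) that counts how often a task body runs on the thread that calls Wait(), which is the inlining the answer describes. An impersonation token is attached to a thread, so an inlined body sees the caller's impersonated identity while a body that runs on a pool thread does not.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Added example: measures Task.Wait() inlining by comparing thread IDs.
static class WaitInliningDemo
{
    // Starts 'iterations' tasks, waits for each with the supplied strategy,
    // and returns how many task bodies executed on the waiting thread.
    static int CountInlined(int iterations, Action<Task> wait)
    {
        int inlined = 0;
        int caller = Thread.CurrentThread.ManagedThreadId;
        for (int i = 0; i < iterations; i++)
        {
            int ranOn = -1;
            Task t = Task.Factory.StartNew(() =>
            {
                // Records which thread actually ran the body.
                ranOn = Thread.CurrentThread.ManagedThreadId;
            });
            wait(t);
            if (ranOn == caller) inlined++;
        }
        return inlined;
    }

    static void Main()
    {
        const int N = 10000;

        // Task.Wait() may run a still-queued task on the calling thread.
        int viaWait = CountInlined(N, t => t.Wait());

        // Blocking on the wait handle only waits; it never runs the task here.
        int viaHandle = CountInlined(
            N, t => ((IAsyncResult)t).AsyncWaitHandle.WaitOne());

        Console.WriteLine("Identity on calling thread: "
            + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Inlined with Wait():    {0} of {1}", viaWait, N);
        Console.WriteLine("Inlined with WaitOne(): {0} of {1}", viaHandle, N);
    }
}
```

The Wait() count varies from run to run; only the WaitOne() count is expected to be zero.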