Home/ Questions/Q 549291
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T11:10:08+00:00

I have a web application using Kerberos to access an external resource useing ASP.NET

  • 0

I have a web application using Kerberos to access an external resource useing ASP.NET 3.5 and IIS.

When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user using delegation. This was not easy to do. It is nice, but I’ve a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the addition rights I need. How can I remove the user’s Kerberos identification and connect with Kerberos using the service account running the application pool?

UPDATE

I’m not sure why I am getting no responses at all. I’ve never seen that before. Please post questions, they may clarify the problem (to me too).

Woring in Kerberos and need an overview of delegation? Read the first part of this answer: https://stackoverflow.com/a/19103747/215752.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have a class:

    public class ProcessIdentityScope : IDisposable
{
    private System.Security.Principal.WindowsImpersonationContext _impersonationContext;
    private bool _disposed;

    public ProcessIdentityScope()
    {
        _impersonationContext = System.Security.Principal.WindowsIdentity.Impersonate(IntPtr.Zero);
    }

    #region IDisposable Members

    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);
    }

    protected virtual void Dispose(bool disposing)
    {
        if (!_disposed)
        {
            _impersonationContext.Undo();
            _impersonationContext.Dispose();
            _disposed = true;
        }
        else
            throw new ObjectDisposedException("ProcessIdentityScope");
    }

    #endregion
}

    And I use it like so:

    using(ProcessIdentityScope identityScope = new ProcessIdentityScope())
{
    // Any code in here runs under the Process Identity.
}

    This code is based on this MSDN article: http://msdn.microsoft.com/en-us/library/ms998351.aspx

    • 0