With IIS with Windows authentication on domain, can I start a process as the domain user who initiated request to IIS?

Question

Let's say I'm on a domain (paddyspub.com) and user dennisreynolds@paddyspub.com calls a web service that is configured in IIS to use NTLM / windows authentication. Is there a way for me to start a process on the web server as dennisreynolds@paddyspub.com from the method in web service that was called?

Answer 1

Take a look at ASP.NET Impersonation:

When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.

ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).

When impersonation is enabled, only your application code runs under the context of the impersonated user. Applications are compiled and configuration information is loaded using the identity of the ASP.NET process. For more information, see Configuring ASP.NET Process Identity. The compiled application is put in the Temporary ASP.NET files directory. The application identity that is being impersonated needs to have read/write access to this directory. The impersonated application identity also requires at least read access to the files in your application directory and subdirectories. For more information, see ASP.NET Required Access Control Lists (ACLs).