WindowsIdentity.Impersonate in ASP.NET randomly "Invalid token for impersonation - it cannot be duplicated"

I have an ASP.NET application that requires users to log in with their domain accounts using basic authentication. The user makes a choice and then presses a button.

Somewhere after the button click, this code runs: WindowsIdentity.Impersonate(userIdentity.Token). userIdentity is of type WindowsIdentity, and it was previously set to (WindowsIdentity) User.Identity.

userIdentity is saved as a session variable, I think because, after the button is clicked, the page containing this code is called via AJAX.

When I click the button, it works about 2/3 of the time, but 1/3 of the time I get this exception: Invalid token for impersonation - it cannot be duplicated. I think the biggest head-scratcher for me is why it works sometimes but not other times. In some sessions it works several times before crashing. Other times it doesn't work right away.

Here's the stack trace:

at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)
at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)
at System.Security.Principal.WindowsIdentity.Impersonate(IntPtr userToken)
at Resource_Booker.BLL.ReservationAgent.SubmitReservationRequest(reservation reservation, patron patron) in C:\dev\RoomRes\Resource Booker\BLL\ReservationAgent.cs:line 101
at Resource_Booker.Reserve.reserve_Click(Object sender, EventArgs e) in C:\dev\RoomRes\Resource Booker\Reserve.aspx.cs:line 474
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Here's a confounding factor: I can't reproduce this problem on my local Windows 7 x64 workstation (although my authentication is passed implicitly there, since I use localhost), nor in the 32-bit IIS 6.0 environment on Windows 2003. It only happens on a fairly vanilla Windows 2008 R2 environment. All of these environments are members of a domain.

+7
2 answers

Basically, what you are seeing is not a security issue: the logon session is cached by IIS for the lifetime of the TCP connection, but HTTP sometimes closes the TCP connection, requiring re-authentication. This happens seamlessly (it is handled by the browser), but it invalidates the token, since the logon session is destroyed when the TCP connection is closed.

i.e., in @usr's favour, it only works sometimes because the logon session is the same as the token, i.e. the token stored in the session only works while it is still the same live token as User.Identity. This is not a way to avoid security checks; it is an implementation detail of the security checks.

You should not save the identity in the session - this is unnecessary, as this is an authenticated connection.

Just use (WindowsIdentity)User.Identity every time and your problem should go away.

+10
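The broken pattern from the question beside the fix the answer recommends, as an added example that is not code from the question, the answer or the Resource Booker project. The page class, control names and the SubmitReservationRequest body are hypothetical; what it demonstrates is that a WindowsIdentity cached in Session wraps a token handle tied to one authenticated connection, while User.Identity on the current request is always live.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical page illustrating both patterns (added example, not the project's code).
public partial class Reserve : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // BROKEN: caching the identity. The token handle inside it belongs to the
            // logon session of the connection that authenticated this request. When the
            // browser later opens a new connection (e.g. for the AJAX postback) that
            // logon session is gone and the handle no longer refers to a valid token.
            Session["userIdentity"] = (WindowsIdentity)User.Identity;
        }
    }

    // BROKEN handler: intermittently throws
    // "Invalid token for impersonation - it cannot be duplicated".
    protected void reserve_Click_Broken(object sender, EventArgs e)
    {
        var cached = (WindowsIdentity)Session["userIdentity"];
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(cached.Token))
        {
            SubmitReservationRequest(cached);
        }
    }

    // FIXED handler: take the identity from the current request every time.
    protected void reserve_Click(object sender, EventArgs e)
    {
        var current = User.Identity as WindowsIdentity;
        if (current == null || !current.IsAuthenticated)
        {
            // Anonymous or non-Windows principal: refuse rather than impersonate nothing.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Impersonate only for the duration of the privileged call. The using block
        // calls Undo() on exit, including when SubmitReservationRequest throws, so the
        // thread never keeps running as the user after the work is done.
        using (WindowsImpersonationContext ctx = current.Impersonate())
        {
            SubmitReservationRequest(current);
        }
    }

    // Hypothetical back-end call. The check at the top is the one a practitioner
    // wants: confirm the thread really runs as the caller, not the app-pool account.
    private void SubmitReservationRequest(WindowsIdentity caller)
    {
        string effective = WindowsIdentity.GetCurrent().Name;
        if (!string.Equals(effective, caller.Name, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "Impersonation did not take effect; running as " + effective);
        }
        // ... access the resource (file share, integrated-auth SQL, etc.) as the user ...
    }
}
```

Two caveats that follow from the same mechanism: a WindowsIdentity is a wrapper around an unmanaged handle, so it cannot be meaningfully round-tripped through out-of-process session state either; and the token basic authentication hands you is an impersonation-level token, good for resources on the web server itself, so reaching a second machine as the user needs Kerberos delegation rather than a longer-lived copy of the token.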

Can you share some POCs on this issue? Actually, I am facing the same problem using a session token to impersonate.

0
