iisnode
iisnode copied to clipboard
tjanczuk
Authentication in C# code hosted in iisnode/Node.js/Edge.js
I want to use a node.js application hosted in IIS (with IISNode) with the Edge.js module used to interact with some existing C# code. At this point everything is alright!
But when I check the current identity in this C# code is not the right one; it’s always the Application Pool identity whereas I expected to have the current logged user identity.
And in my context, it’s not possible to use basic authentication or to ask the credentials to the user. In fact I need to work with the windows authentication and/or the user impersonation.
Tomasz confirmed to me that it's not possible to automatically impersonate the user authenticated by IIS within the C# code embedded in a Node.js application via Edge.js running in iisnode. But it's possible to manually flow the identity of that user to the code.
So to flow the identity of the user authenticated in the IIS pipeline all the way to C# code hosted in iisnode/Node.js/Edge.js, I followed the below steps:
- Promote the AUTH_USER and AUTH_TYPE IIS variables using iisnode's configuration file: https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/iisnode.yml#L139-L144
- Extract these values on a per-request basis from the HTTP request headers
x-iisnode-AUTH_USERandx-issnode-AUTH_TYPE, respectively. - Explicitly pass them into the C# code when making a call using Edge.js.
OK so now I have the right information in my C# code! So next step for me was to change the current windows identity of the process.
I use the following code:
// set up domain context PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
// find the user, iisAuthUser is the user received from Node UserPrincipal iisuser = UserPrincipal.FindByIdentity(ctx, iisAuthUser);
// Create a new windows identity with this user to impersonate it WindowsIdentity windowsIdentity = new WindowsIdentity(iisuser.UserPrincipalName); using (WindowsImpersonationContext wic = windowsIdentity.Impersonate()) { // method call to process request, under impersonation }
In the above using section, the user seems to be the right one however I still have a problem. It’s like the access token was not the right one…
Is there a way to validate the token of this impersonate identity? Or maybe get the token from information sent by Node to create a WindowsIdentity with this token rather than with the UPN?
Thanks in advance.
Find below the current configuration I used: My computer is a Windows 8.1 64 bits IISnode 64 bits v0.2.18 node.exe 32 bits 4.3.0 (32 bits because my C# application is in 32 bits too).
Node application in IIS has the following authentication flags:
- Anonymous Authentication: Disabled
- Basic Authentication: Disabled
- Windows Authentication: Enabled
- Forms Authentication: Disabled
- ASP.NET Impersonation: Enabled
Related application pool:
- V4.0 Integrated with LocalSystem as identity with Enable 32 bits application flag enabled
For information after impersonating the user, I'm trying to open a named pipe between my computer and a server. The opening fails, the returned handle is invalid and the error is "Access Denied". Like this is not the right user...
@Kahuna64 the mechanism I outlined allows you to understand what the identity of the caller is, but you cannot impersonate that identity for downstream calls.
@tjanczuk, what do you mean by "you can not impersonate"?
I need to enable impersonate for a specific http request... I cannot do it using iisnode?
I have a stackoverfolow questions open : https://stackoverflow.com/questions/70499908/run-impersonate-in-iisnode
Please help me , I already spent 2 days on it and I 'm stuck!
