Question - How can I retain impersonation in a new thread created from an ASP.NET application?

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Applies to

Answer:

In .NET Framework 1.1, impersonation tokens did not automatically flow to newly created threads. This situation could lead to security vulnerabilities because new threads assume the security context of the process. In .NET Framework 2.0, the impersonation token still does not flow across threads by default, but for ASP.NET applications you can change this default behavior by configuring the ASPNET.config file in the %Windir%\Microsoft.NET\Framework\{Version Number}\ directory. If you need to flow the impersonation token to new threads, set the enabled attribute to true on the alwaysFlowImpersonationPolicy element and the enabled attribute to false on the legacyImpersonationPolicy element in the ASPNET.config file, as shown in the following example.

<configuration>
  <runtime>
    <alwaysFlowImpersonationPolicy enabled="true"/>
    <legacyImpersonationPolicy enabled="false"/>
  </runtime>
</configuration>

If you need to prevent impersonation tokens from being passed to new threads programmatically, you can use the ExecutionContext.SuppressFlow method.
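
The following C# sketch is an added example, not code from the patterns & practices library. It shows ExecutionContext.SuppressFlow wrapped around thread creation so the new thread does not receive the caller's impersonation token. The class and method names (ImpersonationFlowDemo, RunWorker) are hypothetical, and it assumes the caller is impersonating and that token flow is enabled as in the configuration above.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

public static class ImpersonationFlowDemo
{
    // Starts a worker thread and returns the account name it ran as.
    // With suppressFlow set, the caller's execution context (which carries
    // the impersonation token) is not captured for the new thread.
    public static string RunWorker(bool suppressFlow)
    {
        string workerIdentity = null;
        ThreadStart body = delegate
        {
            // GetCurrent() returns the thread token when the thread is
            // impersonating, otherwise the process token.
            using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            {
                workerIdentity = id.Name;
            }
        };

        // SuppressFlow throws InvalidOperationException if flow is already
        // suppressed, so only suppress (and later undo) when it is not.
        bool suppressHere = suppressFlow && !ExecutionContext.IsFlowSuppressed();
        AsyncFlowControl flow = default(AsyncFlowControl);
        if (suppressHere) flow = ExecutionContext.SuppressFlow();
        try
        {
            Thread worker = new Thread(body);
            worker.Start();
            worker.Join();
        }
        finally
        {
            // Undo must run on the thread that called SuppressFlow.
            if (suppressHere) flow.Undo();
        }
        return workerIdentity;
    }

    public static void Main()
    {
        Console.WriteLine("Caller:             " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Worker, flow on:    " + RunWorker(false));
        Console.WriteLine("Worker, suppressed: " + RunWorker(true));
    }
}
```

Under the stated assumptions, the suppressed worker reports the process account rather than the impersonated one. Run from a console with no impersonation in effect, all three lines show the same account.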

Attributes

  • Author: J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

  • Category: Impersonation and Delegation

  • filePath: ..\Libraries\patterns & practices Library\faq\89aaa66b-d3c3-4260-980a-ef2b9f40ea80.xml

  • Pri: 2

  • Rule Type: Implementation

  • Source: patterns & practices Library

  • Status: Release

  • Technology: ASP.NET 2.0

  • Title: Question - How can I retain impersonation in a new thread created from an ASP.NET application?

  • Topic: Security

  • Type: Question and Answer

  • ID: 89aaa66b-d3c3-4260-980a-ef2b9f40ea80