Privilege Elevation in an MVC3 web application with Windows authentication
I have a requirement to implement user privilege elevation in an MVC3 web app, for both Forms and Windows authentication, but this question is critical for Windows auth. This is for a higher privileged user to give assistance to a lower privileged user, e.g. when a clerical user is performing a task and requires an admin user to do a task before the clerical user can continue, the admin user should be able to elevate the same session to their privilege level, perform the admin task, and restore the lower privilege to the session. I don't see a way here without the clerical user logging off and the admin user logging on, given that we want to achieve this on the desktop of the clerical user alone. Maybe user switching is tidier than a whole new session, but I would very much like a "run as" equivalent for Windows authenticated web apps.

Is this even possible, and if so, how can I achieve this? I have no idea where to even begin looking.

Exscind answered 26/5, 2012 at 9:41
You could put an anchor somewhere on your site:

@Html.ActionLink("elevate to admin", "SwitchToAdmin", "Home")

and then have a controller action which will allow for inputting the administrator credentials:

public ActionResult SwitchToAdmin()
{
    // TODO: Adjust the role name that your administrators will have
    if (!User.IsInRole(@"DOMAIN\Administrators"))
    {
        // The user is not currently an admin => popup a Logon box
        // so that the administrator could authenticate himself
        return new HttpUnauthorizedResult();
    }
    else
    {
        // After inputting the correct username and password for the
        // admin, we can now redirect to the home action and start performing
        // the admin tasks
        return RedirectToAction("index", "home");
    }
}

The revert process will be the inverse. You could have a link which will call a controller action that will throw 401 if the user is an admin allowing for the normal user to enter his username and password.

Amphibolous answered 29/6, 2012 at 8:46

Wizardry: It's my understanding that Windows authentication uses the currently logged-in user and does not prompt for credentials. At least in my MVC apps that is how it works. Is there some way to make it work like you have written? It would be helpful for testing some of my apps.

Amphibolous: When you return a 401 status code, the browser will prompt for credentials, allowing you to switch the currently connected user. Of course you have no control over the log-on box that will pop up, because it is browser dependent.

Wizardry: It's not working for me, I don't get any prompt. I'm going to research that some more, but I wanted to add that I don't think this will work for the OP's problem, because they use Forms and Windows authentication and the Forms authentication part might take over the 401s, according to this page: weblogs.asp.net/jgalloway/archive/2011/04/28/…
Allow the "power user" to temporarily set a specific role for other users and, for example, also set an expiration of the role with a DateTime.

Ansela answered 26/5, 2012 at 9:48

Exscind: With reference to this answer, how can I give the power user access, on the same machine, without requiring the normal user to log off?

Gamophyllous: You might mitigate the risk of Admin Adam giving user Bob the admin role, then Bob giving Sally the admin role, by locking the admin table while Bob is temporarily promoted.

Exscind: @Gamophyllous Thanks, but how does Adam get access to promote Bob, on Bob's machine? That is the crux of my question.
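As an added illustration of this answer's temporary-role idea and the delegation-chain concern raised in the comments (example code, not from anyone in the thread): a small C# store whose grants carry an expiry and can only be issued by someone who holds the role permanently. `TemporaryRoleStore`, the one-hour cap and the injected clock are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// One time-boxed grant (constructed example; field names are assumptions).
public sealed class TemporaryRoleGrant
{
    public string User;
    public string Role;
    public string GrantedBy;     // kept for the audit trail
    public DateTime ExpiresAt;
}

public sealed class TemporaryRoleStore
{
    private static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(1);   // assumed cap
    private readonly List<TemporaryRoleGrant> _grants = new List<TemporaryRoleGrant>();
    private readonly Func<DateTime> _now;   // injected clock so expiry is testable

    public TemporaryRoleStore(Func<DateTime> clock) { _now = clock; }

    // Only a principal that holds the role *permanently* (Windows group or Forms role)
    // may delegate it. A user who merely holds a temporary grant is not IsInRole, so
    // the "Adam promotes Bob, Bob promotes Sally" chain is cut at Bob.
    public TemporaryRoleGrant Grant(IPrincipal grantor, string user, string role, TimeSpan lifetime)
    {
        if (!grantor.IsInRole(role))
            throw new UnauthorizedAccessException(grantor.Identity.Name + " cannot delegate " + role);
        if (lifetime <= TimeSpan.Zero || lifetime > MaxLifetime)
            throw new ArgumentOutOfRangeException("lifetime", "grant must be between 0 and " + MaxLifetime);
        var grant = new TemporaryRoleGrant { User = user, Role = role,
                                             GrantedBy = grantor.Identity.Name, ExpiresAt = _now() + lifetime };
        _grants.Add(grant);
        return grant;
    }

    // Expired grants are ignored, so a forgotten revoke still closes the window.
    public bool HasTemporaryRole(string user, string role)
    {
        DateTime now = _now();
        return _grants.Any(g => g.User == user && g.Role == role && g.ExpiresAt > now);
    }

    // The explicit "restore the lower privilege" step from the question.
    public int Revoke(string user, string role)
    {
        return _grants.RemoveAll(g => g.User == user && g.Role == role);
    }

    // Authorization check: permanent membership from the principal, temporary from this store.
    public bool IsAuthorized(IPrincipal user, string role)
    {
        return user.IsInRole(role) || HasTemporaryRole(user.Identity.Name, role);
    }
}
```

In an MVC3 app the store would back a custom `AuthorizeAttribute` that calls `IsAuthorized` instead of `User.IsInRole` alone; the grant itself still has to be issued from a request authenticated as the admin, which is the part this answer's comments leave open.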
In order to use Windows authentication to do this I think you will need:

  • The run as command
  • A shortcut on the user's desktop to start the other logon
  • Either a batch script to prompt for the user's logon information or a separate desktop program to gather the information (the shortcut points to whichever of these you choose)
  • Once the information for the run as command line is ready, you could either start a browser or perhaps a custom program with an embedded browser.

An advantage of the program with embedded browser approach is that it can have extra security precautions such as forcibly closing itself after a timeout.

Anyway that's one possible solution. You might also try to come up with a less complicated way to solve the business need. Perhaps a remote desktop session for the admin?

Wizardry answered 27/6, 2012 at 13:58

Exscind: Wow, thanks @Austin, I appreciate your input; this is your grandad's trivial requirement, but I hope you are correct that I may find a simpler solution than an embedded browser or remote session. Shiver me timbers.
The equivalent of the run as command is using user impersonation, that is, running the commands that require higher privileges as another user. It should work as follows:

1) The user tries to access privileged resources. The web app detects this either because it has a kind of table of all tasks requiring higher privileges, or by intercepting the security exception it gets when trying to perform the operation.
2) When this is detected you throw a "RequiresPrivilegesElevationException" (an exception you have to define). This exception is caught by the controller, which now knows it must prompt the user for higher privileges.
3) The controller prompts the user for the admin (or higher-privileged user's) password.
4) When the user sends the credentials (via HTTPS), the credentials are used to create an impersonation context, and all operations are done within this impersonation context.

The drawback of this approach is that the credentials and the privilege elevation last for just one trip to the server... for any other request the user is forced to re-insert the credentials. THERE IS NO SAFE WAY TO AVOID THIS due to browser security limitations.

Compilation answered 30/6, 2012 at 8:52

Wizardry: Nice thinking, user impersonation is an interesting approach. Another drawback with it though is that then you are gathering their credentials at an app level rather than having the system handle it for you.

Compilation: There are not too many options: either the user already has the privilege and just needs to confirm he wants to use it, or he needs to furnish credentials. In the second case the authorization ticket may be created either on the client or on the server. 3 logical options! Case 1 is easy to handle: just do the same as I already explained in my answer without requiring new credentials, but just a confirmation (HTTPS to avoid fake confirmations). Creating the ticket on the client substantially requires impersonation to be done on the client and requires some further software added to the browser.
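An added C# sketch of the impersonation flow this answer describes (example code, not the answerer's own): the exception the data layer throws, and a helper that logs the admin on with the submitted credentials through the Win32 `LogonUser` API, runs a single operation under `WindowsIdentity.Impersonate()`, and drops the identity and token before returning. It assumes .NET Framework on Windows (System.Security.Principal, advapi32); `RequiresPrivilegesElevationException` is the name the answer proposes and `Elevation.RunAs` is a hypothetical helper name.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Thrown by the task/data layer when an operation needs more privilege than the
// caller holds (step 2 of the answer); the controller catches it and renders the prompt.
public class RequiresPrivilegesElevationException : Exception
{
    public RequiresPrivilegesElevationException(string operation)
        : base("Elevation required for: " + operation) { }
}

public static class Elevation   // hypothetical helper, not part of the framework
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr handle);

    // Step 4: run exactly one unit of work as the admin, then revert. Nothing is
    // cached, so the elevation really does last for this request only, as the
    // answer states; a failed logon surfaces as Win32Exception for the prompt to show.
    public static T RunAs<T>(string domain, string user, string password, Func<T> privilegedWork)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so the original can be closed afterwards.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                return privilegedWork();   // Dispose() calls Undo(), even if the work throws
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

The controller wraps the privileged call in `try { ... } catch (RequiresPrivilegesElevationException) { return View("ElevationPrompt"); }` and, on the HTTPS POST carrying the admin credentials, calls `Elevation.RunAs(domain, user, password, () => DoPrivilegedTask(id))`; the password is used once and never stored.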
