Use ImpersonationToken for IIS Windows Auth

BrennanConroy · BrennanConroy · commit c13def586191 · 2024-09-23T13:58:31.000-07:00
diff --git a/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/managedexports.cpp b/src/Servers/IIS/AspNetCoreModuleV2/InProcessRequestHandler/managedexports.cpp
@@ -513,7 +513,7 @@ http_get_authentication_information(
 )
 {
     *pstrAuthType = SysAllocString(pInProcessHandler->QueryHttpContext()->GetUser()->GetAuthenticationType());
-    *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetPrimaryToken();
+    *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();
 
     return S_OK;
 }
diff --git a/src/Servers/IIS/AspNetCoreModuleV2/OutOfProcessRequestHandler/forwardinghandler.cpp b/src/Servers/IIS/AspNetCoreModuleV2/OutOfProcessRequestHandler/forwardinghandler.cpp
@@ -815,11 +815,12 @@ FORWARDING_HANDLER::GetHeaders(
         (_wcsicmp(m_pW3Context->GetUser()->GetAuthenticationType(), L"negotiate") == 0 ||
             _wcsicmp(m_pW3Context->GetUser()->GetAuthenticationType(), L"ntlm") == 0))
     {
-        if (m_pW3Context->GetUser()->GetPrimaryToken() != NULL &&
-            m_pW3Context->GetUser()->GetPrimaryToken() != INVALID_HANDLE_VALUE)
+        HANDLE impersonationToken = m_pW3Context->GetUser()->GetImpersonationToken();
+        if (impersonationToken != NULL &&
+            impersonationToken != INVALID_HANDLE_VALUE)
         {
             HANDLE hTargetTokenHandle = NULL;
-            RETURN_IF_FAILED(pServerProcess->SetWindowsAuthToken(m_pW3Context->GetUser()->GetPrimaryToken(),
+            RETURN_IF_FAILED(pServerProcess->SetWindowsAuthToken(impersonationToken,
                 &hTargetTokenHandle));
 
             //
diff --git a/src/Servers/IIS/IIS/test/Common.FunctionalTests/Infrastructure/RequiresIISAttribute.cs b/src/Servers/IIS/IIS/test/Common.FunctionalTests/Infrastructure/RequiresIISAttribute.cs
@@ -136,7 +136,7 @@ public RequiresIISAttribute(IISCapability capabilities)
                 IsMet &= available;
                 if (!available)
                 {
-                    SkipReason += $"The machine does have {module.Capability} available.";
+                    SkipReason += $"The machine does not have {module.Capability} available.";
                 }
             }
         }
diff --git a/src/Servers/IIS/IIS/test/Common.FunctionalTests/WindowsAuthTests.cs b/src/Servers/IIS/IIS/test/Common.FunctionalTests/WindowsAuthTests.cs
@@ -2,7 +2,9 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Net;
 using System.Net.Http;
+using System.Security.Principal;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Server.IIS.FunctionalTests.Utilities;
 using Microsoft.AspNetCore.Server.IntegrationTesting;
@@ -58,4 +60,51 @@ public async Task WindowsAuthTest(TestVariant variant)
         Assert.StartsWith("Windows:", responseText);
         Assert.Contains(Environment.UserName, responseText);
     }
+
+    [ConditionalTheory]
+    [RequiresIIS(IISCapability.WindowsAuthentication)]
+    [MemberData(nameof(TestVariants))]
+    public async Task WindowsAuthWithImpersonationLevelTest(TestVariant variant)
+    {
+        var deploymentParameters = Fixture.GetBaseDeploymentParameters(variant);
+        deploymentParameters.SetAnonymousAuth(enabled: false);
+        deploymentParameters.SetWindowsAuth();
+
+        // The default in hosting sets windows auth to true.
+        var deploymentResult = await DeployAsync(deploymentParameters);
+
+        var impersonationLevels = new TokenImpersonationLevel[]
+            {
+                TokenImpersonationLevel.None,
+                TokenImpersonationLevel.Identification,
+                TokenImpersonationLevel.Impersonation,
+                TokenImpersonationLevel.Delegation,
+                TokenImpersonationLevel.Anonymous
+            };
+
+        foreach (var impersonationLevel in impersonationLevels)
+        {
+            // TokenImpersonationLevel is not supported by HttpClient so we need to use HttpWebRequest to test it.
+#pragma warning disable SYSLIB0014 // Type or member is obsolete
+            var request = HttpWebRequest.CreateHttp($"{deploymentResult.HttpClient.BaseAddress}Auth");
+#pragma warning restore SYSLIB0014 // Type or member is obsolete
+            request.ImpersonationLevel = impersonationLevel;
+            request.Method = "GET";
+            request.UseDefaultCredentials = true;
+
+            using var response = request.GetResponse();
+            using var reader = new StreamReader(response.GetResponseStream());
+            var responseText = await reader.ReadToEndAsync();
+
+            try
+            {
+                Assert.StartsWith("Windows:", responseText);
+                Assert.Contains(Environment.UserName, responseText);
+            }
+            catch (Exception ex)
+            {
+                Assert.Fail($"'TokenImpersonationLevel.{impersonationLevel}' failed with: {ex.Message}");
+            }
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -513,7 +513,7 @@ http_get_authentication_information(`
`513`	`513`	`)`
`514`	`514`	`{`
`515`	`515`	`*pstrAuthType = SysAllocString(pInProcessHandler->QueryHttpContext()->GetUser()->GetAuthenticationType());`
`516`		`- *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetPrimaryToken();`
	`516`	`+ *pvToken = pInProcessHandler->QueryHttpContext()->GetUser()->GetImpersonationToken();`
`517`	`517`
`518`	`518`	`return S_OK;`
`519`	`519`	`}`
Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ public RequiresIISAttribute(IISCapability capabilities)`
`136`	`136`	`IsMet &= available;`
`137`	`137`	`if (!available)`
`138`	`138`	`{`
`139`		`- SkipReason += $"The machine does have {module.Capability} available.";`
	`139`	`+ SkipReason += $"The machine does not have {module.Capability} available.";`
`140`	`140`	`}`
`141`	`141`	`}`
`142`	`142`	`}`