Hi all,

I am developing a module to access our CRM corporate database (custom). Right now the front end for this database is MS Access but we are trying to get rid of it and make the front-end web-based, so we decided to use the framework provided by DNN to access our data (this data is on a different SQL database, not into the DotNetNuke database, and has its own user permissions, views, SPs, and so on). I have set DNN to use Windows Authentication, but it seems that after the initial automatic logon (provided by admin/Security/WindowsSignin.aspx) the rest of the navigation uses Form Authentication. I want, however, DNN to be able to impersonate the user currently browsing the site. Somewhere in our code, just before running our database queries we need to something like the example shown in: http://support.microsoft.com/kb/306158/en-us

Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity

currentWindowsIdentity = CType(HttpContext.Current.User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

'Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo()

This throws an exception since at runtime HttpContext.Current.User.Identity is a FormsIdentity object and it cannot be converted into a WindowsIdentity object. Is this WindowsIdentity object supposedly created by WindowsSignin.aspx stored somewhere that can be accessible afterwards? Any way to re-create a WindowsIdentity based on the FormsIdentity (which is in fact created after the windows authentication is done).

Summing up, is there any way to temporarily impersonate to the current user, so that we can execute custom queries to our database (with its own permissions) on behalf of this user and then go back to IWAM_MACHINE account to run the rest of the DNN code?

Thanks to everyone in advance.

Mike: Thanks for your suggestion but that was the obvious thing that we tried first:

When you disable Forms authentication in web.config and set it to Windows auth (and impersonate=true), the automatic creation of user acounts in DNN does not work anymore, even though the users are authenticated correctly in IIS and in our SQL database, DNN is not aware of them. Besides, we don't want the whole portal to require the users to exist in Active Directory, we just want this module to connect to our database IF the user has the rights to do it, but leave the rest of the portal untouched (using its default settings where possible). More side effects are that we cannot either log-in with admin nor host accounts, we need to set web.config again back to Forms auth, whenever we need to login with those accounts (to make an update to any module, etc.).

Even though it migth the simple solution at first sight, we'd rather be able to do the impersonation at runtime whenever we need to access our database. If we achieve this now, this solution will give us less headaches afterwards.

Any other idea? Thanks again and regards.