Question

I have a requirement to implement user privilege elevation in an MVC3 web app, for both Forms and Windows authentication, but this question is critical for Windows auth. This is for a higher privileged user to give assistance to a lower privileged user, e.g. when a clerical user is performing a task and requires an admin user to do a task before the clerical user can continue, the admin user should be able to elevate the same session to their privilege level, perform the admin task, and restore the lower privilege to the session. I don't see a way here without the clerical user logging off and the admin user logging on, given that we want to achieve this on the desktop of the clerical user alone. Maybe user switching is tidier than a whole new session, but I would very much like a "run as" equivalent for Windows authenticated web apps.

Is this even possible, and if so, how can I achieve this? I have no idea where to even begin looking.


Solution

You could put an anchor somewhere on your site:

@Html.ActionLink("elevate to admin", "SwitchToAdmin", "Home")

and then have a controller action which will allow for inputting the administrator credentials:

using System.Web.Mvc;

// Controller referenced by the "Home" argument of the ActionLink above
public class HomeController : Controller
{
    public ActionResult SwitchToAdmin()
    {
        // TODO: Adjust the role name that your administrators will have
        if (!User.IsInRole(@"DOMAIN\Administrators"))
        {
            // The user is not currently an admin => return 401 so the browser
            // pops up a logon box and the administrator can authenticate
            return new HttpUnauthorizedResult();
        }
        else
        {
            // After inputting the correct username and password for the
            // admin, we can now redirect to the home action and start performing
            // the admin tasks
            return RedirectToAction("index", "home");
        }
    }
}

The revert process will be the inverse. You could have a link which will call a controller action that will throw 401 if the user is an admin allowing for the normal user to enter his username and password.
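The elevate/revert pair described in this answer, written out as an added example (not the answer's own code). It assumes a hypothetical `ElevationController`, a hypothetical `ElevatedRoleName` group, and that IIS is configured for Windows authentication with anonymous access disabled, so that a 401 makes the browser prompt for credentials. The trace calls are there so that every elevation and revert is attributable to a Windows account and a workstation address.

```csharp
using System;
using System.Diagnostics;
using System.Web.Mvc;

namespace ElevationDemo.Controllers
{
    // Hypothetical controller implementing the "401 to re-prompt" pattern from
    // the answer above. Both actions rely on IIS Windows authentication: a 401
    // response makes the browser ask for (possibly different) credentials.
    public class ElevationController : Controller
    {
        // Adjust to the group that is allowed to perform the admin task.
        private const string ElevatedRoleName = @"DOMAIN\Administrators";

        // GET /Elevation/Elevate  (target of the "elevate to admin" link)
        public ActionResult Elevate()
        {
            if (!User.IsInRole(ElevatedRoleName))
            {
                // Still the clerical user: force a fresh Windows logon prompt.
                return new HttpUnauthorizedResult();
            }

            // The request now carries admin credentials. Record who elevated,
            // from where and when, so the admin task is traceable afterwards.
            Trace.TraceInformation("Elevated: user={0} from={1} at={2:o}",
                User.Identity.Name, Request.UserHostAddress, DateTime.UtcNow);

            return RedirectToAction("Index", "Home");
        }

        // GET /Elevation/Revert  (target of the "back to my account" link)
        public ActionResult Revert()
        {
            if (User.IsInRole(ElevatedRoleName))
            {
                // Still the admin: force a logon prompt so the clerical user
                // can enter their own credentials again.
                return new HttpUnauthorizedResult();
            }

            Trace.TraceInformation("Reverted: user={0} from={1} at={2:o}",
                User.Identity.Name, Request.UserHostAddress, DateTime.UtcNow);

            return RedirectToAction("Index", "Home");
        }
    }
}
```

Two points to keep in mind with this design. The application never sees the admin password; the browser holds the credentials and sends them with every subsequent request, so the admin must actually click the revert link before handing the desktop back, and the admin-only actions should still be protected with `[Authorize(Roles = ...)]` rather than relying on the elevation link alone. Also, browsers cache Windows credentials per site, so whether a second 401 really re-prompts depends on the browser and its intranet-zone settings; test the elevate and revert round trip in each browser you deploy to.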

OTHER TIPS

Allow the "power user" to temporarily set a specific role for other users and, for example, also set an expiration of the role with a DateTime.

In order to use Windows authentication to do this I think you will need:

  • The run as command
  • A shortcut on the user's desktop to start the other logon
  • Either a batch script to prompt for the user's logon information or a separate desktop program to gather the information (the shortcut points to whichever of these you choose)
  • Once the information for the run as command line is ready you could either start a browser or perhaps a custom program with an embedded browser.

An advantage of the program with embedded browser approach is that it can have extra security precautions such as forcibly closing itself after a timeout.

Anyway that's one possible solution. You might also try to come up with a less complicated way to solve the business need. Perhaps a remote desktop session for the admin?

The equivalent of the run as command is using user impersonation, that is, running the commands that require higher privileges as another user. It should work as follows:

1) The user tries to access privileged resources. The web app detects this either because it has a kind of table of all tasks requiring higher privileges, or by intercepting the security exception it gets when trying to perform the operation.
2) When this is detected you throw a "RequiresPrivilegesElevationException" (an exception you have to define). This exception is caught by the controller, which now knows it must prompt the user for higher privileges.
3) The controller prompts the user for the admin (or higher privileged user) password.
4) When the user sends the credentials (via https), the credentials are used to create an impersonation context, and all operations are done within this impersonation context.

The drawback of this approach is that the credentials and the privilege elevation last for just one trip to the server... for any other request the user is forced to re-insert the credentials. THERE IS NO SAFE WAY TO AVOID THIS due to browser security limitations.
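The four steps above, carried through as an added example (not the answer's own code). It assumes a hypothetical `TaskController`, a hypothetical `ImpersonationScope` wrapper around the Win32 `LogonUser` API, a hypothetical "ElevationPrompt" view that posts the admin credentials back over HTTPS with an anti-forgery token, and `<customErrors mode="On"/>` in web.config so that `HandleErrorAttribute` is active. The task table and the `DOMAIN\Administrators` group name are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Mvc;

namespace ElevationDemo
{
    // Step 2: the exception a task throws when it needs more privilege
    // than the current user has.
    public class RequiresPrivilegesElevationException : Exception
    {
        public RequiresPrivilegesElevationException(string task)
            : base("Task '" + task + "' requires elevated privileges") { }
    }

    // Step 4: a one-request impersonation context built from the supplied
    // credentials via Win32 LogonUser. Dispose() reverts the identity and
    // releases the token, so nothing outlives the request (hypothetical helper).
    public sealed class ImpersonationScope : IDisposable
    {
        private const int LOGON32_LOGON_NETWORK = 3;    // enough for local resources
        private const int LOGON32_PROVIDER_DEFAULT = 0;

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        private static extern bool LogonUser(string user, string domain, string password,
            int logonType, int logonProvider, out IntPtr token);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr handle);

        private readonly IntPtr _token;
        private readonly WindowsImpersonationContext _context;

        public ImpersonationScope(string domain, string user, string password)
        {
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out _token))
            {
                // Bad password, locked account, ...: surface the Win32 error and
                // leave the request running as the original low-privilege user.
                throw new Win32Exception(Marshal.GetLastWin32Error());
            }
            _context = new WindowsIdentity(_token).Impersonate();
        }

        public void Dispose()
        {
            _context.Undo();      // back to the clerical user's identity
            CloseHandle(_token);
        }
    }
}

namespace ElevationDemo.Controllers
{
    // Steps 1-3: HandleError routes RequiresPrivilegesElevationException to the
    // "ElevationPrompt" view, which POSTs the admin credentials to RunElevated.
    [HandleError(ExceptionType = typeof(RequiresPrivilegesElevationException), View = "ElevationPrompt")]
    public class TaskController : Controller
    {
        private const string ElevatedRoleName = @"DOMAIN\Administrators";

        // Constructed table of tasks that need elevation (step 1).
        private static readonly HashSet<string> PrivilegedTasks =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "approve-refund" };

        public ActionResult Run(string task)
        {
            if (PrivilegedTasks.Contains(task) && !User.IsInRole(ElevatedRoleName))
                throw new RequiresPrivilegesElevationException(task);
            DoTask(task);
            return View("Done");
        }

        [HttpPost, RequireHttps, ValidateAntiForgeryToken]
        public ActionResult RunElevated(string task, string domain, string user, string password)
        {
            // Credentials are used once to build the context and are never stored.
            using (new ImpersonationScope(domain, user, password))
            {
                // Valid credentials alone are not enough: the impersonated
                // account must actually be in the elevated group.
                var elevated = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                if (!elevated.IsInRole(ElevatedRoleName))
                    throw new RequiresPrivilegesElevationException(task);
                DoTask(task);   // runs as the admin only inside this block
            }
            return View("Done");
        }

        private static void DoTask(string task)
        {
            // Placeholder for the real work; logs which Windows identity performed it.
            Trace.TraceInformation("Task {0} performed by {1}", task, WindowsIdentity.GetCurrent().Name);
        }
    }
}
```

Because the `using` block ends with the response, this matches the drawback the answer describes: the elevation lasts exactly one request. Two caveats for deployment: a `LOGON32_LOGON_NETWORK` token is fine for resources on the web server itself but cannot be used to reach other machines (no credentials are cached for it), so a task that must access a remote file share or database under the admin identity needs an interactive logon type or Kerberos delegation instead; and the failed `LogonUser` path should be rate limited and logged, since the prompt view is effectively a password form for domain accounts.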

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow