Showing posts with label Integrating Impersonation Module in IIS7.5. Show all posts

Friday 5 September 2014

Configuring OAM11G R2PS2 for Impersonation Module (Integrated Mode)

Enabling Impersonation Module:

1)     Registering Impersonation Module

·         We need to register the impersonation module at the Global level so that other sites can configure it at their end.
·         Go to the Global site level, open Modules



·         Go to “Configure Native Module” (see at the top right corner)




·         Click Register.
                                     




o   Provide a name -> “OAMImpersonation” & path to the IISImpersonationModule.dll (present in webgate install directory).
o   Press OK
o   As you can see the Module is added to the list.




o   But beware: don’t add this module at the Global level. We only need to register it here; we will add it at the per-site level.

2)     Adding Impersonation Module at Site Level:

           ·         Go to your site -> Open Modules



      ·         Configure Native Module:
                                              



          ·         The moment we add the module, web.config of the site gets updated.
Extract from it:


Note: The above configuration is valid for the site running in Integrated Mode.
         ·         Thus now we have configured the IISImpersonationModule.dll with our site.
         ·         Restart the IIS Server.
         ·         Now we need to do some configuration at OAM Console end.
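Steps 1) and 2) above can also be scripted with appcmd.exe; the sketch below is an added example, not part of the original post. The DLL path (a placeholder for the webgate install directory) and the site name are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumed values: $dll uses a placeholder for the webgate install directory and
# $site is a sample site name; substitute your own.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$dll     = 'C:\WEBGATE_INSTALL_DIR\IISImpersonationModule.dll'
$site    = 'Default Web Site/'
$modName = 'OAMImpersonation'

function Invoke-AppCmd {
    # Run appcmd and stop on the first failure so a half-applied change is noticed.
    $out = & $appcmd @args
    if ($LASTEXITCODE -ne 0) { throw "appcmd $($args -join ' ') failed: $out" }
    $out
}

function Test-ModuleListed([string[]]$configXml) {
    # True when the <modules> section text contains an <add name="OAMImpersonation" ...> entry.
    [bool]($configXml -match ('<add\s+name="' + [regex]::Escape($modName) + '"'))
}

if (-not (Test-Path -LiteralPath $dll)) { throw "Module DLL not found: $dll" }

# Step 1: register globally only. /add:false keeps the module out of the
# server-level <modules> list, so no site loads it until it opts in.
Invoke-AppCmd install module "/name:$modName" "/image:$dll" /add:false

# Step 2: enable it for the one site that needs impersonation.
Invoke-AppCmd add module "/name:$modName" "/app.name:$site"

# Check the result: absent at server level, present for the site.
$serverLevel = Invoke-AppCmd list config /section:system.webServer/modules
$siteLevel   = Invoke-AppCmd list config $site /section:system.webServer/modules

if (Test-ModuleListed $serverLevel) { Write-Warning "$modName is enabled server-wide" }
if (-not (Test-ModuleListed $siteLevel)) { throw "$modName is not enabled for $site" }
"$modName registered globally and enabled only for '$site'"
```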


·         Open OAM Console ->
     1)      Adding Response Header in Authorization Policy
·         Go to Application Domain -> Open WebGate Profile -> Authorization Policy -> Protected Policy
Note: It is not mandatory to use ‘Protected Policy’; we are using it because we have not explicitly specified a policy.



·         Open Responses Tab (in authorization policy) & add a new response field.



Note: The header field name should be “IMPERSONATE” and value “$user.userid”.
·         Add the Response Header & Apply the changes.

·         Now add the following user-defined parameter in the Webgate Profile:

MSImpersonationCredential=clk:Welcome1



Remember: This user-defined parameter contains a username & password. This should be an admin user, because an admin user has the rights to perform impersonation.
·         Apply the changes.

3)     Performing Impersonation:


       1)      Deploy the ASP.NET application in your created site.
       2)      Impersonation feature is activated.
       3)      Now we will access the resource /WebApp/default.aspx (we have created a sample app).

o   Provide login credentials – try using some other user login rather than using admin login.



o   Before you sign in to the system, Open Event Viewer -> Under Windows Logs -> Click Security



o   Now log in. After the user authentication & authorization checks, the user is given access to the resource.



Note: This is a sample app we created.
·         Now check whether the user is impersonated or not.
For this we check the system security event logs, to see that user ‘test’ is impersonated by the admin user ‘clk’.
As we have already opened the Event Viewer, we can now see a ‘Credential Validation’ log entry.

It shows that the system is authenticating the user with the credentials of the admin user ‘clk’ that we provided in the user-defined parameters.

o   Now click the ‘Log on’ event log entry above the ‘Credential Validation’ entry. It shows that the system has authenticated the user as ‘clk’. This proves that user ‘test’ has logged in to the system with the credentials of ‘clk’, and is thus impersonated.
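The same Event Viewer check can be run from PowerShell; this is an added example, not part of the original post. It assumes ‘clk’ is the MSImpersonationCredential account and uses the standard Windows event IDs 4776 (Credential Validation) and 4624 (Logon).

```powershell
# Added example, not from the original post. Run elevated (the Security log needs it).
# Assumptions: 'clk' is the MSImpersonationCredential account used in this post;
# 4776 (Credential Validation) and 4624 (Logon) are the standard Windows event IDs.
function Get-ImpersonationLogonEvidence {
    param(
        [string]   $Account = 'clk',
        [datetime] $Since   = (Get-Date).AddMinutes(-15)
    )
    $filter = @{ LogName = 'Security'; Id = 4776, 4624; StartTime = $Since }
    # @() yields an empty array when nothing matches, so the loop is skipped cleanly.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties indexes, which differ between event IDs.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $Account) { continue }

        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Account     = $data['TargetUserName']
            LogonType   = $data['LogonType']      # 4624 only
            Process     = $data['ProcessName']    # 4624 only: process that requested the logon
            Workstation = $data['Workstation']    # 4776 only
            Status      = $data['Status']         # 4776 only: 0x0 means validation succeeded
        }
    }
}

# Log in to /WebApp/default.aspx as the ordinary user first, then run:
Get-ImpersonationLogonEvidence -Account 'clk' |
    Sort-Object Time |
    Format-Table Time, EventId, Account, LogonType, Process, Workstation, Status -AutoSize
```

If the impersonation account is a domain account, the 4776 entry is written on the domain controller that validated the credentials, so run the query there as well.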




Thursday 21 August 2014

Integrating OAM 11G R2PS2 Webgate Impersonation Module in IIS7.5 Windows 2008 R2

Let's start the process: just follow the steps below :-)

1)  Follow Steps for Pre-requisites (Windows Server 2008 R2)

·         IIS 7.5 Server Role Configuration  
·         IIS7.5 Site Configuration -

2)  How to Perform –

·         Enabling Impersonation Module

3)  Troubleshooting Section (to be updated soon)


4) Configuring DCC Webgate in IIS 7.5-

IIS7.5 Global Site Default Configuration

Global Site Configuration Steps:

    1)      We assume the IIS Server Role is already added to your Windows Server 2008 R2 box.
          If it is not, open the link mentioned below.

    2)     As we have added the IIS role to our Windows Server, we now need to create a site with which we will do the webgate configuration.
    
    3)      Go to Start -> Internet Information Services (IIS) Manager

4)     Explore the localhost connection



     5)      Adding support for perl & cgi execution -> Go to Handler Mappings


  • If you see ISAPI.dll listed as disabled, enable it. You can enable it either at the global level or on a per-site basis.
  • Now we need to add the support for cgi & perl script execution. Their support can be added at global or per site level basis.
  • We are adding them at global site level.
    •  Add Script Map for .pl & .cgi support







      ·         Checking Execute Permission


Check whether execute permission is granted to both the .cgi & .pl handlers. If it is not, grant them execute permission.





You are done with Global Site Configurations...........!!!!!!!!!!!


Enjoy :-)

IIS7.5 Server Role Configuration

Configuring IIS Role in Windows Server 2008 R2

   1)        Click Start -> All Programs -> Administrative Tools -> Server Manager.




   2)      In the Server Manager window, right click Roles -> Add Roles. It will open a new window “Before you Begin”


     Press Next

    3)      Select Web Server (IIS) on the Select Server Roles page


Press Next

   4)      Select the IIS services to be installed on the Select Role Services page
Add all the role services as seen in the pictures below.




     Press Next, once the desired roles are added.

5)      Add any required role services.



6)      Click Next. IIS is now installed with a default configuration for hosting ASP.NET on Windows Server. Click Close to complete the process.

7)      Confirm that the Web server works by using http://localhost.



8)      Now you can see that in the Server Manager -> Roles -> Web Server (IIS) is listed.

    •           And you can verify the Role Service added to it as well.



Now you are done with the IIS Server Role Configuration.............!!!!


Enjoy :-)