Access File Share from ASP.NET using Unmanaged Code

Discussion in 'ASP .Net Security' started by Mark Duregon, Jul 14, 2004.

  1. Mark Duregon

    Mark Duregon Guest

    Hi,

    We have an application that requires appropriate users to run command files on an adhoc basis. We have implmented a library that uses the following code:

    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Security.Permissions;

    namespace SAMIS.Porteco.Utilities
    {
    public enum LogonType : int
    {
    LOGON32_LOGON_INTERACTIVE = 2,
    LOGON32_LOGON_NETWORK = 3,
    LOGON32_LOGON_BATCH = 4,
    LOGON32_LOGON_SERVICE = 5,
    LOGON32_LOGON_UNLOCK = 7,
    LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    };

    public enum LogonProvider : int
    {
    LOGON32_PROVIDER_DEFAULT = 0,
    LOGON32_PROVIDER_WINNT35 = 1,
    LOGON32_PROVIDER_WINNT40 = 2,
    LOGON32_PROVIDER_WINNT50 = 3
    };

    class SecuUtil32
    {
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
    int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);

    [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
    }

    /// <summary>
    /// Summary description for NetworkSecurity.
    /// </summary>
    public class NetworkSecurity
    {
    private NetworkSecurity() {}

    public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
    LogonType logonType, LogonProvider logonProvider)
    {
    IntPtr tokenHandle = new IntPtr(0);
    IntPtr dupeTokenHandle = new IntPtr(0);
    try
    {
    const int SecurityImpersonation = 2;

    tokenHandle = IntPtr.Zero;
    dupeTokenHandle = IntPtr.Zero;

    //
    // Call LogonUser to obtain a handle to an access token.
    //
    bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
    (int)logonProvider, ref tokenHandle);

    if (false == returnValue)
    {
    int ret = Marshal.GetLastWin32Error();
    string strErr = String.Format("LogonUser failed with error code : {0}", ret);
    throw new ApplicationException(strErr, null);
    }

    bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);

    if (false == retVal)
    {
    SecuUtil32.CloseHandle(tokenHandle);
    throw new ApplicationException("Failed to duplicate token", null);
    }

    //
    // The token that is passed to the following constructor must
    // be a primary token in order to use it for impersonation.
    //
    WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    WindowsImpersonationContext impersonatedUser = newId.Impersonate();

    return impersonatedUser;
    }
    catch (Exception ex)
    {
    throw new ApplicationException(ex.Message, ex);
    }

    return null;
    }
    }
    }

    The problem we are having is that while network resources are not restricted entirely because the batch files are able to run sql scripts against the Oracle database, FTP etc. but the user cannot access a network share either by unc path or trying to map a drive as part of the script. This problem only occurs when trying to run the script in this fashion as it works when run manually through a command prompt whic is expected, an also on a scheduled basis by the Windows Scheduler.

    Is their a permission I need to request/grant on the assembly and if so which assembly (the library/web or both). I have tried granting full trust to the assemblies without success.

    Alternatively is their a way to run a defined task from the scheduler. I read the documentation (all 2 lines of it) for the scheduler and did not get the impression that it is possible.

    Regards,
    Mark.

    P.S. I cannot give you an exception or error messages that occur when I try to run the task from the web application, because as soon as I try to access a network resource using the page I have created it simply hangs/timesout but works perfectly when dealing with only local file resources. FYI all command files are on the local machine but need to access network shares to ctp then delete files.

    Platform: Windows 2000 Server w/ 1.0 Framework
     
    Mark Duregon, Jul 14, 2004
    #1
    1. Advertising

  2. Do you have impersonation enabled in your web.config file, and Windows authentication setup in IIS?

    "Mark Duregon" wrote:

    > Hi,
    >
    > We have an application that requires appropriate users to run command files on an adhoc basis. We have implmented a library that uses the following code:
    >
    > using System;
    > using System.Runtime.InteropServices;
    > using System.Security.Principal;
    > using System.Security.Permissions;
    >
    > namespace SAMIS.Porteco.Utilities
    > {
    > public enum LogonType : int
    > {
    > LOGON32_LOGON_INTERACTIVE = 2,
    > LOGON32_LOGON_NETWORK = 3,
    > LOGON32_LOGON_BATCH = 4,
    > LOGON32_LOGON_SERVICE = 5,
    > LOGON32_LOGON_UNLOCK = 7,
    > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > };
    >
    > public enum LogonProvider : int
    > {
    > LOGON32_PROVIDER_DEFAULT = 0,
    > LOGON32_PROVIDER_WINNT35 = 1,
    > LOGON32_PROVIDER_WINNT40 = 2,
    > LOGON32_PROVIDER_WINNT50 = 3
    > };
    >
    > class SecuUtil32
    > {
    > [DllImport("advapi32.dll", SetLastError=true)]
    > public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
    > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    >
    > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > public extern static bool CloseHandle(IntPtr handle);
    >
    > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
    > }
    >
    > /// <summary>
    > /// Summary description for NetworkSecurity.
    > /// </summary>
    > public class NetworkSecurity
    > {
    > private NetworkSecurity() {}
    >
    > public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
    > LogonType logonType, LogonProvider logonProvider)
    > {
    > IntPtr tokenHandle = new IntPtr(0);
    > IntPtr dupeTokenHandle = new IntPtr(0);
    > try
    > {
    > const int SecurityImpersonation = 2;
    >
    > tokenHandle = IntPtr.Zero;
    > dupeTokenHandle = IntPtr.Zero;
    >
    > //
    > // Call LogonUser to obtain a handle to an access token.
    > //
    > bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
    > (int)logonProvider, ref tokenHandle);
    >
    > if (false == returnValue)
    > {
    > int ret = Marshal.GetLastWin32Error();
    > string strErr = String.Format("LogonUser failed with error code : {0}", ret);
    > throw new ApplicationException(strErr, null);
    > }
    >
    > bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
    >
    > if (false == retVal)
    > {
    > SecuUtil32.CloseHandle(tokenHandle);
    > throw new ApplicationException("Failed to duplicate token", null);
    > }
    >
    > //
    > // The token that is passed to the following constructor must
    > // be a primary token in order to use it for impersonation.
    > //
    > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > WindowsImpersonationContext impersonatedUser = newId.Impersonate();
    >
    > return impersonatedUser;
    > }
    > catch (Exception ex)
    > {
    > throw new ApplicationException(ex.Message, ex);
    > }
    >
    > return null;
    > }
    > }
    > }
    >
    > The problem we are having is that while network resources are not restricted entirely because the batch files are able to run sql scripts against the Oracle database, FTP etc. but the user cannot access a network share either by unc path or trying to map a drive as part of the script. This problem only occurs when trying to run the script in this fashion as it works when run manually through a command prompt whic is expected, an also on a scheduled basis by the Windows Scheduler.
    >
    > Is their a permission I need to request/grant on the assembly and if so which assembly (the library/web or both). I have tried granting full trust to the assemblies without success.
    >
    > Alternatively is their a way to run a defined task from the scheduler. I read the documentation (all 2 lines of it) for the scheduler and did not get the impression that it is possible.
    >
    > Regards,
    > Mark.
    >
    > P.S. I cannot give you an exception or error messages that occur when I try to run the task from the web application, because as soon as I try to access a network resource using the page I have created it simply hangs/timesout but works perfectly when dealing with only local file resources. FYI all command files are on the local machine but need to access network shares to ctp then delete files.
    >
    > Platform: Windows 2000 Server w/ 1.0 Framework
     
    David Coe, MCAD, Jul 14, 2004
    #2
    1. Advertising

  3. Mark Duregon

    Mark Duregon Guest

    We use Forms authentication and if I set impersonate to true then I get an Access Denied excpetion when trying to access our Business Facade layer:

    Access is denied: 'BusinessFacade'.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.IO.FileLoadException: Access is denied: 'BusinessFacade'.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:


    [FileLoadException: Access is denied: 'BusinessFacade'.]
    SAMIS.Porteco.Web.Global.Application_AuthenticateRequest(Object sender, EventArgs e) +0
    System.Web.SyncEventExecutionStep.Execute() +60
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87




    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.0.3705.288; ASP.NET Version:1.0.3705.288



    "David Coe, MCAD" wrote:

    > Do you have impersonation enabled in your web.config file, and Windows authentication setup in IIS?
    >
    > "Mark Duregon" wrote:
    >
    > > Hi,
    > >
    > > We have an application that requires appropriate users to run command files on an adhoc basis. We have implmented a library that uses the following code:
    > >
    > > using System;
    > > using System.Runtime.InteropServices;
    > > using System.Security.Principal;
    > > using System.Security.Permissions;
    > >
    > > namespace SAMIS.Porteco.Utilities
    > > {
    > > public enum LogonType : int
    > > {
    > > LOGON32_LOGON_INTERACTIVE = 2,
    > > LOGON32_LOGON_NETWORK = 3,
    > > LOGON32_LOGON_BATCH = 4,
    > > LOGON32_LOGON_SERVICE = 5,
    > > LOGON32_LOGON_UNLOCK = 7,
    > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > };
    > >
    > > public enum LogonProvider : int
    > > {
    > > LOGON32_PROVIDER_DEFAULT = 0,
    > > LOGON32_PROVIDER_WINNT35 = 1,
    > > LOGON32_PROVIDER_WINNT40 = 2,
    > > LOGON32_PROVIDER_WINNT50 = 3
    > > };
    > >
    > > class SecuUtil32
    > > {
    > > [DllImport("advapi32.dll", SetLastError=true)]
    > > public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
    > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > >
    > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > public extern static bool CloseHandle(IntPtr handle);
    > >
    > > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > > public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
    > > }
    > >
    > > /// <summary>
    > > /// Summary description for NetworkSecurity.
    > > /// </summary>
    > > public class NetworkSecurity
    > > {
    > > private NetworkSecurity() {}
    > >
    > > public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
    > > LogonType logonType, LogonProvider logonProvider)
    > > {
    > > IntPtr tokenHandle = new IntPtr(0);
    > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > try
    > > {
    > > const int SecurityImpersonation = 2;
    > >
    > > tokenHandle = IntPtr.Zero;
    > > dupeTokenHandle = IntPtr.Zero;
    > >
    > > //
    > > // Call LogonUser to obtain a handle to an access token.
    > > //
    > > bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
    > > (int)logonProvider, ref tokenHandle);
    > >
    > > if (false == returnValue)
    > > {
    > > int ret = Marshal.GetLastWin32Error();
    > > string strErr = String.Format("LogonUser failed with error code : {0}", ret);
    > > throw new ApplicationException(strErr, null);
    > > }
    > >
    > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
    > >
    > > if (false == retVal)
    > > {
    > > SecuUtil32.CloseHandle(tokenHandle);
    > > throw new ApplicationException("Failed to duplicate token", null);
    > > }
    > >
    > > //
    > > // The token that is passed to the following constructor must
    > > // be a primary token in order to use it for impersonation.
    > > //
    > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > WindowsImpersonationContext impersonatedUser = newId.Impersonate();
    > >
    > > return impersonatedUser;
    > > }
    > > catch (Exception ex)
    > > {
    > > throw new ApplicationException(ex.Message, ex);
    > > }
    > >
    > > return null;
    > > }
    > > }
    > > }
    > >
    > > The problem we are having is that while network resources are not restricted entirely because the batch files are able to run sql scripts against the Oracle database, FTP etc. but the user cannot access a network share either by unc path or trying to map a drive as part of the script. This problem only occurs when trying to run the script in this fashion as it works when run manually through a command prompt whic is expected, an also on a scheduled basis by the Windows Scheduler.
    > >
    > > Is their a permission I need to request/grant on the assembly and if so which assembly (the library/web or both). I have tried granting full trust to the assemblies without success.
    > >
    > > Alternatively is their a way to run a defined task from the scheduler. I read the documentation (all 2 lines of it) for the scheduler and did not get the impression that it is possible.
    > >
    > > Regards,
    > > Mark.
    > >
    > > P.S. I cannot give you an exception or error messages that occur when I try to run the task from the web application, because as soon as I try to access a network resource using the page I have created it simply hangs/timesout but works perfectly when dealing with only local file resources. FYI all command files are on the local machine but need to access network shares to ctp then delete files.
    > >
    > > Platform: Windows 2000 Server w/ 1.0 Framework
     
    Mark Duregon, Jul 14, 2004
    #3
  4. How are you calling the script files in this app? Are you using the Process
    class? In that case, you need to be aware that it will start the new
    process with the current process' token, not the impersonation token. Since
    it would appear that you have a primary token, you could get around this by
    calling CreateProcessWithTokenW instead.

    If that isn't how you are calling the scripts, then how are you doing it?

    Joe K.

    "Mark Duregon" <> wrote in message
    news:...
    > Hi,
    >
    > We have an application that requires appropriate users to run command

    files on an adhoc basis. We have implmented a library that uses the
    following code:
    >
    > using System;
    > using System.Runtime.InteropServices;
    > using System.Security.Principal;
    > using System.Security.Permissions;
    >
    > namespace SAMIS.Porteco.Utilities
    > {
    > public enum LogonType : int
    > {
    > LOGON32_LOGON_INTERACTIVE = 2,
    > LOGON32_LOGON_NETWORK = 3,
    > LOGON32_LOGON_BATCH = 4,
    > LOGON32_LOGON_SERVICE = 5,
    > LOGON32_LOGON_UNLOCK = 7,
    > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > };
    >
    > public enum LogonProvider : int
    > {
    > LOGON32_PROVIDER_DEFAULT = 0,
    > LOGON32_PROVIDER_WINNT35 = 1,
    > LOGON32_PROVIDER_WINNT40 = 2,
    > LOGON32_PROVIDER_WINNT50 = 3
    > };
    >
    > class SecuUtil32
    > {
    > [DllImport("advapi32.dll", SetLastError=true)]
    > public static extern bool LogonUser(String lpszUsername, String

    lpszDomain, String lpszPassword,
    > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    >
    > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > public extern static bool CloseHandle(IntPtr handle);
    >
    > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
    > }
    >
    > /// <summary>
    > /// Summary description for NetworkSecurity.
    > /// </summary>
    > public class NetworkSecurity
    > {
    > private NetworkSecurity() {}
    >
    > public static WindowsImpersonationContext ImpersonateUser(string

    domain, string login, string password,
    > LogonType logonType, LogonProvider logonProvider)
    > {
    > IntPtr tokenHandle = new IntPtr(0);
    > IntPtr dupeTokenHandle = new IntPtr(0);
    > try
    > {
    > const int SecurityImpersonation = 2;
    >
    > tokenHandle = IntPtr.Zero;
    > dupeTokenHandle = IntPtr.Zero;
    >
    > //
    > // Call LogonUser to obtain a handle to an access token.
    > //
    > bool returnValue = SecuUtil32.LogonUser(login, domain, password,

    (int)logonType,
    > (int)logonProvider, ref tokenHandle);
    >
    > if (false == returnValue)
    > {
    > int ret = Marshal.GetLastWin32Error();
    > string strErr = String.Format("LogonUser failed with error code

    : {0}", ret);
    > throw new ApplicationException(strErr, null);
    > }
    >
    > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,

    SecurityImpersonation, ref dupeTokenHandle);
    >
    > if (false == retVal)
    > {
    > SecuUtil32.CloseHandle(tokenHandle);
    > throw new ApplicationException("Failed to duplicate token",

    null);
    > }
    >
    > //
    > // The token that is passed to the following constructor must
    > // be a primary token in order to use it for impersonation.
    > //
    > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > WindowsImpersonationContext impersonatedUser =

    newId.Impersonate();
    >
    > return impersonatedUser;
    > }
    > catch (Exception ex)
    > {
    > throw new ApplicationException(ex.Message, ex);
    > }
    >
    > return null;
    > }
    > }
    > }
    >
    > The problem we are having is that while network resources are not

    restricted entirely because the batch files are able to run sql scripts
    against the Oracle database, FTP etc. but the user cannot access a network
    share either by unc path or trying to map a drive as part of the script.
    This problem only occurs when trying to run the script in this fashion as it
    works when run manually through a command prompt whic is expected, an also
    on a scheduled basis by the Windows Scheduler.
    >
    > Is their a permission I need to request/grant on the assembly and if so

    which assembly (the library/web or both). I have tried granting full trust
    to the assemblies without success.
    >
    > Alternatively is their a way to run a defined task from the scheduler. I

    read the documentation (all 2 lines of it) for the scheduler and did not get
    the impression that it is possible.
    >
    > Regards,
    > Mark.
    >
    > P.S. I cannot give you an exception or error messages that occur when I

    try to run the task from the web application, because as soon as I try to
    access a network resource using the page I have created it simply
    hangs/timesout but works perfectly when dealing with only local file
    resources. FYI all command files are on the local machine but need to
    access network shares to ctp then delete files.
    >
    > Platform: Windows 2000 Server w/ 1.0 Framework
     
    Joe Kaplan \(MVP - ADSI\), Jul 14, 2004
    #4
  5. Mark Duregon

    Mark Duregon Guest

    Thanks, but I did mention that I am using Windows 2000 and 1.0 of the framework.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > How are you calling the script files in this app? Are you using the Process
    > class? In that case, you need to be aware that it will start the new
    > process with the current process' token, not the impersonation token. Since
    > it would appear that you have a primary token, you could get around this by
    > calling CreateProcessWithTokenW instead.
    >
    > If that isn't how you are calling the scripts, then how are you doing it?
    >
    > Joe K.
    >
    > "Mark Duregon" <> wrote in message
    > news:...
    > > Hi,
    > >
    > > We have an application that requires appropriate users to run command

    > files on an adhoc basis. We have implmented a library that uses the
    > following code:
    > >
    > > using System;
    > > using System.Runtime.InteropServices;
    > > using System.Security.Principal;
    > > using System.Security.Permissions;
    > >
    > > namespace SAMIS.Porteco.Utilities
    > > {
    > > public enum LogonType : int
    > > {
    > > LOGON32_LOGON_INTERACTIVE = 2,
    > > LOGON32_LOGON_NETWORK = 3,
    > > LOGON32_LOGON_BATCH = 4,
    > > LOGON32_LOGON_SERVICE = 5,
    > > LOGON32_LOGON_UNLOCK = 7,
    > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > };
    > >
    > > public enum LogonProvider : int
    > > {
    > > LOGON32_PROVIDER_DEFAULT = 0,
    > > LOGON32_PROVIDER_WINNT35 = 1,
    > > LOGON32_PROVIDER_WINNT40 = 2,
    > > LOGON32_PROVIDER_WINNT50 = 3
    > > };
    > >
    > > class SecuUtil32
    > > {
    > > [DllImport("advapi32.dll", SetLastError=true)]
    > > public static extern bool LogonUser(String lpszUsername, String

    > lpszDomain, String lpszPassword,
    > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > >
    > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > public extern static bool CloseHandle(IntPtr handle);
    > >
    > > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > > public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
    > > }
    > >
    > > /// <summary>
    > > /// Summary description for NetworkSecurity.
    > > /// </summary>
    > > public class NetworkSecurity
    > > {
    > > private NetworkSecurity() {}
    > >
    > > public static WindowsImpersonationContext ImpersonateUser(string

    > domain, string login, string password,
    > > LogonType logonType, LogonProvider logonProvider)
    > > {
    > > IntPtr tokenHandle = new IntPtr(0);
    > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > try
    > > {
    > > const int SecurityImpersonation = 2;
    > >
    > > tokenHandle = IntPtr.Zero;
    > > dupeTokenHandle = IntPtr.Zero;
    > >
    > > //
    > > // Call LogonUser to obtain a handle to an access token.
    > > //
    > > bool returnValue = SecuUtil32.LogonUser(login, domain, password,

    > (int)logonType,
    > > (int)logonProvider, ref tokenHandle);
    > >
    > > if (false == returnValue)
    > > {
    > > int ret = Marshal.GetLastWin32Error();
    > > string strErr = String.Format("LogonUser failed with error code

    > : {0}", ret);
    > > throw new ApplicationException(strErr, null);
    > > }
    > >
    > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,

    > SecurityImpersonation, ref dupeTokenHandle);
    > >
    > > if (false == retVal)
    > > {
    > > SecuUtil32.CloseHandle(tokenHandle);
    > > throw new ApplicationException("Failed to duplicate token",

    > null);
    > > }
    > >
    > > //
    > > // The token that is passed to the following constructor must
    > > // be a primary token in order to use it for impersonation.
    > > //
    > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > WindowsImpersonationContext impersonatedUser =

    > newId.Impersonate();
    > >
    > > return impersonatedUser;
    > > }
    > > catch (Exception ex)
    > > {
    > > throw new ApplicationException(ex.Message, ex);
    > > }
    > >
    > > return null;
    > > }
    > > }
    > > }
    > >
    > > The problem we are having is that while network resources are not

    > restricted entirely because the batch files are able to run sql scripts
    > against the Oracle database, FTP etc. but the user cannot access a network
    > share either by unc path or trying to map a drive as part of the script.
    > This problem only occurs when trying to run the script in this fashion as it
    > works when run manually through a command prompt whic is expected, an also
    > on a scheduled basis by the Windows Scheduler.
    > >
    > > Is their a permission I need to request/grant on the assembly and if so

    > which assembly (the library/web or both). I have tried granting full trust
    > to the assemblies without success.
    > >
    > > Alternatively is their a way to run a defined task from the scheduler. I

    > read the documentation (all 2 lines of it) for the scheduler and did not get
    > the impression that it is possible.
    > >
    > > Regards,
    > > Mark.
    > >
    > > P.S. I cannot give you an exception or error messages that occur when I

    > try to run the task from the web application, because as soon as I try to
    > access a network resource using the page I have created it simply
    > hangs/timesout but works perfectly when dealing with only local file
    > resources. FYI all command files are on the local machine but need to
    > access network shares to ctp then delete files.
    > >
    > > Platform: Windows 2000 Server w/ 1.0 Framework

    >
    >
    >
     
    Mark Duregon, Jul 14, 2004
    #5
  6. Mark Duregon

    [MSFT] Guest

    [MSFT], Jul 14, 2004
    #6
  7. Yes, but my question was how are you launching the vbscript processes? I
    understand the Win2K/1.0 part.

    Joe K.

    "Mark Duregon" <> wrote in message
    news:...
    > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the

    framework.
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    > > How are you calling the script files in this app? Are you using the

    Process
    > > class? In that case, you need to be aware that it will start the new
    > > process with the current process' token, not the impersonation token.

    Since
    > > it would appear that you have a primary token, you could get around this

    by
    > > calling CreateProcessWithTokenW instead.
    > >
    > > If that isn't how you are calling the scripts, then how are you doing

    it?
    > >
    > > Joe K.
    > >
    > > "Mark Duregon" <> wrote in message
    > > news:...
    > > > Hi,
    > > >
    > > > We have an application that requires appropriate users to run command

    > > files on an adhoc basis. We have implmented a library that uses the
    > > following code:
    > > >
    > > > using System;
    > > > using System.Runtime.InteropServices;
    > > > using System.Security.Principal;
    > > > using System.Security.Permissions;
    > > >
    > > > namespace SAMIS.Porteco.Utilities
    > > > {
    > > > public enum LogonType : int
    > > > {
    > > > LOGON32_LOGON_INTERACTIVE = 2,
    > > > LOGON32_LOGON_NETWORK = 3,
    > > > LOGON32_LOGON_BATCH = 4,
    > > > LOGON32_LOGON_SERVICE = 5,
    > > > LOGON32_LOGON_UNLOCK = 7,
    > > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > > };
    > > >
    > > > public enum LogonProvider : int
    > > > {
    > > > LOGON32_PROVIDER_DEFAULT = 0,
    > > > LOGON32_PROVIDER_WINNT35 = 1,
    > > > LOGON32_PROVIDER_WINNT40 = 2,
    > > > LOGON32_PROVIDER_WINNT50 = 3
    > > > };
    > > >
    > > > class SecuUtil32
    > > > {
    > > > [DllImport("advapi32.dll", SetLastError=true)]
    > > > public static extern bool LogonUser(String lpszUsername, String

    > > lpszDomain, String lpszPassword,
    > > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > > >
    > > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > > public extern static bool CloseHandle(IntPtr handle);
    > > >
    > > > [DllImport("advapi32.dll", CharSet=CharSet.Auto,

    SetLastError=true)]
    > > > public extern static bool DuplicateToken(IntPtr

    ExistingTokenHandle,
    > > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr

    DuplicateTokenHandle);
    > > > }
    > > >
    > > > /// <summary>
    > > > /// Summary description for NetworkSecurity.
    > > > /// </summary>
    > > > public class NetworkSecurity
    > > > {
    > > > private NetworkSecurity() {}
    > > >
    > > > public static WindowsImpersonationContext ImpersonateUser(string

    > > domain, string login, string password,
    > > > LogonType logonType, LogonProvider logonProvider)
    > > > {
    > > > IntPtr tokenHandle = new IntPtr(0);
    > > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > > try
    > > > {
    > > > const int SecurityImpersonation = 2;
    > > >
    > > > tokenHandle = IntPtr.Zero;
    > > > dupeTokenHandle = IntPtr.Zero;
    > > >
    > > > //
    > > > // Call LogonUser to obtain a handle to an access token.
    > > > //
    > > > bool returnValue = SecuUtil32.LogonUser(login, domain,

    password,
    > > (int)logonType,
    > > > (int)logonProvider, ref tokenHandle);
    > > >
    > > > if (false == returnValue)
    > > > {
    > > > int ret = Marshal.GetLastWin32Error();
    > > > string strErr = String.Format("LogonUser failed with error

    code
    > > : {0}", ret);
    > > > throw new ApplicationException(strErr, null);
    > > > }
    > > >
    > > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,

    > > SecurityImpersonation, ref dupeTokenHandle);
    > > >
    > > > if (false == retVal)
    > > > {
    > > > SecuUtil32.CloseHandle(tokenHandle);
    > > > throw new ApplicationException("Failed to duplicate token",

    > > null);
    > > > }
    > > >
    > > > //
    > > > // The token that is passed to the following constructor must
    > > > // be a primary token in order to use it for impersonation.
    > > > //
    > > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > > WindowsImpersonationContext impersonatedUser =

    > > newId.Impersonate();
    > > >
    > > > return impersonatedUser;
    > > > }
    > > > catch (Exception ex)
    > > > {
    > > > throw new ApplicationException(ex.Message, ex);
    > > > }
    > > >
    > > > return null;
    > > > }
    > > > }
    > > > }
    > > >
    > > > The problem we are having is that while network resources are not

    > > restricted entirely because the batch files are able to run sql scripts
    > > against the Oracle database, FTP etc. but the user cannot access a

    network
    > > share either by unc path or trying to map a drive as part of the script.
    > > This problem only occurs when trying to run the script in this fashion

    as it
    > > works when run manually through a command prompt whic is expected, an

    also
    > > on a scheduled basis by the Windows Scheduler.
    > > >
    > > > Is their a permission I need to request/grant on the assembly and if

    so
    > > which assembly (the library/web or both). I have tried granting full

    trust
    > > to the assemblies without success.
    > > >
    > > > Alternatively is their a way to run a defined task from the scheduler.

    I
    > > read the documentation (all 2 lines of it) for the scheduler and did not

    get
    > > the impression that it is possible.
    > > >
    > > > Regards,
    > > > Mark.
    > > >
    > > > P.S. I cannot give you an exception or error messages that occur when

    I
    > > try to run the task from the web application, because as soon as I try

    to
    > > access a network resource using the page I have created it simply
    > > hangs/timesout but works perfectly when dealing with only local file
    > > resources. FYI all command files are on the local machine but need to
    > > access network shares to ctp then delete files.
    > > >
    > > > Platform: Windows 2000 Server w/ 1.0 Framework

    > >
    > >
    > >
     
    Joe Kaplan \(MVP - ADSI\), Jul 14, 2004
    #7
  8. Mark Duregon

    Mark Duregon Guest

    Sorry Joe,

    I read your suggestion and looked at the documentation for CreateProcessWithTokenW and saw that it stated it was a Win2003 feature only. I then saw [MSFT] post a reply with a link that does suggest an article that does give an example that suggests it was introduced as part of Win2000. I am now grappling with trying to convert that example to C# with my extremly rusty VB skills, gave up on that and tried to create a VB.NET library of just that code but it appears to be VB6 and not VB.NET.

    Does anyone have this code in C#? I think my VB skills are too rusty and I am not having any luck whatsoever with this.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Yes, but my question was how are you launching the vbscript processes? I
    > understand the Win2K/1.0 part.
    >
    > Joe K.
    >
    > "Mark Duregon" <> wrote in message
    > news:...
    > > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the

    > framework.
    > >
    > > "Joe Kaplan (MVP - ADSI)" wrote:
    > >
    > > > How are you calling the script files in this app? Are you using the

    > Process
    > > > class? In that case, you need to be aware that it will start the new
    > > > process with the current process' token, not the impersonation token.

    > Since
    > > > it would appear that you have a primary token, you could get around this

    > by
    > > > calling CreateProcessWithTokenW instead.
    > > >
    > > > If that isn't how you are calling the scripts, then how are you doing

    > it?
    > > >
    > > > Joe K.
    > > >
    > > > "Mark Duregon" <> wrote in message
    > > > news:...
    > > > > Hi,
    > > > >
    > > > > We have an application that requires appropriate users to run command
    > > > files on an adhoc basis. We have implmented a library that uses the
    > > > following code:
    > > > >
    > > > > using System;
    > > > > using System.Runtime.InteropServices;
    > > > > using System.Security.Principal;
    > > > > using System.Security.Permissions;
    > > > >
    > > > > namespace SAMIS.Porteco.Utilities
    > > > > {
    > > > > public enum LogonType : int
    > > > > {
    > > > > LOGON32_LOGON_INTERACTIVE = 2,
    > > > > LOGON32_LOGON_NETWORK = 3,
    > > > > LOGON32_LOGON_BATCH = 4,
    > > > > LOGON32_LOGON_SERVICE = 5,
    > > > > LOGON32_LOGON_UNLOCK = 7,
    > > > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > > > };
    > > > >
    > > > > public enum LogonProvider : int
    > > > > {
    > > > > LOGON32_PROVIDER_DEFAULT = 0,
    > > > > LOGON32_PROVIDER_WINNT35 = 1,
    > > > > LOGON32_PROVIDER_WINNT40 = 2,
    > > > > LOGON32_PROVIDER_WINNT50 = 3
    > > > > };
    > > > >
    > > > > class SecuUtil32
    > > > > {
    > > > > [DllImport("advapi32.dll", SetLastError=true)]
    > > > > public static extern bool LogonUser(String lpszUsername, String
    > > > lpszDomain, String lpszPassword,
    > > > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > > > >
    > > > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > > > public extern static bool CloseHandle(IntPtr handle);
    > > > >
    > > > > [DllImport("advapi32.dll", CharSet=CharSet.Auto,

    > SetLastError=true)]
    > > > > public extern static bool DuplicateToken(IntPtr

    > ExistingTokenHandle,
    > > > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr

    > DuplicateTokenHandle);
    > > > > }
    > > > >
    > > > > /// <summary>
    > > > > /// Summary description for NetworkSecurity.
    > > > > /// </summary>
    > > > > public class NetworkSecurity
    > > > > {
    > > > > private NetworkSecurity() {}
    > > > >
    > > > > public static WindowsImpersonationContext ImpersonateUser(string
    > > > domain, string login, string password,
    > > > > LogonType logonType, LogonProvider logonProvider)
    > > > > {
    > > > > IntPtr tokenHandle = new IntPtr(0);
    > > > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > > > try
    > > > > {
    > > > > const int SecurityImpersonation = 2;
    > > > >
    > > > > tokenHandle = IntPtr.Zero;
    > > > > dupeTokenHandle = IntPtr.Zero;
    > > > >
    > > > > //
    > > > > // Call LogonUser to obtain a handle to an access token.
    > > > > //
    > > > > bool returnValue = SecuUtil32.LogonUser(login, domain,

    > password,
    > > > (int)logonType,
    > > > > (int)logonProvider, ref tokenHandle);
    > > > >
    > > > > if (false == returnValue)
    > > > > {
    > > > > int ret = Marshal.GetLastWin32Error();
    > > > > string strErr = String.Format("LogonUser failed with error

    > code
    > > > : {0}", ret);
    > > > > throw new ApplicationException(strErr, null);
    > > > > }
    > > > >
    > > > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,
    > > > SecurityImpersonation, ref dupeTokenHandle);
    > > > >
    > > > > if (false == retVal)
    > > > > {
    > > > > SecuUtil32.CloseHandle(tokenHandle);
    > > > > throw new ApplicationException("Failed to duplicate token",
    > > > null);
    > > > > }
    > > > >
    > > > > //
    > > > > // The token that is passed to the following constructor must
    > > > > // be a primary token in order to use it for impersonation.
    > > > > //
    > > > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > > > WindowsImpersonationContext impersonatedUser =
    > > > newId.Impersonate();
    > > > >
    > > > > return impersonatedUser;
    > > > > }
    > > > > catch (Exception ex)
    > > > > {
    > > > > throw new ApplicationException(ex.Message, ex);
    > > > > }
    > > > >
    > > > > return null;
    > > > > }
    > > > > }
    > > > > }
    > > > >
    > > > > The problem we are having is that while network resources are not
    > > > restricted entirely because the batch files are able to run sql scripts
    > > > against the Oracle database, FTP etc. but the user cannot access a

    > network
    > > > share either by unc path or trying to map a drive as part of the script.
    > > > This problem only occurs when trying to run the script in this fashion

    > as it
    > > > works when run manually through a command prompt whic is expected, an

    > also
    > > > on a scheduled basis by the Windows Scheduler.
    > > > >
    > > > > Is their a permission I need to request/grant on the assembly and if

    > so
    > > > which assembly (the library/web or both). I have tried granting full

    > trust
    > > > to the assemblies without success.
    > > > >
    > > > > Alternatively is their a way to run a defined task from the scheduler.

    > I
    > > > read the documentation (all 2 lines of it) for the scheduler and did not

    > get
    > > > the impression that it is possible.
    > > > >
    > > > > Regards,
    > > > > Mark.
    > > > >
    > > > > P.S. I cannot give you an exception or error messages that occur when

    > I
    > > > try to run the task from the web application, because as soon as I try

    > to
    > > > access a network resource using the page I have created it simply
    > > > hangs/timesout but works perfectly when dealing with only local file
    > > > resources. FYI all command files are on the local machine but need to
    > > > access network shares to ctp then delete files.
    > > > >
    > > > > Platform: Windows 2000 Server w/ 1.0 Framework
    > > >
    > > >
    > > >

    >
    >
    >
     
    Mark Duregon, Jul 15, 2004
    #8
  9. Mark Duregon

    Mark Duregon Guest

    Sorry Joe:

    I read your response and looked at the documentation for CreateProcessWithTokenW which stated that Win2003 was required. I then saw the response from [MSFT] with a link to Support Article that indicated that the feature was introduced in Win2000. Since then I have been using the code in the article and trying to convert it to C#. I gave up on that because I could get it to compile but not run successfully (my result kept coming back as 0). I have now tried to create a VB.NET library using the code from that article. I think the code in that article was VB6 (I am not entirely sure my VB is far too rusty), but I have managed to get that to compile but I now get a runtime exception of a variable not being set to an instance.

    To answer your question, I am using the Process class.

    Again my apologies to you Joe, I must have read the wrong piece of documentation.

    Does anyone happen to now of an example of this in C#?

    Regards Mark.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Yes, but my question was how are you launching the vbscript processes? I
    > understand the Win2K/1.0 part.
    >
    > Joe K.
    >
    > "Mark Duregon" <> wrote in message
    > news:...
    > > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the

    > framework.
    > >
    > > "Joe Kaplan (MVP - ADSI)" wrote:
    > >
    > > > How are you calling the script files in this app? Are you using the

    > Process
    > > > class? In that case, you need to be aware that it will start the new
    > > > process with the current process' token, not the impersonation token.

    > Since
    > > > it would appear that you have a primary token, you could get around this

    > by
    > > > calling CreateProcessWithTokenW instead.
    > > >
    > > > If that isn't how you are calling the scripts, then how are you doing

    > it?
    > > >
    > > > Joe K.
    > > >
    > > > "Mark Duregon" <> wrote in message
    > > > news:...
    > > > > Hi,
    > > > >
    > > > > We have an application that requires appropriate users to run command
    > > > files on an adhoc basis. We have implmented a library that uses the
    > > > following code:
    > > > >
    > > > > using System;
    > > > > using System.Runtime.InteropServices;
    > > > > using System.Security.Principal;
    > > > > using System.Security.Permissions;
    > > > >
    > > > > namespace SAMIS.Porteco.Utilities
    > > > > {
    > > > > public enum LogonType : int
    > > > > {
    > > > > LOGON32_LOGON_INTERACTIVE = 2,
    > > > > LOGON32_LOGON_NETWORK = 3,
    > > > > LOGON32_LOGON_BATCH = 4,
    > > > > LOGON32_LOGON_SERVICE = 5,
    > > > > LOGON32_LOGON_UNLOCK = 7,
    > > > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > > > };
    > > > >
    > > > > public enum LogonProvider : int
    > > > > {
    > > > > LOGON32_PROVIDER_DEFAULT = 0,
    > > > > LOGON32_PROVIDER_WINNT35 = 1,
    > > > > LOGON32_PROVIDER_WINNT40 = 2,
    > > > > LOGON32_PROVIDER_WINNT50 = 3
    > > > > };
    > > > >
    > > > > class SecuUtil32
    > > > > {
    > > > > [DllImport("advapi32.dll", SetLastError=true)]
    > > > > public static extern bool LogonUser(String lpszUsername, String
    > > > lpszDomain, String lpszPassword,
    > > > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > > > >
    > > > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > > > public extern static bool CloseHandle(IntPtr handle);
    > > > >
    > > > > [DllImport("advapi32.dll", CharSet=CharSet.Auto,

    > SetLastError=true)]
    > > > > public extern static bool DuplicateToken(IntPtr

    > ExistingTokenHandle,
    > > > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr

    > DuplicateTokenHandle);
    > > > > }
    > > > >
    > > > > /// <summary>
    > > > > /// Summary description for NetworkSecurity.
    > > > > /// </summary>
    > > > > public class NetworkSecurity
    > > > > {
    > > > > private NetworkSecurity() {}
    > > > >
    > > > > public static WindowsImpersonationContext ImpersonateUser(string
    > > > domain, string login, string password,
    > > > > LogonType logonType, LogonProvider logonProvider)
    > > > > {
    > > > > IntPtr tokenHandle = new IntPtr(0);
    > > > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > > > try
    > > > > {
    > > > > const int SecurityImpersonation = 2;
    > > > >
    > > > > tokenHandle = IntPtr.Zero;
    > > > > dupeTokenHandle = IntPtr.Zero;
    > > > >
    > > > > //
    > > > > // Call LogonUser to obtain a handle to an access token.
    > > > > //
    > > > > bool returnValue = SecuUtil32.LogonUser(login, domain,

    > password,
    > > > (int)logonType,
    > > > > (int)logonProvider, ref tokenHandle);
    > > > >
    > > > > if (false == returnValue)
    > > > > {
    > > > > int ret = Marshal.GetLastWin32Error();
    > > > > string strErr = String.Format("LogonUser failed with error

    > code
    > > > : {0}", ret);
    > > > > throw new ApplicationException(strErr, null);
    > > > > }
    > > > >
    > > > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,
    > > > SecurityImpersonation, ref dupeTokenHandle);
    > > > >
    > > > > if (false == retVal)
    > > > > {
    > > > > SecuUtil32.CloseHandle(tokenHandle);
    > > > > throw new ApplicationException("Failed to duplicate token",
    > > > null);
    > > > > }
    > > > >
    > > > > //
    > > > > // The token that is passed to the following constructor must
    > > > > // be a primary token in order to use it for impersonation.
    > > > > //
    > > > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > > > WindowsImpersonationContext impersonatedUser =
    > > > newId.Impersonate();
    > > > >
    > > > > return impersonatedUser;
    > > > > }
    > > > > catch (Exception ex)
    > > > > {
    > > > > throw new ApplicationException(ex.Message, ex);
    > > > > }
    > > > >
    > > > > return null;
    > > > > }
    > > > > }
    > > > > }
    > > > >
    > > > > The problem we are having is that while network resources are not
    > > > restricted entirely because the batch files are able to run sql scripts
    > > > against the Oracle database, FTP etc. but the user cannot access a

    > network
    > > > share either by unc path or trying to map a drive as part of the script.
    > > > This problem only occurs when trying to run the script in this fashion

    > as it
    > > > works when run manually through a command prompt whic is expected, an

    > also
    > > > on a scheduled basis by the Windows Scheduler.
    > > > >
    > > > > Is their a permission I need to request/grant on the assembly and if

    > so
    > > > which assembly (the library/web or both). I have tried granting full

    > trust
    > > > to the assemblies without success.
    > > > >
    > > > > Alternatively is their a way to run a defined task from the scheduler.

    > I
    > > > read the documentation (all 2 lines of it) for the scheduler and did not

    > get
    > > > the impression that it is possible.
    > > > >
    > > > > Regards,
    > > > > Mark.
    > > > >
    > > > > P.S. I cannot give you an exception or error messages that occur when

    > I
    > > > try to run the task from the web application, because as soon as I try

    > to
    > > > access a network resource using the page I have created it simply
    > > > hangs/timesout but works perfectly when dealing with only local file
    > > > resources. FYI all command files are on the local machine but need to
    > > > access network shares to ctp then delete files.
    > > > >
    > > > > Platform: Windows 2000 Server w/ 1.0 Framework
    > > >
    > > >
    > > >

    >
    >
    >
     
    Mark Duregon, Jul 15, 2004
    #9
  10. Mark Duregon

    Mark Duregon Guest

    Sorry Joe:

    I read your response and looked at the documentation for CreateProcessWithTokenW which stated that Win2003 was required. I then saw the response from [MSFT] with a link to Support Article that indicated that the feature was introduced in Win2000. Since then I have been using the code in the article and trying to convert it to C#. I gave up on that because I could get it to compile but not run successfully (my result kept coming back as 0). I have now tried to create a VB.NET library using the code from that article. I think the code in that article was VB6 (I am not entirely sure my VB is far too rusty), but I have managed to get that to compile but I now get a runtime exception of a variable not being set to an instance.

    To answer your question, I am using the Process class.

    Again my apologies to you Joe, I must have read the wrong piece of documentation.

    Does anyone happen to now of an example of this in C#?

    Regards,
    Mark.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Yes, but my question was how are you launching the vbscript processes? I
    > understand the Win2K/1.0 part.
    >
    > Joe K.
    >
    > "Mark Duregon" <> wrote in message
    > news:...
    > > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the

    > framework.
    > >
    > > "Joe Kaplan (MVP - ADSI)" wrote:
    > >
    > > > How are you calling the script files in this app? Are you using the

    > Process
    > > > class? In that case, you need to be aware that it will start the new
    > > > process with the current process' token, not the impersonation token.

    > Since
    > > > it would appear that you have a primary token, you could get around this

    > by
    > > > calling CreateProcessWithTokenW instead.
    > > >
    > > > If that isn't how you are calling the scripts, then how are you doing

    > it?
    > > >
    > > > Joe K.
    > > >
    > > > "Mark Duregon" <> wrote in message
    > > > news:...
    > > > > Hi,
    > > > >
    > > > > We have an application that requires appropriate users to run command
    > > > files on an adhoc basis. We have implmented a library that uses the
    > > > following code:
    > > > >
    > > > > using System;
    > > > > using System.Runtime.InteropServices;
    > > > > using System.Security.Principal;
    > > > > using System.Security.Permissions;
    > > > >
    > > > > namespace SAMIS.Porteco.Utilities
    > > > > {
    > > > > public enum LogonType : int
    > > > > {
    > > > > LOGON32_LOGON_INTERACTIVE = 2,
    > > > > LOGON32_LOGON_NETWORK = 3,
    > > > > LOGON32_LOGON_BATCH = 4,
    > > > > LOGON32_LOGON_SERVICE = 5,
    > > > > LOGON32_LOGON_UNLOCK = 7,
    > > > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
    > > > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
    > > > > };
    > > > >
    > > > > public enum LogonProvider : int
    > > > > {
    > > > > LOGON32_PROVIDER_DEFAULT = 0,
    > > > > LOGON32_PROVIDER_WINNT35 = 1,
    > > > > LOGON32_PROVIDER_WINNT40 = 2,
    > > > > LOGON32_PROVIDER_WINNT50 = 3
    > > > > };
    > > > >
    > > > > class SecuUtil32
    > > > > {
    > > > > [DllImport("advapi32.dll", SetLastError=true)]
    > > > > public static extern bool LogonUser(String lpszUsername, String
    > > > lpszDomain, String lpszPassword,
    > > > > int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
    > > > >
    > > > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > > > public extern static bool CloseHandle(IntPtr handle);
    > > > >
    > > > > [DllImport("advapi32.dll", CharSet=CharSet.Auto,

    > SetLastError=true)]
    > > > > public extern static bool DuplicateToken(IntPtr

    > ExistingTokenHandle,
    > > > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr

    > DuplicateTokenHandle);
    > > > > }
    > > > >
    > > > > /// <summary>
    > > > > /// Summary description for NetworkSecurity.
    > > > > /// </summary>
    > > > > public class NetworkSecurity
    > > > > {
    > > > > private NetworkSecurity() {}
    > > > >
    > > > > public static WindowsImpersonationContext ImpersonateUser(string
    > > > domain, string login, string password,
    > > > > LogonType logonType, LogonProvider logonProvider)
    > > > > {
    > > > > IntPtr tokenHandle = new IntPtr(0);
    > > > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > > > try
    > > > > {
    > > > > const int SecurityImpersonation = 2;
    > > > >
    > > > > tokenHandle = IntPtr.Zero;
    > > > > dupeTokenHandle = IntPtr.Zero;
    > > > >
    > > > > //
    > > > > // Call LogonUser to obtain a handle to an access token.
    > > > > //
    > > > > bool returnValue = SecuUtil32.LogonUser(login, domain,

    > password,
    > > > (int)logonType,
    > > > > (int)logonProvider, ref tokenHandle);
    > > > >
    > > > > if (false == returnValue)
    > > > > {
    > > > > int ret = Marshal.GetLastWin32Error();
    > > > > string strErr = String.Format("LogonUser failed with error

    > code
    > > > : {0}", ret);
    > > > > throw new ApplicationException(strErr, null);
    > > > > }
    > > > >
    > > > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,
    > > > SecurityImpersonation, ref dupeTokenHandle);
    > > > >
    > > > > if (false == retVal)
    > > > > {
    > > > > SecuUtil32.CloseHandle(tokenHandle);
    > > > > throw new ApplicationException("Failed to duplicate token",
    > > > null);
    > > > > }
    > > > >
    > > > > //
    > > > > // The token that is passed to the following constructor must
    > > > > // be a primary token in order to use it for impersonation.
    > > > > //
    > > > > WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
    > > > > WindowsImpersonationContext impersonatedUser =
    > > > newId.Impersonate();
    > > > >
    > > > > return impersonatedUser;
    > > > > }
    > > > > catch (Exception ex)
    > > > > {
    > > > > throw new ApplicationException(ex.Message, ex);
    > > > > }
    > > > >
    > > > > return null;
    > > > > }
    > > > > }
    > > > > }
    > > > >
    > > > > The problem we are having is that while network resources are not
    > > > restricted entirely because the batch files are able to run sql scripts
    > > > against the Oracle database, FTP etc. but the user cannot access a

    > network
    > > > share either by unc path or trying to map a drive as part of the script.
    > > > This problem only occurs when trying to run the script in this fashion

    > as it
    > > > works when run manually through a command prompt whic is expected, an

    > also
    > > > on a scheduled basis by the Windows Scheduler.
    > > > >
    > > > > Is their a permission I need to request/grant on the assembly and if

    > so
    > > > which assembly (the library/web or both). I have tried granting full

    > trust
    > > > to the assemblies without success.
    > > > >
    > > > > Alternatively is their a way to run a defined task from the scheduler.

    > I
    > > > read the documentation (all 2 lines of it) for the scheduler and did not

    > get
    > > > the impression that it is possible.
    > > > >
    > > > > Regards,
    > > > > Mark.
    > > > >
    > > > > P.S. I cannot give you an exception or error messages that occur when

    > I
    > > > try to run the task from the web application, because as soon as I try

    > to
    > > > access a network resource using the page I have created it simply
    > > > hangs/timesout but works perfectly when dealing with only local file
    > > > resources. FYI all command files are on the local machine but need to
    > > > access network shares to ctp then delete files.
    > > > >
    > > > > Platform: Windows 2000 Server w/ 1.0 Framework
    > > >
    > > >
    > > >

    >
    >
    >
     
    Mark Duregon, Jul 15, 2004
    #10
  11. Mark Duregon

    [MSFT] Guest

    [MSFT], Jul 15, 2004
    #11
  12. Joe Kaplan \(MVP - ADSI\), Jul 15, 2004
    #12
  13. So, the issue with using the Process class is that it won't create the
    process using the token that is being impersonated on the thread, but will
    use the process token instead. I believe that explains why it wasn't
    working the way you were expecting.

    I'm not sure what's wrong with your code without checking it out, but you
    might consider jumping over to the interop group to get some help with that
    (or perhaps try a Google groups search to see if it is already asked and
    answered).

    The good news is that your code to create the token that you were using for
    impersonation will be useful to pass into this, so once you get this
    working, you should be all set.

    I hope it works out.

    Joe K.

    "Mark Duregon" <> wrote in message
    news:...
    > Sorry Joe:
    >
    > I read your response and looked at the documentation for

    CreateProcessWithTokenW which stated that Win2003 was required. I then saw
    the response from [MSFT] with a link to Support Article that indicated that
    the feature was introduced in Win2000. Since then I have been using the
    code in the article and trying to convert it to C#. I gave up on that
    because I could get it to compile but not run successfully (my result kept
    coming back as 0). I have now tried to create a VB.NET library using the
    code from that article. I think the code in that article was VB6 (I am not
    entirely sure my VB is far too rusty), but I have managed to get that to
    compile but I now get a runtime exception of a variable not being set to an
    instance.
    >
    > To answer your question, I am using the Process class.
    >
    > Again my apologies to you Joe, I must have read the wrong piece of

    documentation.
    >
    > Does anyone happen to now of an example of this in C#?
    >
    > Regards Mark.
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    > > Yes, but my question was how are you launching the vbscript processes?

    I
    > > understand the Win2K/1.0 part.
    > >
    > > Joe K.
    > >
    > > "Mark Duregon" <> wrote in message
    > > news:...
    > > > Thanks, but I did mention that I am using Windows 2000 and 1.0 of the

    > > framework.
    > > >
    > > > "Joe Kaplan (MVP - ADSI)" wrote:
    > > >
    > > > > How are you calling the script files in this app? Are you using the

    > > Process
    > > > > class? In that case, you need to be aware that it will start the

    new
    > > > > process with the current process' token, not the impersonation

    token.
    > > Since
    > > > > it would appear that you have a primary token, you could get around

    this
    > > by
    > > > > calling CreateProcessWithTokenW instead.
    > > > >
    > > > > If that isn't how you are calling the scripts, then how are you

    doing
    > > it?
    > > > >
    > > > > Joe K.
    > > > >
    > > > > "Mark Duregon" <> wrote in message
    > > > > news:...
    > > > > > Hi,
    > > > > >
    > > > > > We have an application that requires appropriate users to run

    command
    > > > > files on an adhoc basis. We have implmented a library that uses the
    > > > > following code:
    > > > > >
    > > > > > using System;
    > > > > > using System.Runtime.InteropServices;
    > > > > > using System.Security.Principal;
    > > > > > using System.Security.Permissions;
    > > > > >
    > > > > > namespace SAMIS.Porteco.Utilities
    > > > > > {
    > > > > > public enum LogonType : int
    > > > > > {
    > > > > > LOGON32_LOGON_INTERACTIVE = 2,
    > > > > > LOGON32_LOGON_NETWORK = 3,
    > > > > > LOGON32_LOGON_BATCH = 4,
    > > > > > LOGON32_LOGON_SERVICE = 5,
    > > > > > LOGON32_LOGON_UNLOCK = 7,
    > > > > > LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or

    higher
    > > > > > LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or

    higher
    > > > > > };
    > > > > >
    > > > > > public enum LogonProvider : int
    > > > > > {
    > > > > > LOGON32_PROVIDER_DEFAULT = 0,
    > > > > > LOGON32_PROVIDER_WINNT35 = 1,
    > > > > > LOGON32_PROVIDER_WINNT40 = 2,
    > > > > > LOGON32_PROVIDER_WINNT50 = 3
    > > > > > };
    > > > > >
    > > > > > class SecuUtil32
    > > > > > {
    > > > > > [DllImport("advapi32.dll", SetLastError=true)]
    > > > > > public static extern bool LogonUser(String lpszUsername,

    String
    > > > > lpszDomain, String lpszPassword,
    > > > > > int dwLogonType, int dwLogonProvider, ref IntPtr

    TokenHandle);
    > > > > >
    > > > > > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > > > > > public extern static bool CloseHandle(IntPtr handle);
    > > > > >
    > > > > > [DllImport("advapi32.dll", CharSet=CharSet.Auto,

    > > SetLastError=true)]
    > > > > > public extern static bool DuplicateToken(IntPtr

    > > ExistingTokenHandle,
    > > > > > int SECURITY_IMPERSONATION_LEVEL, ref IntPtr

    > > DuplicateTokenHandle);
    > > > > > }
    > > > > >
    > > > > > /// <summary>
    > > > > > /// Summary description for NetworkSecurity.
    > > > > > /// </summary>
    > > > > > public class NetworkSecurity
    > > > > > {
    > > > > > private NetworkSecurity() {}
    > > > > >
    > > > > > public static WindowsImpersonationContext

    ImpersonateUser(string
    > > > > domain, string login, string password,
    > > > > > LogonType logonType, LogonProvider logonProvider)
    > > > > > {
    > > > > > IntPtr tokenHandle = new IntPtr(0);
    > > > > > IntPtr dupeTokenHandle = new IntPtr(0);
    > > > > > try
    > > > > > {
    > > > > > const int SecurityImpersonation = 2;
    > > > > >
    > > > > > tokenHandle = IntPtr.Zero;
    > > > > > dupeTokenHandle = IntPtr.Zero;
    > > > > >
    > > > > > //
    > > > > > // Call LogonUser to obtain a handle to an access token.
    > > > > > //
    > > > > > bool returnValue = SecuUtil32.LogonUser(login, domain,

    > > password,
    > > > > (int)logonType,
    > > > > > (int)logonProvider, ref tokenHandle);
    > > > > >
    > > > > > if (false == returnValue)
    > > > > > {
    > > > > > int ret = Marshal.GetLastWin32Error();
    > > > > > string strErr = String.Format("LogonUser failed with

    error
    > > code
    > > > > : {0}", ret);
    > > > > > throw new ApplicationException(strErr, null);
    > > > > > }
    > > > > >
    > > > > > bool retVal = SecuUtil32.DuplicateToken(tokenHandle,
    > > > > SecurityImpersonation, ref dupeTokenHandle);
    > > > > >
    > > > > > if (false == retVal)
    > > > > > {
    > > > > > SecuUtil32.CloseHandle(tokenHandle);
    > > > > > throw new ApplicationException("Failed to duplicate

    token",
    > > > > null);
    > > > > > }
    > > > > >
    > > > > > //
    > > > > > // The token that is passed to the following constructor

    must
    > > > > > // be a primary token in order to use it for

    impersonation.
    > > > > > //
    > > > > > WindowsIdentity newId = new

    WindowsIdentity(dupeTokenHandle);
    > > > > > WindowsImpersonationContext impersonatedUser =
    > > > > newId.Impersonate();
    > > > > >
    > > > > > return impersonatedUser;
    > > > > > }
    > > > > > catch (Exception ex)
    > > > > > {
    > > > > > throw new ApplicationException(ex.Message, ex);
    > > > > > }
    > > > > >
    > > > > > return null;
    > > > > > }
    > > > > > }
    > > > > > }
    > > > > >
    > > > > > The problem we are having is that while network resources are not
    > > > > restricted entirely because the batch files are able to run sql

    scripts
    > > > > against the Oracle database, FTP etc. but the user cannot access a

    > > network
    > > > > share either by unc path or trying to map a drive as part of the

    script.
    > > > > This problem only occurs when trying to run the script in this

    fashion
    > > as it
    > > > > works when run manually through a command prompt whic is expected,

    an
    > > also
    > > > > on a scheduled basis by the Windows Scheduler.
    > > > > >
    > > > > > Is their a permission I need to request/grant on the assembly and

    if
    > > so
    > > > > which assembly (the library/web or both). I have tried granting

    full
    > > trust
    > > > > to the assemblies without success.
    > > > > >
    > > > > > Alternatively is their a way to run a defined task from the

    scheduler.
    > > I
    > > > > read the documentation (all 2 lines of it) for the scheduler and did

    not
    > > get
    > > > > the impression that it is possible.
    > > > > >
    > > > > > Regards,
    > > > > > Mark.
    > > > > >
    > > > > > P.S. I cannot give you an exception or error messages that occur

    when
    > > I
    > > > > try to run the task from the web application, because as soon as I

    try
    > > to
    > > > > access a network resource using the page I have created it simply
    > > > > hangs/timesout but works perfectly when dealing with only local file
    > > > > resources. FYI all command files are on the local machine but need

    to
    > > > > access network shares to ctp then delete files.
    > > > > >
    > > > > > Platform: Windows 2000 Server w/ 1.0 Framework
    > > > >
    > > > >
    > > > >

    > >
    > >
    > >
     
    Joe Kaplan \(MVP - ADSI\), Jul 15, 2004
    #13
  14. Hello Mark,

    I was reviewing the issue thread. Do you have completed the code
    successfully? Luke and Joe has provided much userful resource on it. If you
    have any more concerns, please feel free to post here and we will follow up.

    Thanks very much.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! ┬ĘC www.microsoft.com/security
    Register to Access MSDN Managed Newsgroups!
    -http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.as
    p&SD=msdn

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Yan-Hong Huang[MSFT], Jul 19, 2004
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Sacha Korell
    Replies:
    0
    Views:
    695
    Sacha Korell
    Jul 25, 2003
  2. Luiz Miranda

    Problems using a unmanaged DLL from ASP.NET

    Luiz Miranda, Jul 30, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    588
    Luiz Miranda
    Jul 30, 2003
  3. =?Utf-8?B?c2h5YW0=?=
    Replies:
    2
    Views:
    706
    =?Utf-8?B?c2h5YW0=?=
    May 22, 2006
  4. Ted

    ASP.NET App with Unmanaged Code - HELP!

    Ted, Dec 10, 2004, in forum: ASP .Net Security
    Replies:
    1
    Views:
    150
    Kaustav
    Dec 15, 2004
  5. Saraswati lakki
    Replies:
    0
    Views:
    1,356
    Saraswati lakki
    Jan 6, 2012
Loading...

Share This Page