Accessing network files from an external process

Discussion in 'ASP .Net Security' started by Raterus, May 7, 2004.

  1. Raterus

    Raterus Guest

    Here is a good problem I'm hoping someone can help me with. Let me start out with my configuration.

    I have an asp.net application with integrated windows authentication. Delegation is set up on my webserver to allow access to remote resources, and it works great from within asp.net.

    I'm trying to work in an external command-line program, which will access files on the network. For this I'm using System.Diagnostics.Process. I'm positive I've set this up correctly to run the command, but the error I'm receiving from the program is that it can't open files that I'm setting in command line parameters. If I run the exact same command w/parameters by hand, it works great, and I know the files I'm specifying do in fact exist.

    Sounds like a security problem to me. I have identity impersonate="true" set, and my Authentication mode is set to "Windows" in web.config.

    How can I allow this external process to execute under the same context as my authenticated user, so this process can access any network files my asp.net application can?

    Thanks for any help!
    --Michael
    Raterus, May 7, 2004
    #1

  2. Raterus

    avnrao Guest

    When you impersonate the logged-in user and access some external process,
    the external process does not run under the impersonated user. Rather, it runs under
    the configured identity (ASPNet account).

    You need to explicitly impersonate by calling LogonUser.
    Check the code here:
    http://www.informit.com/articles/article.asp?p=169580&seqNum=2

    Av.
    avnrao, May 10, 2004
    #2

  3. Raterus

    Raterus Guest

    I ended up working around my problem this way; it will only work in certain situations, though. The external process I was trying to run only needed access to certain "secure" files, so I copied these files from the secure resources to a temporary folder on the webserver, then ran the external process using these copied files. After I was done I deleted them. Worked great, and I avoided the mess of using all this LogonUser/SecurityDelegation/DuplicateTokenEx stuff!


    "Chung" <> wrote in message news:...
    > I am having exactly the same problem as Raterus had. The problem occurs when a network file is being accessed by the external program, invoked from within the Asp.net code. I had no problem as a test to read the file by directly coding it in C#. Clearly, the external program when spawned using the System.Diagnostics.Process namespace does not run against the impersonated client credential.
    > From the information that I have been gathering so far, we have to use the function CreateProcessAsUser and pass to it a primary token, which can be achieved by calling DuplicateTokenEx to convert the impersonating token into a primary one. However, one of the parameters used in DuplicateTokenEx might have to be set to SecurityDelegation to allow the process to access network-based resources. Unfortunately, I do not have much luck using this method so far. I could never pass the call to duplicate the token.
    >
    > With respect to LogonUser, in my opinion, we cannot use this function if we do not have the user password and we do not want to pass this password around. This is the prime reason why impersonation is used.
    >
    > Again, I am still stuck with my problem similar to this and also happy to hear other people's comments.
    >
    > Chung
    Raterus, May 25, 2004
    #3
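
The call sequence discussed in this thread (DuplicateTokenEx to turn the impersonation token into a primary token, then CreateProcessAsUser), shown as an added example; it is not code from any poster. `ImpersonatedLauncher` and `RunAndWait` are hypothetical names. It assumes the call is made on the impersonated request thread, that the caller's token is delegation-level as the original post describes, and that the worker process account holds the privileges CreateProcessAsUser requires (SE_INCREASE_QUOTA_NAME, and SE_ASSIGNPRIMARYTOKEN_NAME where the token is not assignable).

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
// Hypothetical helper (added example): run a child process as the impersonated caller.
static class ImpersonatedLauncher
{
    const uint MAXIMUM_ALLOWED = 0x02000000, INFINITE = 0xFFFFFFFF;
    const int SecurityDelegation = 3, TokenPrimary = 1; // SECURITY_IMPERSONATION_LEVEL, TOKEN_TYPE
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr existing, uint access, IntPtr attrs, int level, int type, out IntPtr primary);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] static extern uint WaitForSingleObject(IntPtr h, uint ms);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);

    public static void RunAndWait(string exePath, string arguments)
    {
        IntPtr primary = IntPtr.Zero;
        PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
        STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        try {
            // While impersonating, GetCurrent() returns the thread's impersonation token.
            using (WindowsIdentity caller = WindowsIdentity.GetCurrent())
                if (!DuplicateTokenEx(caller.Token, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityDelegation, TokenPrimary, out primary))
                    throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateTokenEx failed");
            // Quote the executable path; the Unicode API needs a writable command-line buffer.
            StringBuilder cmd = new StringBuilder("\"" + exePath + "\" " + arguments);
            if (!CreateProcessAsUser(primary, exePath, cmd, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateProcessAsUser failed");
            WaitForSingleObject(pi.hProcess, INFINITE);
        } finally {
            if (pi.hThread != IntPtr.Zero) CloseHandle(pi.hThread);
            if (pi.hProcess != IntPtr.Zero) CloseHandle(pi.hProcess);
            if (primary != IntPtr.Zero) CloseHandle(primary);
        }
    }
}
```

The Win32 error code carried by the thrown `Win32Exception` shows which of the two calls was refused and why, which is the information needed when the token duplication step fails.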