ASP 2.0, C#, LDAP Login, and Forms impersonation?

Discussion in 'ASP .Net Security' started by Karl, Sep 18, 2006.

  1. Karl

    Karl Guest

    Will a forms authentication allow me to impersonate a user?

    I am working on an application that will run on a kiosk, and allow a user to
    login and view their homedirectory.

    I have a form with the new login control which works great.

    I get logged in, and find the user's homedirectory.

    I then write Click here to access your home directory, and include a file
    URL pointing to the homedirectory

    All of this works, until the user clicks the link. At this point, a user
    cannot access their user drive without logging in again.

    So, now I am trying to map a drive using WNetAddConnection2A, and it fails
    with an error 5 on my development PC (Access Denied)

    I get a formsauthentication ticket via
    FormsIdentity fi = (FormsIdentity)User.Identity;
    FormsAuthenticationTicket fat = fi.Ticket;

    fat.name populates correctly

    Then, I call WNetAddConnection2A using the structure of:
    dwType= RESOURCETYPE_DISK
    lpLocalName = "m:"
    lpRemoteName = "\\\\usawvfs04\\userskl\\karlm"
    lpProvider= null

    My lpPassword is null, my lpUsername I set to fat.name.tostring()
    I do not set any dwFlags.

    If I hard code my own null terminated username and password, I get an error
    1312 (ERROR_NO_SUCH_LOGON_SESSION)

    Here is the relevant code:
    FormsIdentity fi = (FormsIdentity)User.Identity;
    FormsAuthenticationTicket fat = fi.Ticket;
    IIdentity WinId = HttpContext.Current.User.Identity;
    string strUserDrive = "";

    try
    {
        char[] splitter = { '\\' };
        string SearchString = "";

        // Access resources using the identity of the authenticated user
        // (ADSI paths need the "LDAP://" prefix; the DC= components are placeholders)
        DirectoryEntry obEntry = new
            DirectoryEntry("LDAP://servername/DC=/DC=/DC=");
        SearchString = "(anr=" + fi.Ticket.Name + ")";

        DirectorySearcher search = new DirectorySearcher(obEntry, SearchString);
        SearchResult res = search.FindOne();
        strUserDrive = (string)res.Properties["homedirectory"][0];

        Response.Write("Hello, " + (string)res.Properties["givenname"][0] + ".");
        Response.Write("<br/><br/>Your User Drive is now available.<br/>");

        NETRESOURCEA[] n = new NETRESOURCEA[1];
        n[0] = new NETRESOURCEA();
        n[0].dwType = 1;            // RESOURCETYPE_DISK
        int dwFlags = 1;            // CONNECT_UPDATE_PROFILE
        n[0].lpLocalName = @"m:";
        n[0].lpRemoteName = strUserDrive;
        n[0].lpProvider = null;

        // FAILS HERE: null password, user name taken from the forms ticket
        int result = CMyMprTest.WNetAddConnection2A(n, null, fi.Name, dwFlags);

        Response.Write("<br/>Click here to access your <a href=\"file://m:\">user drive</a>");
        Response.Write("<br/><br/>Remember to click Logout when you are done with your user drive.");
    }
    catch (Exception ex)
    {
        Response.Write("Error: " + Server.HtmlEncode(ex.Message));
    }
    Karl, Sep 18, 2006
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    No, forms auth does not support impersonation like Windows auth does. You
    would need to code your own thing to do that. Since you are gathering the
    user's credentials, that should be possible, but you'll need to store them
    somewhere (like session or something), as you won't have them after the
    forms login is processed.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Sep 18, 2006
    #2
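The approach Joe describes, written out as an added example (this is not Karl's or Joe Kaplan's code). A forms ticket proves only a name; the file share needs a Windows logon session. The one moment the application has the password is the Login control's Authenticate event, so the example exchanges it there for a token with LogonUser, keeps the resulting WindowsIdentity in in-proc Session, and never stores the password itself. Later requests impersonate that identity to read the home directory on the web server and render a listing, rather than mapping a drive letter on the server that a kiosk browser could not see anyway. Assumed, and not from the thread: the domain name "CORP", the LDAP root "LDAP://dc01.corp.example/DC=corp,DC=example", in-proc session state, a Login control named LoginCtl, and a worker-process identity permitted to perform a network-cleartext logon.

```csharp
// Added example: exchange forms-login credentials for a Windows token once,
// then impersonate that token to reach the user's home directory.
// Domain, LDAP root and control names below are assumptions, not values from the thread.
using System;
using System.DirectoryServices;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Web.SessionState;

public static class HomeDriveAccess
{
    const string Domain = "CORP";                                          // assumption
    const string LdapRoot = "LDAP://dc01.corp.example/DC=corp,DC=example"; // assumption
    const string SessionKey = "WinIdentity";

    // NETWORK_CLEARTEXT validates the password and keeps the credentials in the
    // authentication package, so the token can reach a remote share when it is
    // impersonated. A plain NETWORK (3) logon validates but cannot do that.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Called from the Login control's Authenticate event. On success a
    // WindowsIdentity goes into session; the password goes no further.
    public static bool Authenticate(string userName, string password, HttpSessionState session)
    {
        IntPtr token;
        if (!LogonUser(userName, Domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
            return false;                       // wrong password, locked out, disabled, ...
        try
        {
            // WindowsIdentity duplicates the handle, so the original can be closed here.
            session[SessionKey] = new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
        return true;
    }

    // Escape an attribute value for an LDAP search filter (RFC 4515) so that a
    // crafted user name cannot change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Exact match on sAMAccountName. "anr=" is a fuzzy match across several
    // attributes and can return an account other than the one that logged in.
    public static string LookupHomeDirectory(string samAccountName)
    {
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        using (DirectoryEntry root = new DirectoryEntry(LdapRoot))
        using (DirectorySearcher search = new DirectorySearcher(root, filter, new string[] { "homeDirectory" }))
        {
            SearchResult res = search.FindOne();
            if (res == null || res.Properties["homeDirectory"].Count == 0)
                return null;                    // no such account or no home directory set
            return (string)res.Properties["homeDirectory"][0];
        }
    }

    // Lists the home directory while impersonating the stored token, then reverts.
    public static string[] ListHomeDirectory(HttpSessionState session, string homeDir)
    {
        WindowsIdentity wi = session[SessionKey] as WindowsIdentity;
        if (wi == null)
            return null;                        // session expired or user never authenticated
        using (WindowsImpersonationContext ctx = wi.Impersonate())
        {
            return Directory.GetFiles(homeDir); // runs as the user; Dispose() reverts
        }
    }
}
```

Wiring: in the Login control's Authenticate handler set `e.Authenticated = HomeDriveAccess.Authenticate(LoginCtl.UserName, LoginCtl.Password, Session);` and let forms authentication issue its ticket as usual; on the landing page call `LookupHomeDirectory(User.Identity.Name)` and then `ListHomeDirectory(Session, homeDir)`, HTML-encoding each name before writing it; on logout call `Session.Abandon()` together with `FormsAuthentication.SignOut()` so the token is dropped with the session. This requires in-proc session state, since a WindowsIdentity wraps a kernel handle and cannot be serialized to a state server. The alternative Joe suggests, Windows authentication with `<identity impersonate="true" />`, needs no credential handling at all, but with Integrated authentication the impersonated token cannot reach a second machine (the file server) unless Kerberos constrained delegation is configured for the web server.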

  3. Karl

    Karl Guest

    Or, I could just start over with a windows authentication login, and after
    getting authenticated, open default.aspx with the

    Click Here to access your User Drive and a logout button, I suppose?

    I am new (obviously) to asp, and thought "Why not use this nifty login
    control"

    Seems like a fairly useless control - I will go back to asp.net 1.x and
    windows authentication.

    Thanks

    karl

    Karl, Sep 18, 2006
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    Well, the control isn't useless. It is just that you don't need forms auth
    here, so it doesn't really do anything for you. You need Windows auth, so
    you might as well just use it. I wouldn't go back to .NET 1.1, though.
    There's more to love in 2.0 than just the login control. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Sep 19, 2006
    #4