Impersonate at runtime

Discussion in 'ASP .Net Security' started by Anand, Jul 18, 2003.

  1. Anand

    Anand Guest

    Hi,

    I want to move my files from web servers to a shared
    folder on the database server. For this I impersonate the
    aspnet user to common domainuser and gave write
    permissions for that user on the folder on the database
    server.

    During run time it impersonates to the domainuser but it
    throws an error
    "System.UnauthorizedAccessException: Access to the
    path "\\DBServer\Files\Test3.xls" is denied"

    The code I wrote is
    File.Move("C:\\Inetpub\\wwwroot\\CoradPhase2\\Files\\Test3.xls", "\\\\DBServer\\Files\\Test3.xls");

    It works fine if I write the identity tag in the web config.
    Any help is good and Thanks

    Thanks
    Anand
    Anand, Jul 18, 2003
    #1

  2. Anand

    Geof Nieboer Guest

    I'm having some similar issues, and perhaps can help a
    bit...

    Impersonation is used to impersonate a client on -that-
    machine, in ASP.NET the web server.
    I.E. If User is logged on Computer A, and accessing a web
    site and other resources on B using his credentials, that
    is impersonation.

    However, if logged on to A, accessing B, and -then- you
    want to have B send those same credentials on to a
    resource on computer C (your shared drive), then that is
    called "Delegation". From your description, it sounds
    like that is your scenario.

    There are a number of requirements for Delegation,
    primarily the use of Windows Authentication, and marking
    the accounts/computers (depending on setup) as 'Trusted
    for Delegation' within Active Directory. You also have to
    use Kerberos authentication, which is only compatible with
    certain browsers/OS's.

    My problem is that I can't get Kerberos to work.

    In this case, I appear to have 2 options. 1 is to use
    Basic Authentication. This sends the password in clear
    text, and (I'm oversimplifying, so I apologize to the
    experts) effectively just reusing the same username and
    password. So as I've recently learned, that's not true
    delegation, but the end result is the same, but with less
    security in the logon method.

    Another option is to create a domain account that's a
    member of IIS_WPG (on W2003 at least), and have IIS run
    under that account. Then when you need to access those
    resources, you can call "RevertToUser" using an API (less
    difficult than it may sound) and use those credentials
    (which don't have to be delegated since that account is
    actually logged on to Computer B) to save the file, and
    then start impersonating again.

    Hopefully though, you'll have more luck than I getting
    Kerberos to work. That certainly is the preferred
    solution. Do a search on setting up Delegation with
    Kerberos and I think you'll find some helpful resources.




    >-----Original Message-----
    >Hi,
    >
    >I want to move my files from web servers to a shared
    >folder on the database server. For this I impersonate the
    >aspnet user to common domainuser and gave write
    >permissions for that user on the folder on the database
    >server.
    >
    >During run time it impersonates to the domainuser but it
    >throws an error
    >"System.UnauthorizedAccessException: Access to the
    >path "\\DBServer\Files\Test3.xls" is denied"
    >
    >The code I wrote is
    >File.Move("C:\\Inetpub\\wwwroot\\CoradPhase2\\Files\\Test3.xls", "\\\\DBServer\\Files\\Test3.xls");
    >
    >It works fine if I write the identity tag in the web config.
    >Any help is good and Thanks
    >
    >Thanks
    >Anand
    >
    >.
    >
    Geof Nieboer, Jul 19, 2003
    #2
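
The second option described in the reply above (do the network write under the worker process account, then resume impersonating the caller), as an added example that is not code from either poster. It assumes .NET Framework, a worker process running as a domain account with write access to the share, and the hypothetical names ShareMover, MoveAsProcessIdentity and DescribeCurrentIdentity.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Hypothetical helper (not from the thread): perform the UNC write as the
// worker process account instead of the impersonated caller.
public static class ShareMover
{
    // Diagnostic string for logs: which account the thread is acting as and
    // how far its token can travel. A level of Delegation means the token
    // can be forwarded to another machine; Impersonation is limited to
    // resources on the web server itself; None means no impersonation is
    // active and the process's own token is in use.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} (auth={1}, level={2})",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }

    // Moves localPath to uncPath under the process identity. The caller must
    // already have authorized the request: once the thread reverts, the share
    // only ever sees the process account, so its ACL cannot tell users apart.
    public static void MoveAsProcessIdentity(string localPath, string uncPath)
    {
        string before = DescribeCurrentIdentity();

        // Passing IntPtr.Zero is equivalent to Win32 RevertToSelf: the thread
        // drops the impersonated token and runs as the process account, which
        // is logged on to the web server and so holds its own network credentials.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            Console.WriteLine("was {0}, now {1}", before, DescribeCurrentIdentity());
            // The process account also needs delete rights on the local file,
            // because a move to another volume is a copy followed by a delete.
            File.Move(localPath, uncPath);
        }
        finally
        {
            // Resume impersonating the original caller even if the move threw.
            reverted.Undo();
        }
    }
}
```

Grant the share and NTFS write permission only to the worker process account and keep the reverted section as short as possible, since everything inside it runs with that account's rights rather than the caller's.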