Impersonate on specific directory

Discussion in 'ASP .Net Security' started by Nick, May 19, 2008.

  1. Nick

    Nick Guest

    Hi there,

    I need to enable Impersonation in order to access a network share from
    an ASP.NET application. Unfortunately when I do this it enables it for the
    entire application which causes other issues, how would I do this for a
    particular folder?

    Thanks in advance for your time.

    Nick.
     
    Nick, May 19, 2008
    #1

  2. Hi Nick,

    From your description, you want to access a shared folder from the ASP.NET
    application; however, due to the security protection, you need to
    impersonate, and you are currently encountering some problems with the
    impersonation, correct?

    Regarding this issue, I'd like to confirm the following things:

    ** Are you in a domain environment, for both the ASP.NET server machine and
    the remote share folder's machine?

    ** How are you doing the impersonation currently? Are you impersonating the
    ASP.NET client user account (through Windows authentication) or using a fixed
    account in web.config to do the impersonation?

    Based on my experience, if the ASP.NET application needs to access another
    remote machine's protected resource (such as a file share), impersonating
    the client user (who accesses the ASP.NET application) will not work due to
    the double-hop limitation. You need to impersonate with a clear text
    username/password so as to establish a security token that can be forwarded
    from the ASP.NET server to the remote share folder machine.

    For the question of impersonating only when accessing a particular file
    share, I think you can consider impersonating programmatically. You can make
    the impersonation call only in the method where you want to access the
    remote share and undo it after finishing.

    #How To: Use Impersonation and Delegation in ASP.NET 2.0
    http://msdn.microsoft.com/en-us/library/ms998351.aspx

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



     
    Steven Cheng [MSFT], May 20, 2008
    #2

  3. Hi Nick,

    Did the suggestion in my last reply help? If anything is unclear or you
    need any other help, you are welcome to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng [MSFT], May 22, 2008
    #3
  4. Nick

    Nick Guest

    Hi Steven

    Thank you for your help. I fixed this by creating a class that calls the
    Win32 LogonUser function on demand; this avoids having to enable
    impersonation for the entire application. Anyone else doing this should
    consider caching the identity, as repeated calls to the API can cause
    resources to expire pretty quickly in a live application.

    Thanks for your time and help.

    Nick.
     
    Nick, May 30, 2008
    #4
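
An added example (not code posted by anyone in this thread) of the approach discussed above: impersonate a fixed account only around the share access, undo it afterwards, and cache the identity so that LogonUser is not called on every request. The class name `ShareAccessor`, its members and the choice of `LOGON32_LOGON_NEW_CREDENTIALS` are assumptions; it targets .NET Framework, where `WindowsIdentity.Impersonate()` is available.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: impersonates a fixed account only around share access.
public sealed class ShareAccessor : IDisposable
{
    // Supplied credentials are used for outbound network access only;
    // the local identity of the thread's token is unchanged.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3; // provider required by NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly WindowsIdentity _identity; // cached: one LogonUser call per instance

    // The caller supplies the credentials, e.g. from an encrypted configuration section.
    public ShareAccessor(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the token, so the raw handle is closed below.
            _identity = new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Impersonation is per thread and lasts only for the duration of this call.
    public byte[] ReadAllBytes(string uncPath)
    {
        using (WindowsImpersonationContext ctx = _identity.Impersonate())
        {
            return File.ReadAllBytes(uncPath);
        } // Dispose() reverts the thread identity, also when an exception is thrown
    }

    public void Dispose()
    {
        _identity.Dispose();
    }
}
```

Holding one instance for the lifetime of the application keeps LogonUser to a single call; with this logon type a wrong password surfaces when the share is first accessed rather than at logon.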
  5. Thanks for your reply Nick,

    I'm glad that you've got it resolved.

    Have a nice day!

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng [MSFT], Jun 2, 2008
    #5