Impersonate on specific directory


Nick

Hi there,

I need to enable Impersonation in order to access a network share from
an ASP.NET application. Unfortunately when I do this it enables it for the
entire application which causes other issues, how would I do this for a
particular folder?

Thanks in advance for your time.

Nick.
 

Steven Cheng [MSFT]

Hi Nick,

From your description, you want to access some shared folder in the ASP.NET
application; however, due to the security protection, you need to
impersonate, and you are currently encountering some problems with the
impersonation, correct?

Regarding this issue, I'd like to confirm the following things:

** Are you in a domain environment, for both the ASP.NET server machine and
the remote share folder's machine?

** How do you do the impersonation currently? Are you impersonating the
ASP.NET client user account (through Windows authentication) or using a fixed
account in web.config to do the impersonation?

Based on my experience, if the ASP.NET application needs to access another
remote machine's protected resource (such as a file share), impersonating the
client user (who accesses the ASP.NET application) will not work due to the
double hop limitation. You need to impersonate with a clear text
username/password so as to establish a security token that can be forwarded
from the ASP.NET server to the remote share folder machine.

For the question that you want to only impersonate the context when
accessing a particular file share, I think you can consider impersonating
programmatically. You can make the impersonate call only in the method where
you want to access the remote share and undo it after it has finished.

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998351.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




Steven Cheng [MSFT]

Hi Nick,

Does the suggestion in my last reply help you some? If you have anything
unclear or need any other help, welcome to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
From: (e-mail address removed) (Steven Cheng [MSFT])
Organization: Microsoft
Date: Tue, 20 May 2008 03:59:45 GMT
Subject: RE: Impersonate on specific directory
 

Nick

Hi Steven

Thank you for your help. I fixed this by creating a class that calls the
Win32 LogonUser function on demand; this stops having to enable
impersonation for the entire application. Anyone else doing this should
consider caching the identity, as repeat calling of the API can cause
resources to expire pretty quickly in a live application.

Thanks for your time and help.

Nick.
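
The approach discussed in this thread (call LogonUser on demand, cache the resulting identity, and impersonate only around the share access) can look like the following. This is an added example, not code posted by Nick or Steven; the class and method names are hypothetical, and the choice of the LOGON32_LOGON_NETWORK_CLEARTEXT logon type is an assumption, since the thread does not say which one was used.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (hypothetical class): scoped impersonation with a cached identity.
public static class ShareImpersonator
{
    // Assumption: this logon type keeps the credentials usable for outbound connections.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static readonly object Sync = new object();
    static WindowsIdentity cached; // one logon per app domain, not one per request

    static WindowsIdentity GetIdentity(string user, string domain, string password)
    {
        lock (Sync)
        {
            if (cached != null) return cached;
            IntPtr token;
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try { cached = new WindowsIdentity(token); } // WindowsIdentity duplicates the token
            finally { CloseHandle(token); }              // so the raw handle is closed here
            return cached;
        }
    }

    // Impersonates only for the duration of the read; Dispose() reverts the thread.
    public static byte[] ReadFromShare(string uncPath, string user, string domain,
                                       string password)
    {
        using (WindowsImpersonationContext ctx =
                   GetIdentity(user, domain, password).Impersonate())
        {
            return File.ReadAllBytes(uncPath);
        }
    }
}
```

Load the account's password from a protected configuration section rather than source code, and discard the cached identity when the account's password is rotated so the next call performs a fresh logon.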


Steven Cheng [MSFT]

Thanks for your reply Nick,

I'm glad that you've got it resolved.

Have a nice day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


--------------------
Subject: Re: Impersonate on specific directory
Date: Fri, 30 May 2008 12:16:06 +0100
 
