Impersonate

Discussion in 'ASP .Net Security' started by zino, Feb 8, 2008.

  1. zino

    zino Guest

    On Windows XP, in an ASP.NET 2.0 application,
    I followed the example under the following link:
    http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.impersonate(VS.71).aspx

    to save an Excel file, but I keep getting an Access denied error.
    (I have administrator privileges and I impersonate a domain account
    (otherUser) that has administrator permissions too where the Excel file is
    being saved.)

    Note: without impersonation the code works fine under my account.

    The web config file is set to:
    <authentication mode="Windows"/>
    <identity impersonate="true"/>

    and "Integrated Windows Authentication" is the only thing checked in IIS.
    The web page:

    sub Page_Load()
        dim xl As myExcel = New myExcel()
        xl.SaveExcel("c\test.xls")
    end sub

    class myExcel
        function SaveExcel(filePath As String) As Boolean
            dim xl As Excel.Application
            dim wb As Excel.Workbook
            ' ... code omitted

            dim myImpersonate As New cls_impersonate
            if myImpersonate.StartImpersonation(otherUser, otherPwd) Then
                ' the next line generates the "Access is denied" error
                wb.SaveAs(filePath, FileFormat:=Excel.XlFileFormat.xlExcel7)
            else
                ' ...
            end if
            myImpersonate.UndoImpersonation()
        end function
    end class


    class cls_impersonate
        Private _impersonatedUser As WindowsImpersonationContext
        Private _tokenHandle As New IntPtr(0)

        function StartImpersonation(otherUser as string, otherPwd as string) as boolean
            ' .. same as in the MSDN example, and impersonation succeeds without any error,
            ' but the following:
            ' WindowsIdentity.GetCurrent().Name --> returns --> domain\otherUser
            ' while
            ' HttpContext.Current.User.Identity.Name --> returns --> domain\myName
            ' which I don't understand
        end function

        sub UndoImpersonation()
            Me._impersonatedUser.Undo()
            If Not System.IntPtr.op_Equality(Me._tokenHandle, IntPtr.Zero) Then
                CloseHandle(Me._tokenHandle)
            End If
        end sub
    end class


    thanks for help
     
    zino, Feb 8, 2008
    #1

  2. Hi Zino,

    From your description, you're encountering an Access Denied error when trying
    to save an Excel document in an ASP.NET web application, correct?

    Regarding the problem you mentioned, I think the account is the first
    thing we should check. I suggest trying the following things first:

    ** use the filemon tool to verify the Access Denied error and the problem
    account

    ** run the same code with the same account (as in your ASP.NET application)
    in a WinForms or console application to see whether it works.

    ** Also, instead of an Excel file, you can try a normal txt file to see
    whether the problem is specific to the Office automation code.

    BTW, I saw that you've enabled "impersonate" in the web.config file as below:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>


    Then why did you also use code to programmatically do the impersonation?
    You should either impersonate through the web.config setting or use code.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead





    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Steven Cheng[MSFT], Feb 11, 2008
    #2

  3. zino

    zino Guest

    Hi Steven,

    I solved it by placing the "if myImpersonate.StartImpersonation" statement
    at the beginning of the function, instead of waiting until the
    "workbook.SaveAs", as:

    function SaveExcel(filePath As String) As Boolean
        if myImpersonate.StartImpersonation then
            dim xl As Excel.Application
            dim wb As Excel.Workbook
            .... .. .. .
            workbook.saveAs(.. . ..


    The application needs to capture the logged-in user's NT domain account to
    compare it against the one saved in a back-end SQL database.
    The user must have an NT domain account and must be registered within the
    application in order to use it.
    There is a common function (accessible to any user) that extracts a value
    from a SQL table and streams it as an Excel file to the user.
    I don't know how to stream the Excel file without saving it first on the
    hard drive, therefore I created an account that has write permissions to save
    the Excel file, instead of assigning this WRITE permission to every user.
    That's why you see Windows Authentication and impersonate=true are
    enabled. In fact the authentication type is kind of Form Authentication.

    How can I stream Excel without saving it first on the hard drive?
     
    zino, Feb 11, 2008
    #3
  4. Thanks for your reply Zino,

    As you mentioned:

    ===================
    There is a common function (accessible to any user) that extracts a value
    from a SQL table and streams it as an Excel file to the user.
    ===================

    So the Excel files are stored as binary content in the database? If so, is
    it doable here that you directly transfer the binary content to the target
    user? Also, what's your current code that streams out the Excel file? For
    an ASP.NET page, I know that you can directly write out binary content into
    the page's response stream instead of through a physical file on disk. For
    example:

    ==========
    Response.Clear();
    Response.ContentType = "application/pdf";
    Response.BinaryWrite(bytes); // bytes: the byte array to send
    Response.End();
    ==========

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng[MSFT], Feb 12, 2008
    #4
  5. zino

    zino Guest

    The value to be displayed in the Excel file is saved in the SQL table as
    varchar(4000).
    What I need is something like:

    sub Page_Load
        dim xl As Excel.Application = New Excel.Application
        dim wbs As Excel.Workbooks = xl.Workbooks
        dim wb As Excel.Workbook
        wb = wbs.Add()

        response.Clear()
        response.ContentType = "application/vnd.ms-excel"
        ' it is incorrect this way, but that's how and what I need
        ' (to be able to pass the workbook directly)
        response.BinaryWrite((New UnicodeEncoding).GetBytes(wb))

        response.End()
    end sub
     
    zino, Feb 12, 2008
    #5
  6. Hi Zino,

    I've performed some further research. I'm afraid that so far the Office
    Automation interface only provides a file-based save approach, which restricts
    the code in your application to saving the Excel object to a file
    first (unless you directly save the Excel object in the database).

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng[MSFT], Feb 13, 2008
    #6
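
Combining the two answers above (save to a file first, then write the bytes to the response), as an added example that is not code from the thread: the workbook goes to a per-request file in one locked-down directory, is read into memory, deleted, and sent with Response.BinaryWrite. ExcelDownload, ExportDir, NewTempPath, SendAndDelete and the download name export.xls are hypothetical names; the directory is assumed to be writable only by the export account.

```vb
Imports System
Imports System.IO
Imports System.Web

' Added example, not code from the thread. All names here are hypothetical.
Public NotInheritable Class ExcelDownload
    ' Assumption: a directory that only the export account may write to.
    Private Const ExportDir As String = "D:\AppData\ExcelExport"

    ' A fresh path per request, so concurrent users never share one file
    ' (a fixed name such as test.xls can be overwritten by another request
    ' before it has been sent).
    Public Shared Function NewTempPath() As String
        Return Path.Combine(ExportDir, Guid.NewGuid().ToString("N") & ".xls")
    End Function

    ' Loads the saved workbook into memory, deletes it from disk, then sends
    ' the bytes to the browser as an attachment.
    Public Shared Sub SendAndDelete(ByVal response As HttpResponse, _
                                    ByVal tempPath As String)
        ' Only accept files inside ExportDir.
        Dim fullPath As String = Path.GetFullPath(tempPath)
        Dim root As String = Path.GetFullPath(ExportDir).TrimEnd("\"c) & "\"
        If Not fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New ArgumentException("Path is outside the export directory.", "tempPath")
        End If

        Dim bytes As Byte() = Nothing
        Try
            bytes = File.ReadAllBytes(fullPath)
        Finally
            File.Delete(fullPath)   ' runs even when the read fails
        End Try

        response.Clear()
        response.ContentType = "application/vnd.ms-excel"
        response.AddHeader("Content-Disposition", "attachment; filename=""export.xls""")
        response.BinaryWrite(bytes)
        response.End()
    End Sub
End Class
```

Pass NewTempPath() to wb.SaveAs, then call SendAndDelete while the account that wrote the file is still being impersonated, since that account is the one with rights on the directory.
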
  7. zino

    zino Guest

    Thank you for your feedback.
     
    zino, Feb 13, 2008
    #7