Impersonation and accessing Windows file share

Discussion in 'ASP .Net Security' started by Julie, Mar 29, 2006.

  1. Julie

    Julie Guest

    Hi all,

    I have an ASP .NET application and am experiencing an interesting issue.

    The application runs under Windows integrated authentication and anonymous
    access is turned off; I need the current logged in user's ID for some initial
    processing. Partway through the code, I impersonate a system account using
    WindowsIdentity objects with the objective of retrieving a file from another
    server.

    I have the username and password for the system account encrypted in my
    code. I can verify using Environment.Username that the impersonation is
    working - the username of my system account is returned. However, I'm unable
    to authenticate to the file server. It doesn't seem to me that this is a
    "double-hop" as I'm just hopping from my web server to this file server - I
    do not need to pass the logged-in user's credentials to the file server, just
    this system account's credentials that I configure from within my code. (And
    unfortunately I cannot make changes to the file system security.)

    Any feedback as to whether this is possible would be appreciated. If
    necessary, I can switch to moving the service account's credentials to the
    web.config file in the <impersonate> tag but I'm hoping there's a way to
    switch between the user accounts in the same application.

    Thanks!
    Julie, Mar 29, 2006
    #1

  2. Hello,

    First, you can use the following code to determine what user the thread is
    executing as:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    Also, if you log on as the System account on the server, can you access the
    Windows file share like "\\Myserver\Myshare"?

    Regards,

    Luke Zhang
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Mar 30, 2006
    #2

  3. Julie

    Julie Guest

    I use that code and I can confirm that impersonation is impersonating the
    correct user. And yes, I can access the file share as the system account -
    thanks for checking. :)


    Julie, Mar 30, 2006
    #3
  4. In IIS manager, find the application pool for your web application, and
    change the identity to the system account you used to impersonate in the
    code, and then restart the IIS server. Will this help?

    Luke Zhang
    Microsoft Online Community Support

    Luke Zhang [MSFT], Mar 31, 2006
    #4
  5. If you enable logon event auditing on the file server, what does the logon
    failure say on that end? That may give you some clues.

    Also, when you called LogonUser, what type of logon did you do? You need to
    make sure you use one that gives you network credentials.

    Joe K.

    Joe Kaplan (MVP - ADSI), Mar 31, 2006
    #5
  6. Julie

    Julie Guest

    I can see on the Event log on my web server that the service account is
    logging in successfully.
    However, on the file server, the event log shows that the user is connecting
    to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.

    My Logon code looks like this:

    ' At the top of the file: Marshal lives in InteropServices,
    ' WindowsIdentity in System.Security.Principal.
    Imports System.Runtime.InteropServices
    Imports System.Security.Principal

    ' LogonUser validates the credentials and returns a primary token.
    ' A VB Declare marks the call with SetLastError, so
    ' Marshal.GetLastWin32Error is meaningful after a failure.
    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As String, _
        ByVal lpszDomain As String, _
        ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean

    ' The raw token handle returned by LogonUser must be released with CloseHandle.
    Private Declare Function CloseHandle Lib "kernel32.dll" ( _
        ByVal hObject As IntPtr) As Boolean

    Private Function Logon() As WindowsIdentity
        Dim handle As IntPtr = IntPtr.Zero

        ' Logon type 3 is a network logon; see the LogonUser documentation
        ' for the other dwLogonType values.
        Const LOGON32_LOGON_NETWORK As Integer = 3
        Const LOGON32_PROVIDER_DEFAULT As Integer = 0

        Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain, _
            Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

        If Not logonSucceeded Then
            Dim errorCode As Integer = Marshal.GetLastWin32Error()
            Throw New Exception("User logon failed. Error number: " & errorCode)
        End If

        ' WindowsIdentity duplicates the token, so the original handle can be closed here.
        Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
        CloseHandle(handle)
        Return winIdentity
    End Function

    Julie, Mar 31, 2006
    #6
  7. I think I see your problem. You are using LOGON32_LOGON_NETWORK, but if you
    read the docs for LogonUser in MSDN carefully, you'll see that this type of
    logon doesn't have network credentials. You probably should switch to
    LOGON32_LOGON_NETWORK_CLEARTEXT.

    Joe K.

    Joe Kaplan (MVP - ADSI), Mar 31, 2006
    #7
  8. Correct me if I am wrong - but when delegation is configured, NETWORK logons
    do have network credentials??!

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Mar 31, 2006
    #8
  9. Julie

    Julie Guest

    That worked!!!!!!!!!!!! I changed the Const LOGON32_LOGON_NETWORK = 3 to
    LOGON32_LOGON_NETWORK_CLEARTEXT = 8.
    Thank you thank you thank you! :)

    Julie, Mar 31, 2006
    #9
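    The corrected flow the thread settles on, as an added example that is not code
    from Julie's application or from any of the posters: a C# (.NET Framework,
    Windows only) version that logs on with LOGON32_LOGON_NETWORK_CLEARTEXT,
    impersonates only for the duration of the file read, and performs the
    WindowsIdentity.GetCurrent().Name check Luke suggested. The class and method
    names are mine, the UNC path and account are placeholders, and the name check
    assumes the account is supplied as a NetBIOS domain plus user name.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Example added to this thread; not code from the original posts.
// Requires .NET Framework on Windows (WindowsImpersonationContext).
static class ShareReader
{
    // Logon types from winbase.h. LOGON32_LOGON_NETWORK (3) yields a token
    // with no cached credentials, so SMB authentication performed under it
    // reaches the file server as NT AUTHORITY\ANONYMOUS LOGON, which is what
    // the file server's event log showed. LOGON32_LOGON_NETWORK_CLEARTEXT (8)
    // keeps the credentials, so the token can authenticate to remote servers.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads uncPath (placeholder, e.g. @"\\fileserver\share\file.txt") as the
    // service account and restores the caller's identity before returning.
    public static string ReadAsServiceAccount(string user, string domain,
                                              string password, string uncPath)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Meaningful only because SetLastError = true on the DllImport.
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");
        }
        try
        {
            // WindowsIdentity duplicates the token; the raw handle is closed in finally.
            WindowsIdentity serviceIdentity = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = serviceIdentity.Impersonate())
            {
                // The check suggested earlier in the thread: the thread must now
                // run as DOMAIN\user rather than as the web request's user.
                string expected = domain + "\\" + user;
                string actual = WindowsIdentity.GetCurrent().Name;
                if (!string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException(
                        "impersonation did not take effect: running as " + actual);

                // Disposing ctx calls Undo(), so the request's original identity
                // is restored even if ReadAllText throws.
                return File.ReadAllText(uncPath);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

    Type 8 keeps the password available to the logon session for the lifetime of
    the token, so the token should live only as long as the share access needs it,
    as the finally block above ensures.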
  10. My understanding is that this is correct. However, in this case she was
    calling LogonUser explicitly to use a service account to access the file
    share. From what I can tell by the docs, you can't use LOGON_NETWORK for
    that type of logon as it doesn't cache credentials.

    I'm not actually sure what happens when you do Kerberos auth with IWA,
    except that I assume that IIS calls AcceptSecurityContext instead of
    LogonUser and something different happens under the hood. I really don't
    know what the mechanics of those differences are.

    In any event, it seems to have worked... :)

    Joe K.

    Joe Kaplan (MVP - ADSI), Mar 31, 2006
    #10
