Impersonation in ASP.NET

Discussion in 'ASP .Net Security' started by Bonj, Oct 20, 2004.

  1. Bonj

    Bonj Guest

    Hi
    I would like to know how to use impersonation, in order to write to a file
    on a network share.
    The user will be logging on to this web app, and will then click a button
    which will write to a file on the network share. Currently though, I am
    getting permissions errors. I don't want to set identity impersonate = "true"
    because I gather that exposes security weaknesses. Rather, I would like the
    user to have to actually enter their windows password. I would then call an
    impersonate method, and then try to do it. But it is not working at the
    moment, I suspect due to permissions.

    Here is the code used to impersonate:
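    ' Requires Imports System.Security.Principal. LogonUser, DuplicateToken, the
    ' LOGON32_* constants and the impersonationContext field are declared elsewhere;
    ' CloseHandle (kernel32) must be declared alongside them.
    Public Function Impersonate(ByVal UserName As String, ByVal Domain As String, _
                                ByVal Password As String) As Boolean
        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Dim tokenDuplicate As IntPtr = IntPtr.Zero
        Dim succeeded As Boolean = False

        If LogonUser(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                     LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
            ' 2 = SecurityImpersonation level
            If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                impersonationContext = tempWindowsIdentity.Impersonate()
                succeeded = Not (impersonationContext Is Nothing)
            End If
        End If

        ' WindowsIdentity keeps its own copy of the token, so release the raw handles.
        If Not tokenDuplicate.Equals(IntPtr.Zero) Then CloseHandle(tokenDuplicate)
        If Not token.Equals(IntPtr.Zero) Then CloseHandle(token)
        ' Explicit result on every path, including a failed logon.
        Return succeeded
    End Function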

    (written in VB.NET, but equally in C#)

    Running the same code to write to the text file in a windows forms
    application works fine.
    This throws a permissions error in ASP.NET, even though the impersonation
    method appears to be successful.

    Any help much appreciated

    Thanks
     
    Bonj, Oct 20, 2004
    #1

  2. Bonj

    Raterus Guest

    Don't cross-post. aspnet.security is the only appropriate group you needed to post to.

    One thing that should work is to make the page that performs this operation set up for "basic authentication", they will be authenticated on IIS first, then if this takes place, impersonate with code using the shorter method found here. http://support.microsoft.com/default.aspx?scid=kb;en-us;306158 I don't see why it wouldn't work, and you also won't have to worry about coding a potentially buggy interface to gather their username/password.

     
    Raterus, Oct 20, 2004
    #2

  3. Bonj

    Bonj Guest

    I've done the 'impersonate with code' bit, but I can't figure out the "make
    the page set up for basic authentication" bit. Any ideas? I mean, what do I
    actually need to configure other than the code I've already written?

    The interface does collect their username and password, but it isn't buggy
    because it doesn't store it in session variables, the query string or any
    other form of memory other than the stack.
     
    Bonj, Oct 20, 2004
    #3
  4. Bonj

    Raterus Guest

    You have to configure basic authentication in IIS, find the page you are referring to, right-click properties, directory security tab.
     
    Raterus, Oct 20, 2004
    #4
  5. Bonj

    Bonj Guest

    I figured it out. The problem was not permissions, but the fact that IIS
    obviously doesn't understand network drives. Put the full UNC path in it
    (e.g. \\server\share$ rather than just L:\) and it works like a dream.
    It didn't help that the error message was quite generic in all
    cases - 'could not find a part of the path ... blah blah blah'. Which is the
    same error message you get if you don't call Impersonate.

    Thanks
     
    Bonj, Oct 21, 2004
    #5