Impersonation on Windows Server 2003

Discussion in 'ASP .Net Security' started by Halcyon Woodward, Jul 16, 2003.

  1. I have an ASP.NET application that I'm developing on Windows 2003 and IIS 6.
    I have included the < identity impersonate="true" /> in the web.config file
    to force the application code to run under the currently logged in user, and
    the site disalows Anonymous access.

    The problem I'm running into is this: At key points in the application
    code, I need to write to the disk and perform other 'administrative' tasks
    that will [in most cases] require code to run under an administrative or
    utility account.

    I have tried to impersonate the administrative account two different ways:
    via an interop call to ImpersonateLoggedOnUser(securityToken) and via
    calling the Impersonate() method against a WindowsIdentity object.

    Both of these work, however the context I then run under is _severly_
    limited. (The second method works better by the way, as you cannot
    accidently drop down to the service account.)

    For example, when under this impersonation context, I cannot access the
    ConfigurationSettings.AppSettings object (which is what I really need), or
    even the WindowsIdentity.GetCurrent() method. This is the result even if
    the account I impersonate is in the Administrators group on the server.

    I know that impersonation works differently on Windows 2000 as opposed to
    Windows XP - so I'm assuming that the same is true in Windows 2003; but I
    can't seem to find the methodology for doing what I need to in either 2000
    or 2003.

    Can anyone offer some insight?

    Thanks,

    hb.
    Halcyon Woodward, Jul 16, 2003
    #1
    1. Advertising

  2. Hello Halcyon,

    Impersonating a windowsidentity did not help the process using the new windows credential. The process would still use the
    credentials of aspnet_wp.exe, typically ASPNET.

    So for disk writing issue, it is better for you to add ACL to that folder to allow aspnet account to write to it. Besides, we could
    use CreateProcessAsUser to spawn a new process under new credential.

    Here is one sample for you:

    The user credential being used for spawning the process must have Replace A Process Level Token and Adjust Memory
    Quotas privs for this to work.


    Imports System.Data

    Imports System.Data.SqlClient

    Imports System.Globalization

    Imports System.Diagnostics

    Imports System.Runtime.InteropServices

    Imports System.Security.Principal

    Imports System.Security.Permissions





    Public Class WebForm1

    Inherits System.Web.UI.Page



    <StructLayout(LayoutKind.Sequential)> Public Structure STARTUPINFO

    Public cb As Int32

    Public lpReserved As String

    Public lpDesktop As String

    Public lpTitle As String

    Public dwX As UInt32

    Public dwY As UInt32

    Public dwXSize As UInt32

    Public dwYSize As UInt32

    Public dwXCountChars As UInt32

    Public dwYCountChars As UInt32

    Public dwFillAttribute As UInt32

    Public dwFlags As UInt32

    Public wShowWindow As Int16

    Public cbReserved2 As Int16

    Public lpReserved2 As IntPtr

    Public hStdInput As IntPtr

    Public hStdOutput As IntPtr

    Public hStdError As IntPtr

    End Structure



    <StructLayout(LayoutKind.Sequential)> Public Structure PROCESS_INFORMATION

    Public hProcess As IntPtr

    Public hThread As IntPtr

    Public dwProcessId As UInt32

    Public dwThreadId As UInt32

    End Structure



    <StructLayout(LayoutKind.Sequential)> Public Structure SECURITY_ATTRIBUTES

    Public Length As Int32

    Public lpSecurityDescriptor As IntPtr

    Public bInheritHandle As Boolean

    End Structure



    <DllImport("kernel32.dll", EntryPoint:="CloseHandle", SetLastError:=True, CharSet:=CharSet.Auto, CallingConvention:
    =CallingConvention.StdCall)> _

    Public Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean

    End Function



    <DllImport("advapi32.dll", EntryPoint:="CreateProcessAsUser", SetLastError:=True, CharSet:=CharSet.Ansi,
    CallingConvention:=CallingConvention.StdCall)> _

    Public Shared Function CreateProcessAsUser(ByVal hToken As IntPtr, ByVal lpApplicationName As String, ByVal
    lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _

    ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandle As Boolean, ByVal dwCreationFlags As
    Int32, ByVal lpEnvironment As IntPtr, _

    ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As
    PROCESS_INFORMATION) As Boolean

    End Function



    <DllImport("advapi32.dll", EntryPoint:="DuplicateTokenEx")> _

    Public Shared Function DuplicateTokenEx(ByVal ExistingTokenHandle As IntPtr, ByVal dwDesiredAccess As Int32, _

    ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal TokenType As Int32, _

    ByVal ImpersonationLevel As Int32, ByRef DuplicateTokenHandle As IntPtr) As Boolean

    End Function



    <DllImport("advapi32.dll")> _

    Public Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As
    String, _

    ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As Integer) As Boolean

    End Function



    Private Sub RunProcessAsUser(ByVal strUid As String, ByVal strPwd As String, ByVal strDomain As String, ByVal
    strProcessPath As String)

    ''The Windows NT user token.

    'Dim token1 As Integer



    ''Get the user token for the specified user, machine, and password using the unmanaged LogonUser method.



    ''The parameters for LogonUser are the user name, computer name, password,

    ''Logon type (LOGON32_LOGON_NETWORK_CLEARTEXT), Logon provider (LOGON32_PROVIDER_DEFAULT),

    ''and user token.

    'Dim loggedOn As Boolean = LogonUser(strUid, strDomain, strPwd, 3, 0, token1)

    'Dim token2 As IntPtr = New IntPtr(token1)



    'Dim mWI2 As WindowsIdentity = New WindowsIdentity(token2)



    ''Impersonate the user.

    'Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()



    Dim Token As IntPtr = New IntPtr(0)

    Token = WindowsIdentity.GetCurrent().Token ¡®will either use ASPNET, or the impersonated windows credential if
    above section is uncommented



    Dim ret As Boolean



    Dim sa As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES()

    sa.bInheritHandle = False

    sa.Length = Marshal.SizeOf(sa)

    sa.lpSecurityDescriptor = IntPtr.op_Explicit(0)



    Const GENERIC_ALL As Int32 = &H10000000



    Const SecurityImpersonation As Int32 = 2

    Const TokenType As Int32 = 1

    Dim DupedToken As IntPtr = New IntPtr(0)



    ret = DuplicateTokenEx(Token, GENERIC_ALL, sa, SecurityImpersonation, TokenType, DupedToken)





    Dim si As STARTUPINFO = New STARTUPINFO()

    si.cb = Marshal.SizeOf(si)

    si.lpDesktop = ""



    Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION()



    ret = CreateProcessAsUser(DupedToken, strProcessPath, "", sa, sa, False, 0, IntPtr.op_Explicit(0), "c:\\", si, pi)

    'ret = CreateProcessAsUser(DupedToken, strProcessPath, "", IntPtr.Zero, IntPtr.Zero, True, 0, IntPtr.Zero, "C:\\", si, pi)



    'Revert to previous identity.

    'mWIC.Undo()



    'ret = CloseHandle(token2)

    ret = CloseHandle(DupedToken)



    End Sub





    End Class



    Best regards,
    Yanhong Huang
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    !From: "Halcyon Woodward" <>
    !Subject: Impersonation on Windows Server 2003
    !Date: Wed, 16 Jul 2003 15:29:50 -0700
    !Lines: 35
    !X-Priority: 3
    !X-MSMail-Priority: Normal
    !X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    !X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    !Message-ID: <OBefGn#>
    !Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    !NNTP-Posting-Host: nausers.mccann.com 199.4.18.2
    !Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    !Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:5921
    !X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    !
    !I have an ASP.NET application that I'm developing on Windows 2003 and IIS 6.
    !I have included the < identity impersonate="true" /> in the web.config file
    !to force the application code to run under the currently logged in user, and
    !the site disalows Anonymous access.
    !
    !The problem I'm running into is this: At key points in the application
    !code, I need to write to the disk and perform other 'administrative' tasks
    !that will [in most cases] require code to run under an administrative or
    !utility account.
    !
    !I have tried to impersonate the administrative account two different ways:
    !via an interop call to ImpersonateLoggedOnUser(securityToken) and via
    !calling the Impersonate() method against a WindowsIdentity object.
    !
    !Both of these work, however the context I then run under is _severly_
    !limited. (The second method works better by the way, as you cannot
    !accidently drop down to the service account.)
    !
    !For example, when under this impersonation context, I cannot access the
    !ConfigurationSettings.AppSettings object (which is what I really need), or
    !even the WindowsIdentity.GetCurrent() method. This is the result even if
    !the account I impersonate is in the Administrators group on the server.
    !
    !I know that impersonation works differently on Windows 2000 as opposed to
    !Windows XP - so I'm assuming that the same is true in Windows 2003; but I
    !can't seem to find the methodology for doing what I need to in either 2000
    !or 2003.
    !
    !Can anyone offer some insight?
    !
    !Thanks,
    !
    !hb.
    !
    !
    !
    Yan-Hong Huang[MSFT], Jul 18, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kieran Kelly
    Replies:
    3
    Views:
    828
    Shaji
    Sep 29, 2003
  2. =?Utf-8?B?Y2pr?=
    Replies:
    4
    Views:
    6,306
    nosperantos
    Nov 1, 2006
  3. Craig Neuwirt

    Impersonation on Windows 2003 Server

    Craig Neuwirt, Oct 21, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    2,581
    Craig Neuwirt
    Oct 22, 2004
  4. =?Utf-8?B?Sm9oYW5uIEdyYW5hZG9z?=

    ASP.NET Impersonation in a Windows 2003 non domain member server

    =?Utf-8?B?Sm9oYW5uIEdyYW5hZG9z?=, Apr 20, 2007, in forum: ASP .Net
    Replies:
    1
    Views:
    589
    Cowboy \(Gregory A. Beamer\)
    Apr 21, 2007
  5. Johann Granados
    Replies:
    12
    Views:
    275
    Joe Kaplan
    Apr 21, 2007
Loading...

Share This Page