LogonUser access denied

Discussion in 'ASP .Net Security' started by Lee, Aug 16, 2006.

  1. Lee

    Lee Guest

    I am having problems trying to impersonate as a user in asp.net.

    I get an access denied error on the LogonUser method of the following code;

    using System;
    using System.ComponentModel;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    /// <summary>
    /// Summary description for CustomWindowsIdentity.
    /// </summary>
    public class CustomWindowsIdentity : WindowsIdentity
    {
        // The two magic numbers from the original call, under their winbase.h names.
        private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;   // was 0x8
        private const int LOGON32_PROVIDER_DEFAULT = 0;          // was 0x0

        // LogonUser returns a BOOL and writes a HANDLE, so marshal both as such
        // rather than as int. SetLastError=true makes the Win32 error code
        // available through Marshal.GetLastWin32Error().
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool LogonUser(string lpszUsername, string lpszDomain,
            string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle(IntPtr hObject);

        // WindowsIdentity(IntPtr) duplicates the token it is given; the handle
        // from LogonUser is not closed here because it is used in the initializer.
        public CustomWindowsIdentity(string domain, string username, string password)
            : base(CustomWindowsIdentity.LogonUser(domain, username, password))
        {
        }

        //--------------------------------------------------------------------------
        // Impersonates as the supplied user.
        // Domain must be in standard NT format: e.g. "DOMAIN"
        //--------------------------------------------------------------------------
        public static WindowsImpersonationContext Impersonate(string domain,
            string username, string password)
        {
            IntPtr token = LogonUser(domain, username, password);
            try
            {
                // WindowsIdentity.Impersonate duplicates the token, so the handle
                // obtained from LogonUser can be closed once impersonation starts.
                return WindowsIdentity.Impersonate(token);
            }
            finally
            {
                CloseHandle(token);
            }
        }

        private static IntPtr LogonUser(string domain, string username, string password)
        {
            IntPtr token;

            bool loggedOn = LogonUser(username, domain, password,
                LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
                out token);

            if (!loggedOn || token == IntPtr.Zero)
            {
                // Read the error through the marshaler. Calling kernel32!GetLastError
                // directly from managed code can return a stale value, because the
                // runtime may make its own Win32 calls between LogonUser and the query.
                int ret = Marshal.GetLastWin32Error();
                WindowsIdentity currentUser = WindowsIdentity.GetCurrent();

                // Always fail loudly: returning a zero token would only move the
                // error to the later Impersonate call.
                throw new Win32Exception(ret, "DEBUG: " + currentUser.Name);
            }

            return token;
        }
    }

    It's worth noting we are using a different user account for IIS anonymous
    authentication, so the user that is trying to impersonate is
    'DOMAIN\MY_READER'.
    This same code block works on the production environment, so my thinking is
    that it's a permission or setting missing for the specific user on the staging
    server? I've even tried having IIS use an administrator account for anonymous
    access but get the same error?
    Any help, clues or pointers would be great.

    Many thanks
     
    Lee, Aug 16, 2006
    #1

  2. This would probably be the appropriate forum for this question, yes.

    Can you show the exact exception and stack trace?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Lee" <> wrote in message
    news:D...
    > Is this the right forum for this question?
    >
     
    Joe Kaplan (MVP - ADSI), Aug 18, 2006
    #2

  3. Hi,

    Which OS are you using? On W2K you need SYSTEM privileges to call LogonUser...

    dominick
    www.leastprivilege.com

     
    Dominick Baier, Aug 19, 2006
    #3
  4. Lee

    Lee Guest

    Thanks Joe, the exception and stack trace is as follows.

    Exception Details: System.ComponentModel.Win32Exception: Access is denied

    Stack Trace:

    [Win32Exception (0x80004005): Access is denied]
    UW.DirectoryServices.CustomWindowsIdentity.LogonUser(String domain,
    String username, String password)
    UW.DirectoryServices.CustomWindowsIdentity.Impersonate(String domain,
    String username, String password)
    UW.DirectoryServices.ADSAdmin.Load()
    UW.DirectoryServices.ADSAdmin.LoadDirectory(String domain, String
    organizationalunit, String loginUsername, String loginPassword)
    UW.DirectoryServices.ADSAdmin..ctor(String domain, String
    organizationalunit, String loginUsername, String loginPassword)
    Project.Web.Common.Template.ValidateUsers.GetADSAdmin()
    Project.Web.Common.Template.ValidateUsers.GetADUsers()
    Project.Web.Common.Template.ValidateUsers.GetDBUsersNotMatched()
    Project.Web.Common.Template.ValidateUsers.ShowDBUsersNotMatched()
    Project.Web.Common.Template.ValidateUsers.Page_Load(Object sender,
    EventArgs e)
    System.Web.UI.Control.OnLoad(EventArgs e) +67
    System.Web.UI.Control.LoadRecursive() +35
    System.Web.UI.Control.LoadRecursive() +98
    System.Web.UI.Control.LoadRecursive() +98
    System.Web.UI.Control.LoadRecursive() +98
    System.Web.UI.Page.ProcessRequestMain() +739

     
    Lee, Aug 22, 2006
    #4
  5. Joe Kaplan

    Joe Kaplan Guest

    I agree with Dominick's reply, but the thing is that you usually get an
    error indicating that a required privilege was not held by the client, not
    the straight access denied. I've not actually seen that particular problem.

    I'm not sure what the deal is here.

    Is the OS Win2K?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Aug 23, 2006
    #5
  6. Lee

    Lee Guest

    Thanks for your time guys, yes, to confirm, the OS is W2K.

     
    Lee, Aug 23, 2006
    #6
  7. Joe Kaplan

    Joe Kaplan Guest

    I'd expect to see a different error returned than what you are getting
    (maybe there is some little coding difference), but the bottom line is that
    you must either be running as SYSTEM or have the process account have the
    "act as part of the operating system" OS privilege to call LogonUser on
    Win2K.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Aug 23, 2006
    #7
  8. Lee

    Lee Guest

    Hi Joe,
    just checking the code I posted and noticed a slight difference. I modified
    the code so it would output the user name in the error message:

    throw new Win32Exception(ret,"DEBUG: " + currentUser.Name.ToString());

    I've looked at the Local Security Policy and the account has the "act as part of
    the operating system" privilege? So when this didn't work I thought I'd
    temporarily set 'Everyone' to have this privilege but still got the access
    denied error. Any suggestions on how to troubleshoot this?

     
    Lee, Aug 28, 2006
    #8
  9. Joe Kaplan

    Joe Kaplan Guest

    It sounds like that isn't the problem. That makes some sense, as normally
    when that is the problem, GetLastError returns something like "a required
    privilege is not held by the client".

    I just checked the docs and it says that under Win2K, the ID must have the
    SE_CHANGE_NOTIFY_NAME (bypass traverse checking) privilege as well, or you
    will get the Access Denied, so I'd try that next.

    DO NOT leave act as part of the operating system set to everyone. It is a
    very dangerous privilege! There is a reason that not even administrators
    have it by default.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Aug 28, 2006
    #9
  10. Lee

    Lee Guest

    Joe - really appreciate your efforts on this one, I will try the privilege
    mentioned next and let you know how it goes. I was investigating the problem
    today and managed to get it to work by setting impersonate in the web.config
    to false. Although this seemed to get around the problem I'm apprehensive
    about saying the problem is resolved as the web.config on my other server has
    impersonate set to true?!

    Oh, and no worries, I changed the Everyone setting straight back!

    Thanks once again,
    Lee

    Lee, Aug 28, 2006
    #10
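An added example, not code from the thread, of the LogonUser wrapper written the way Joe's and Lee's posts above point to: it keeps the posted logon type (8) and provider (0) but reads the failure code with Marshal.GetLastWin32Error() immediately after the call (a DllImported GetLastError() can return a value the runtime has already overwritten, so the posted `if (ret!=0)` check can be skipped and a zero token passed to Impersonate), reports which identity made the call, always reverts, and closes the token the posted code leaked. The names SafeLogon, RunAs and Work are assumptions, as is the comment that under `<identity impersonate="true">` the privilege check applies to the IIS anonymous account the thread is impersonating rather than the worker-process account, which is consistent with Lee's web.config observation.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not the thread's code: same P/Invoke as the posted class, with
// the last-error read fixed and the logon token released (see lead-in).
public static class SafeLogon
{
    public delegate void Work();               // no System.Action dependency
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;   // the 0x8 in the posted call
    const int LOGON32_PROVIDER_DEFAULT = 0;          // the 0x0 in the posted call
    const int ERROR_ACCESS_DENIED = 5;               // "Access is denied."
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;       // "A required privilege is not held by the client."
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Logs on as domain\user, runs 'work' under that identity, then reverts.
    public static void RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Read immediately: a DllImported GetLastError() can be overwritten by the
            // runtime, which is how the posted code can see ret == 0 and pass a zero token on.
            int err = Marshal.GetLastWin32Error();
            // Under <identity impersonate="true"> the caller is the IIS anonymous
            // account, not the worker-process account (assumption, see lead-in).
            string caller = WindowsIdentity.GetCurrent().Name;
            string hint = err == ERROR_PRIVILEGE_NOT_HELD ? "missing privilege (e.g. SE_TCB_NAME on Win2K)"
                        : err == ERROR_ACCESS_DENIED    ? "access denied"
                        : "LogonUser failed";
            throw new Win32Exception(err, hint + "; caller was " + caller);
        }
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try { work(); }
            finally { ctx.Undo(); }            // always revert, even if 'work' throws
        }
        finally
        {
            CloseHandle(token);                // the posted code never released the handle
        }
    }
}
```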