When impersonation doesn't seem to work

[Garrett]

Hi all,

I am trying to access folders on an Active Directory network share in
my ASP code.

In my config file I have the following:

<identity impersonate="true" userName="OURDOMAIN\myusername"
password="mypass"/>

I am able to access the share through other means so I know my user
account has access, but I still get the following error when I try
through my code:

"ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user. "

Any help?

 

[Ben Strackany]

Yeah, that can be tricky. Maybe set <authentication mode="Windows" /> and
turn off anonymous access. You may also need to grant "Act as part of the
operating system" privilege to the ASPNET account.

If the above doesn't work, try instead creating a COM object that accesses
the share, put that COM object into a COM+ Server Application, & run that
application under your username. Or if you're on Windows 2003, you can
create a new Application Pool, run it under your account, then set your
virtual directory to use that pool instead of the default pool.

I tried to jot down a few other ideas on a web page for my own reference...

http://www.developmentnow.com/blog/2004/12/impersonation-in-aspnet.html

 

[Scott Allen]

Before elevating privileges, turn on some auditing and see what
identity is actually reaching the folder.

http://www.pluralsight.com/keith/book/html/howto_auditfileaccess.html

Also, what's the exact line of code throwing the exception? Are there
any COM components involved?

 

[bruce barker]

your asp.net thread should be ok, but if you use an sta com object you are
in trouble, because the com object will not use the same thread. you can set
aspcat if its a web page, or create an sta thread (which will need to do its
own impersonation) to call the com component.

-- bruce (sqlwork.com)


| Hi all,
|
| I am trying to access folders on an Active Directory network share in
| my ASP code.
|
| In my config file I have the following:
|
| <identity impersonate="true" userName="OURDOMAIN\myusername"
| password="mypass"/>
|
| I am able to access the share through other means so I know my user
| account has access, but I still get the following error when I try
| through my code:
|
| "ASP.NET is not authorized to access the requested resource. Consider
| granting access rights to the resource to the ASP.NET request
| identity. ASP.NET has a base process identity (typically
| {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
| the application is not impersonating. If the application is
| impersonating via <identity impersonate="true"/>, the identity will be
| the anonymous user (typically IUSR_MACHINENAME) or the authenticated
| request user. "
|
| Any help?

 

[Garrett]

I got it figured out, thanks for the help guys