Access denied: delegation scenario accessing a shared resource in a cluster

jose.cortijo

Hi,
I have an ASP.NET app and in one aspx I need to read and write in a
shared directory in a cluster.
My code is the following:

log.Debug("I am...." +
System.Security.Principal.WindowsIdentity.GetCurrent().Name);
DirectoryInfo raiz = new DirectoryInfo(ruta_Excel);
FileInfo[] archivos = raiz.GetFiles();

I set up delegation for the users and servers and modified web.config, but
what can I do to access the cluster's shared directory?

After reading tons of documentation:

How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/kb/810572/
Authentication delegation through Kerberos does not work in
load-balanced architectures
http://support.microsoft.com/kb/325608/
Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272/en-us
.....

Is it impossible to do it? I read the workaround of accessing the share by its
fully qualified domain name (FQDN), but my system admin doesn't allow me
to do it.

I tried to impersonate by code with new credentials using the following
code:

using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// These are members of the page class; the static class wrapper is only here so the snippet compiles on its own.
public static class Impersonacion
{
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    // Declared but not used below. IntPtr* was replaced by IntPtr so the file compiles without /unsafe.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private static extern int FormatMessage(int dwFlags, ref IntPtr lpSource,
        int dwMessageId, int dwLanguageId, ref String lpBuffer, int nSize, IntPtr Arguments);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    // Declared but not used below.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
        int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

    private static WindowsImpersonationContext impersonatedUser;
    private static IntPtr tokenHandle;

    private static int iDesImpersonar()
    {
        // Stop impersonating the user (no-op if iImpersonar never succeeded).
        if (impersonatedUser != null)
            impersonatedUser.Undo();

        // Free the token.
        if (tokenHandle != IntPtr.Zero)
        {
            CloseHandle(tokenHandle);
            tokenHandle = IntPtr.Zero;
        }
        return 1;
    }

    private static int iImpersonar(string psUsuario, string psPassword)
    {
        try
        {
            // psUsuario is expected as "DOMAIN\user".
            string[] parts = psUsuario.Split('\\');
            if (parts.Length != 2)
                throw new ArgumentException("Expected DOMAIN\\user", "psUsuario");
            string domainName = parts[0];
            string userName = parts[1];

            const int LOGON32_PROVIDER_DEFAULT = 0;
            // This logon type causes LogonUser to create a primary token;
            // it requires the "Allow log on locally" right for the account.
            const int LOGON32_LOGON_INTERACTIVE = 2;

            tokenHandle = IntPtr.Zero;

            // Call LogonUser to obtain a handle to an access token.
            bool returnValue = LogonUser(userName, domainName, psPassword,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle);

            if (!returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                Console.WriteLine("LogonUser failed with error code : {0}", ret);
                throw new System.ComponentModel.Win32Exception(ret);
            }

            // Impersonate the user represented by the token on the current thread.
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            impersonatedUser = newId.Impersonate();
            return 1;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception occurred. " + ex.Message);
            return 0;
        }
    }
}
but now when I execute

iImpersonar(@"DOMAIN\user1", "jdf0tj07");

I get an access error executing

log.Debug("I am...." + System.Security.Principal.WindowsIdentity.GetCurrent().Name);

It looks like I don't have enough rights to execute WindowsIdentity...

What can I do to set some credentials to access the shared resource
in the cluster and afterwards continue with my impersonation/delegation
webapp?

Thanks in advance.
Jose
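An added example, not from the original post, of the usual way to reach a UNC share with a different account than the worker process: a LOGON32_LOGON_NEW_CREDENTIALS logon keeps the local identity and applies the supplied account only to outbound network connections, and impersonation is reverted on every path. The share path and account names are constructed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ShareAccess
{
    // Clone the caller's token and use the supplied account for outbound connections only.
    // LogonUser does not check the password for this logon type: a bad one fails on the first SMB request.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;   // required with NEW_CREDENTIALS
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Lists the files on uncPath as domain\user. Impersonation is reverted and the
    // token closed on every path, including when the listing throws.
    public static string[] ListShare(string uncPath, string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Dispose() on the context calls Undo(), so the thread never keeps the identity.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                // Still reports the process account: NEW_CREDENTIALS changes outbound auth only.
                Console.WriteLine("Local identity: " + WindowsIdentity.GetCurrent().Name);
                return Directory.GetFiles(uncPath);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    public static void Main()
    {
        // Constructed placeholders: load a dedicated least-privilege service account from
        // protected configuration rather than embedding it in source.
        string[] files = ListShare(@"\\CLUSTERFS\excel", "DOMAIN", "svc-excel", "<password>");
        Console.WriteLine("{0} file(s) visible", files.Length);
    }
}
```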
 
Joe Kaplan (MVP - ADSI)

You should be able to delegate to the remote resource, but it requires that
your web server can do a Kerberos authentication to the remote resource
(file system in this case). Depending on how your web server is configured
for delegation (whether you can use protocol transition in this case), you
may also need to ensure that you can authenticate the clients to the web
application via Kerberos too.

Do you know if your AD is 2003 or not? Can you do protocol transition (S4U)
and constrained delegation? That changes your options a little bit from the
web server perspective. Also, how is the web server process account
configured for delegation (Kerberos-only or "any protocol")?

The best debugging technique is to enable logon event auditing on both the
web server and the cluster server and find out what kind of authentication
is being performed. You'll see NTLM or Kerberos and other details. It is
especially important that you can authenticate to the backend via Kerberos
if you want to delegate.

Unfortunately, troubleshooting Kerberos authentication and delegation
scenarios can be pretty painful, but it can be done and it does work with
the file system (as well as other services like LDAP, SQL and HTTP).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
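The logon-audit check suggested above, as an added example that is not part of Joe's reply: once logon auditing is enabled on the web server and the cluster node, each successful logon (event 4624, Windows Server 2008 or later is assumed) records the authentication package, so NTLM hops that break the delegation chain stand out. The sample record embedded in Main is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Xml.Linq;

public static class LogonAudit
{
    private static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";
    // Flattens the EventData of a 4624 (successful logon) record into name/value pairs.
    public static Dictionary<string, string> ParseEventData(string xml)
    {
        var data = new Dictionary<string, string>();
        foreach (XElement e in XDocument.Parse(xml).Descendants(Ns + "Data"))
        {
            string name = (string)e.Attribute("Name");
            if (name != null) data[name] = e.Value;
        }
        return data;
    }
    // Account, logon type (3 = network: the share or web hop), package actually used and
    // client address. A delegating hop must show Kerberos; an NTLM logon cannot be forwarded.
    public static string Describe(Dictionary<string, string> d)
    {
        string pkg = d["AuthenticationPackageName"];
        string verdict = pkg == "Kerberos" ? "delegable" : "not delegable (" + pkg + ")";
        return string.Format("{0}\\{1} type={2} from={3}: {4}",
            d["TargetDomainName"], d["TargetUserName"], d["LogonType"], d["IpAddress"], verdict);
    }
    // Walks the local Security log; needs Event Log Readers membership or admin rights.
    public static IEnumerable<string> ScanSecurityLog(int maxEvents)
    {
        var query = new EventLogQuery("Security", PathType.LogName, "*[System[EventID=4624]]");
        using (var reader = new EventLogReader(query))
        {
            EventRecord rec;
            for (int n = 0; n < maxEvents && (rec = reader.ReadEvent()) != null; n++)
                using (rec) yield return Describe(ParseEventData(rec.ToXml()));
        }
    }
    public static void Main()
    {
        // Constructed sample record, trimmed to the fields Describe uses, so the parser runs offline.
        const string sample = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
            "<EventData><Data Name='TargetUserName'>user1</Data><Data Name='TargetDomainName'>DOMAIN</Data>" +
            "<Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data>" +
            "<Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>";
        Console.WriteLine(Describe(ParseEventData(sample)));
        foreach (string line in ScanSecurityLog(200)) Console.WriteLine(line);
    }
}
```

Run it on both the web server and the cluster node: the web server should show the end user arriving via Kerberos, and the cluster node should show that same user (not the worker process account) arriving via Kerberos with logon type 3.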
