jose.cortijo
Hi,
I have an asp.net app and in one aspx I need to read and write in a
shared directory in a cluster.
My code is the following:
    log.Debug("I am...." + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    DirectoryInfo raiz = new DirectoryInfo(ruta_Excel);
    FileInfo[] archivos = raiz.GetFiles();
I set the delegation for the users and servers and modified web.config, but
what can I do to access the cluster shared directory?
After reading tons of documentation:
How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/kb/810572/
Authentication delegation through Kerberos does not work in
load-balanced architectures
http://support.microsoft.com/kb/325608/
Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272/en-us
.....
Is it impossible to do it? I read the workaround of accessing via the
fully qualified domain name (FQDN), but my system admin doesn't allow me
to do it.
I tried to impersonate by code with new credentials using the following
code:
    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    // Not used below; compiling it requires the /unsafe switch.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private unsafe static extern int FormatMessage(int dwFlags, ref IntPtr lpSource,
        int dwMessageId, int dwLanguageId, ref String lpBuffer, int nSize, IntPtr* Arguments);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
        int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

    private static WindowsImpersonationContext impersonatedUser;
    private static IntPtr tokenHandle;      // primary token from LogonUser
    private static IntPtr dupeTokenHandle;  // impersonation token from DuplicateToken

    private static int iDesImpersonar()
    {
        // Stop impersonating the user.
        if (impersonatedUser != null)
            impersonatedUser.Undo();
        // Free the tokens.
        if (dupeTokenHandle != IntPtr.Zero)
            CloseHandle(dupeTokenHandle);
        if (tokenHandle != IntPtr.Zero)
            CloseHandle(tokenHandle);
        return 1;
    }

    private static int iImpersonar(string psUsuario, string psPassword)
    {
        try
        {
            // psUsuario has the form DOMAIN\user.
            string domainName = psUsuario.Split('\\')[0];
            string userName = psUsuario.Split('\\')[1];
            const int LOGON32_PROVIDER_DEFAULT = 0;
            // This logon type causes LogonUser to create a primary token.
            const int LOGON32_LOGON_INTERACTIVE = 2;
            // SECURITY_IMPERSONATION_LEVEL value for SecurityImpersonation.
            const int SECURITY_IMPERSONATION = 2;
            tokenHandle = IntPtr.Zero;
            dupeTokenHandle = IntPtr.Zero;
            // Call LogonUser to obtain a handle to an access token.
            bool returnValue = LogonUser(userName, domainName, psPassword,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle);
            if (false == returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                Console.WriteLine("LogonUser failed with error code : {0}", ret);
                throw new System.ComponentModel.Win32Exception(ret);
            }
            // Impersonation needs an impersonation token, so duplicate the primary one.
            if (!DuplicateToken(tokenHandle, SECURITY_IMPERSONATION, ref dupeTokenHandle))
            {
                int ret = Marshal.GetLastWin32Error();
                CloseHandle(tokenHandle);
                tokenHandle = IntPtr.Zero;
                throw new System.ComponentModel.Win32Exception(ret);
            }
            // Use the duplicated token to impersonate.
            WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
            impersonatedUser = newId.Impersonate();
            return 1;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception occurred. " + ex.Message);
            return 0;
        }
    }
but now when I execute
    iImpersonar(@"DOMAIN\user1", "jdf0tj07");
I get an access error executing
    log.Debug("I am...." + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
It looks like I don't have enough rights to execute WindowsIdentity...
What can I do to set some credentials to access the shared resource
in the cluster and afterwards continue with my impersonation/delegation
webapp?
Thanks in advance.
Jose
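One way to reach the share with an explicit account while sidestepping the Kerberos double-hop problem the KB articles describe, as an added example that is not the poster's code: it logs on with LOGON32_LOGON_NEW_CREDENTIALS, which leaves the local identity untouched and only presents the supplied credentials on outbound network connections, duplicates the token before impersonating, and reverts on Dispose. The class name, the service account and the UNC path are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not from the original post): scoped impersonation of
// explicit credentials for network access only, reverted when disposed.
public sealed class NetworkCredentialScope : IDisposable
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // local identity unchanged, new creds for remote calls
    const int LOGON32_PROVIDER_WINNT50 = 3;      // required provider for NEW_CREDENTIALS
    const int SECURITY_IMPERSONATION = 2;        // SECURITY_IMPERSONATION_LEVEL value

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int level, out IntPtr dupToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    IntPtr primary = IntPtr.Zero, dup = IntPtr.Zero;
    WindowsImpersonationContext ctx;

    public NetworkCredentialScope(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out primary))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        // Impersonation requires an impersonation token, not the primary token.
        if (!DuplicateToken(primary, SECURITY_IMPERSONATION, out dup))
        {
            int err = Marshal.GetLastWin32Error();
            CloseHandle(primary);
            throw new Win32Exception(err);
        }
        ctx = WindowsIdentity.Impersonate(dup);
    }

    public void Dispose()
    {
        ctx.Undo();                                  // back to the request identity
        if (dup != IntPtr.Zero) CloseHandle(dup);
        if (primary != IntPtr.Zero) CloseHandle(primary);
    }
}

// Constructed usage: only the share access runs under the scope. The password
// should come from a protected config section, never from the aspx source.
// using (new NetworkCredentialScope("DOMAIN", "svc_share", passwordFromConfig))
//     string[] archivos = Directory.GetFiles(@"\\cluster-fs\excel");
```

Under this logon type WindowsIdentity.GetCurrent().Name still reports the original account, so the debug line in the post is not a useful check; verify by listing the share instead. Access then runs as the service account rather than the browser user, so authorization for the Excel files must be enforced in the application itself.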