Access denied: delegation scenario accessing a shared resource in a cluster

Discussion in 'ASP .Net Security' started by jose.cortijo, Aug 11, 2006.

  1. jose.cortijo (Guest)

    I have an app, and in one aspx I need to read and write in a
    shared directory in a cluster.
    My code is the following:

    // The post's log.Debug line is cut off after the "+"; the argument is completed
    // here from the description further down, which says the failure is in WindowsIdentity.
    log.Debug("I am...." + WindowsIdentity.GetCurrent().Name);
    DirectoryInfo raiz = new DirectoryInfo(ruta_Excel);
    FileInfo[] archivos = raiz.GetFiles();

    I set delegation for the users and servers and modified web.config, but
    what can I do to access the cluster shared directory?

    After reading tons of documentation:

    How to configure an ASP.NET application for a delegation scenario
    Authentication delegation through Kerberos does not work in
    load-balanced architectures
    Kerberos authentication and troubleshooting delegation issues

    Is it impossible to do it? I read the workaround of accessing the
    fully qualified domain name (FQDN), but my system admin doesn't allow me
    to do it.

    I tried to impersonate by code with new credentials using the following:

    // P/Invoke declarations (same set as the MSDN WindowsIdentity.Impersonate sample).
    // Needs: using System.Runtime.InteropServices; using System.Security.Principal;
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword, int dwLogonType, int dwLogonProvider,
        ref IntPtr phToken);

    // Not used below; kept from the sample. Requires compiling with /unsafe.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private unsafe static extern int FormatMessage(int dwFlags, ref IntPtr lpSource,
        int dwMessageId, int dwLanguageId, ref String lpBuffer, int nSize,
        IntPtr* Arguments);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    // Not used below; kept from the sample.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
        int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

    private static WindowsImpersonationContext impersonatedUser;
    private static IntPtr tokenHandle;

    private static int iDesImpersonar()
    {
        // Stop impersonating the user.
        if (impersonatedUser != null)
        {
            impersonatedUser.Undo();
            impersonatedUser = null;
        }

        // Free the token.
        if (tokenHandle != IntPtr.Zero)
        {
            CloseHandle(tokenHandle);
            tokenHandle = IntPtr.Zero;
        }
        return 1;
    }

    private static int iImpersonar(string psUsuario, string psPassword)
    {
        try
        {
            // psUsuario is expected as DOMINIO\usuario; without a domain part,
            // "." means the local machine's account database.
            string userName, domainName;
            string[] partes = psUsuario.Split('\\');
            if (partes.Length == 2)
            {
                domainName = partes[0];
                userName = partes[1];
            }
            else
            {
                domainName = ".";
                userName = psUsuario;
            }

            const int LOGON32_PROVIDER_DEFAULT = 0;
            // An interactive logon returns a primary token, but the account must
            // hold the "Log on locally" right on the web server. For a remote share
            // only, LOGON32_LOGON_NEW_CREDENTIALS (9) with LOGON32_PROVIDER_WINNT50 (3)
            // keeps the local identity and uses the supplied credentials just for
            // network connections.
            const int LOGON32_LOGON_INTERACTIVE = 2;

            tokenHandle = IntPtr.Zero;

            // Call LogonUser to obtain a handle to an access token.
            bool returnValue = LogonUser(userName, domainName, psPassword,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                ref tokenHandle);

            if (false == returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                Console.WriteLine("LogonUser failed with error code : {0}", ret);
                throw new System.ComponentModel.Win32Exception(ret);
            }

            // Use the token handle returned by LogonUser.
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            impersonatedUser = newId.Impersonate();

            return 1;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception occurred. " + ex.Message);
            return 0;
        }
    }

    But now when I execute it, I get an access error executing

    log.Debug("I am...." +

    It shows like I don't have enough rights to execute WindowsIdentity...

    What can I do to set some credentials to access the shared resource
    in the cluster and afterwards continue with my impersonation/delegation?

    Thanks in advance.
    jose.cortijo, Aug 11, 2006

  2. You should be able to delegate to the remote resource, but it requires that
    your web server can do a Kerberos authentication to the remote resource
    (file system in this case). Depending on how your web server is configured
    for delegation (whether you can use protocol transition in this case), you
    may also need to ensure that you can authenticate the clients to the web
    application via Kerberos too.

    Do you know if your AD is 2003 or not? Can you do protocol transition (S4U)
    and constrained delegation? That changes your options a little bit from the
    web server perspective. Also, how is the web server process account
    configured for delegation (Kerberos-only or "any protocol")?

    The best debugging technique is to enable logon event auditing on both the
    web server and the cluster server and find out what kind of authentication
    is being performed. You'll see NTLM or Kerberos and other details. It is
    especially important that you can authenticate to the backend via Kerberos
    if you want to delegate.

    Unfortunately, troubleshooting Kerberos authentication and delegation
    scenarios can be pretty painful, but it can be done, and it does work with
    the file system (as well as other services like LDAP, SQL and HTTP).

    Joe K.

    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    Joe Kaplan (MVP - ADSI), Aug 12, 2006
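Added here as a worked example (it is not part of the thread and not Joe's or Microsoft's code), a PowerShell script that performs the two checks the reply above asks about: how the web server process account is configured for delegation in AD (unconstrained, constrained Kerberos-only, or constrained "any protocol"), read through ADSI, and whether logons arriving on the cluster node from that account are Kerberos or NTLM, parsed from the successful-logon audit events Joe suggests enabling. The names CONTOSO\svc-webapp and clusternode1 are placeholders; the script assumes it runs on a domain-joined machine with rights to read the node's Security log, and that success auditing for logon events is on there.

```powershell
# Added example, not from the thread. Two checks that answer Joe's questions:
#   1. how the web server process account is configured for delegation in AD
#      (unconstrained / constrained / "any protocol"), read via ADSI;
#   2. whether logons on the cluster node from that account arrive as Kerberos
#      or NTLM, parsed from successful-logon audit events on that server.
# Account and server names are assumptions; replace them with your own.
param(
    [string]$AppPoolAccount = 'CONTOSO\svc-webapp', # assumed worker-process identity
    [string]$Server         = 'clusternode1',       # assumed node hosting the share
    [int]$Hours             = 2
)

# ---- 1. Delegation settings of the process account (LDAP via ADSI) ----------
$sam = $AppPoolAccount.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'))
$r = $searcher.FindOne()
if (-not $r) { throw "Account '$sam' not found in the current domain" }

$uac = [int]$r.Properties['useraccountcontrol'][0]
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained, Kerberos only
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any protocol")
$allowedTo = @($r.Properties['msds-allowedtodelegateto'])
$spns      = @($r.Properties['serviceprincipalname'])

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $mode = 'Unconstrained (Kerberos only)'
} elseif ($allowedTo.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    $mode = 'Constrained, any protocol (S4U2Self + S4U2Proxy)'
} elseif ($allowedTo.Count -gt 0) {
    $mode = 'Constrained, Kerberos only (S4U2Proxy)'
} else {
    $mode = 'Not trusted for delegation'
}

"Account         : $sam"
"Delegation mode : $mode"
"Allowed targets : $($allowedTo -join ', ')"   # a file share needs cifs/<host FQDN> here
"SPNs on account : $($spns -join ', ')"        # HTTP/<web host> must be here or on the machine account

# ---- 2. Kerberos or NTLM on the cluster node? --------------------------------
# Needs "Audit logon events: Success" on $Server. 540/528 are the Windows 2003
# success IDs, 4624 the Vista/2008+ one; all carry "Authentication Package:".
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Security -ComputerName $Server -After $since `
                       -InstanceId 4624, 540, 528 -ErrorAction Stop
$rows = foreach ($e in $events) {
    $m = $e.Message
    $pkg = if ($m -match 'Authentication Package:\s+(\S+)') { $Matches[1] } else { '?' }
    $typ = if ($m -match 'Logon Type:\s+(\d+)') { $Matches[1] } else { '?' }
    # 4624 lists two "Account Name:" fields (subject, then new logon); 540 says "User Name:".
    $names = [regex]::Matches($m, '(?:Account|User) Name:\s+(\S+)')
    $acct  = if ($names.Count -gt 0) { $names[$names.Count - 1].Groups[1].Value } else { '?' }
    New-Object PSObject -Property @{ Account = $acct; Package = $pkg; LogonType = $typ }
}

$rows | Group-Object Account, Package, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$ntlm = @($rows | Where-Object { $_.Account -ieq $sam -and $_.Package -eq 'NTLM' })
if ($ntlm.Count -gt 0) {
    "WARNING: $($ntlm.Count) NTLM logon(s) from $sam on $Server in the last $Hours h."
    "Delegation needs Kerberos end to end; check the SPNs above and that the client"
    "reaches the web app by a name covered by an HTTP/ SPN."
}
```

If the second section shows the web server's account arriving as NTLM, the token the web app holds cannot be forwarded regardless of how the delegation flags are set; the usual causes are a missing or duplicated SPN for the name the client actually uses, or the backend being reached by a name (such as a load-balanced or cluster alias) that carries no SPN.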
