Impersonate at runtime

Anand

Hi,

I want to move my files from web servers to a shared
folder on the database server. For this I impersonate the
aspnet user to common domainuser and gave write
permissions for that user on the folder on the database
server.

During run time it impersonates to the domainuser but it
throws an error
"System.UnauthorizedAccessException: Access to the
path "\\DBServer\Files\Test3.xls" is denied"

The code I wrote is
File.Move("C:\\Inetpub\\wwwroot\\CoradPhase2\\Files\\Test3.xls",
          "\\\\DBServer\\Files\\Test3.xls");

It works fine if I write the identity tag on the web config.
Any help is good and Thanks

Thanks
Anand
 
Geof Nieboer

I'm having some similar issues, and perhaps can help a
bit...

Impersonation is used to impersonate a client on -that-
machine, in ASP.NET the web server.
I.E. If User is logged on Computer A, and accessing a web
site and other resources on B using his credentials, that
is impersonation.

However, if logged on to A, accessing B, and -then- you
want to have B send those same credentials on to a
resource on computer C (your shared drive), then that is
called "Delegation". From your description, it sounds
like that is your scenario.

There are a number of requirements for Delegation,
primarily the use of Windows Authentication, and marking
the accounts/computers (depending on setup) as 'Trusted
for Delegation' within Active Directory. You also have to
use Kerberos authentication, which is only compatible with
certain browsers/OS's.

My problem is that I can't get Kerberos to work.

In this case, I appear to have 2 options. 1 is to use
Basic Authentication. This sends the password in clear
text, and (I'm oversimplifying, so I apologize to the
experts) effectively just reusing the same username and
password. So as I've recently learned, that's not true
delegation, but the end result is the same, but with less
security in the logon method.

Another option is to create a domain account that's a
member of IIS_WPG (on W2003 at least), and have IIS run
under that account. Then when you need to access those
resources, you can call "RevertToUser" using an API (less
difficult than it may sound) and use those credentials
(which don't have to be delegated since that account is
actually logged on to Computer B) to save the file, and
then start impersonating again.

Hopefully though, you'll have more luck than I getting
Kerberos to work. That certainly is the preferred
solution. Do a search on setting up Delegation with
Kerberos and I think you'll find some helpful resources.
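
An added example, not part of either post: one managed way (.NET Framework) to do the temporary revert described in the reply above, dropping impersonation for the file move and then restoring it. It assumes the worker process runs as a domain account that has write permission on the share; the class and method names are hypothetical, and the paths are the ones from the question.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Hypothetical helper for illustration; not code from the thread.
public static class SharedFolderMover
{
    private const string LocalDir  = @"C:\Inetpub\wwwroot\CoradPhase2\Files";
    private const string RemoteDir = @"\\DBServer\Files";

    // Accept a bare file name only, so a caller-supplied value cannot steer
    // a write made under the process account to somewhere outside the share.
    public static string BuildTarget(string fileName)
    {
        if (string.IsNullOrEmpty(fileName) ||
            fileName == "." || fileName == ".." ||
            fileName != Path.GetFileName(fileName) ||
            fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new ArgumentException("Expected a bare file name.", "fileName");
        }
        return Path.Combine(RemoteDir, fileName);
    }

    public static void MoveToShare(string fileName)
    {
        string target = BuildTarget(fileName);
        string source = Path.Combine(LocalDir, fileName);

        // Passing IntPtr.Zero removes the impersonation token from this
        // thread, so the code below runs as the worker-process account
        // (assumption: a domain account with write access to RemoteDir).
        WindowsImpersonationContext reverted =
            WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // Keep this section as small as possible: everything in it runs
            // with the process account's rights, not the caller's.
            File.Move(source, target);
        }
        finally
        {
            // Put the previously impersonated identity back on the thread.
            reverted.Undo();
        }
    }
}
```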
 
