LogonUser access denied


Lee

I am having problems trying to impersonate a user in ASP.NET.

I get an access denied error on the LogonUser method of the following code:

using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

/// <summary>
/// Wraps advapi32!LogonUser so a page can impersonate a fixed account.
/// </summary>
public class CustomWindowsIdentity : WindowsIdentity
{
    // SetLastError=true makes the runtime capture the Win32 error immediately
    // after the call. Read it back with Marshal.GetLastWin32Error(); a direct
    // P/Invoke of kernel32!GetLastError is unreliable from managed code because
    // the CLR may have made other Win32 calls in between and reset the value.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out IntPtr phToken);

    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 0x8; // the original's 0x8
    private const int LOGON32_PROVIDER_DEFAULT = 0x0;        // the original's 0x0

    public CustomWindowsIdentity(string domain, string username, string password)
        : base(CustomWindowsIdentity.LogonUser(domain, username, password))
    {
    }

    //--------------------------------------------------------------------------
    // Impersonates as the supplied user.
    // Domain must be in standard NT format: e.g. "DOMAIN"
    //--------------------------------------------------------------------------
    public static WindowsImpersonationContext Impersonate(string domain,
        string username, string password)
    {
        IntPtr token = LogonUser(domain, username, password);

        return WindowsIdentity.Impersonate(token);
    }

    private static IntPtr LogonUser(string domain, string username, string password)
    {
        IntPtr token;

        bool loggedOn = LogonUser(username, domain, password,
            LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
            out token);

        if (!loggedOn || token == IntPtr.Zero)
        {
            // Capture the error before anything else can clobber it, and always
            // throw: the original silently returned a null token when the error
            // code happened to be 0.
            int ret = Marshal.GetLastWin32Error();
            WindowsIdentity currentUser = WindowsIdentity.GetCurrent();

            throw new Win32Exception(ret, "DEBUG: " + currentUser.Name);
        }

        // The caller owns this handle and should release it with CloseHandle
        // once the impersonation context has been undone.
        return token;
    }
}

It's worth noting we are using a different user account for IIS anonymous
authentication, so the user that is trying to impersonate is
'DOMAIN\MY_READER'.
This same code block works on the production environment, so my thinking is
that it's a permission or setting missing for the specific user on the staging
server? I've even tried having IIS use an administrator account for anonymous
access but get the same error?
Any help, clues or pointers would be great.

many thanks
 

Joe Kaplan (MVP - ADSI)

This would probably be the appropriate forum for this question, yes.

Can you show the exact exception and stack trace?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Lee said:
Is this the right forum for this question?


Lee

Thanks Joe, the exception and stack trace are as follows.

Exception Details: System.ComponentModel.Win32Exception: Access is denied

Stack Trace:

[Win32Exception (0x80004005): Access is denied]
UW.DirectoryServices.CustomWindowsIdentity.LogonUser(String domain,
String username, String password)
UW.DirectoryServices.CustomWindowsIdentity.Impersonate(String domain,
String username, String password)
UW.DirectoryServices.ADSAdmin.Load()
UW.DirectoryServices.ADSAdmin.LoadDirectory(String domain, String
organizationalunit, String loginUsername, String loginPassword)
UW.DirectoryServices.ADSAdmin..ctor(String domain, String
organizationalunit, String loginUsername, String loginPassword)
Project.Web.Common.Template.ValidateUsers.GetADSAdmin()
Project.Web.Common.Template.ValidateUsers.GetADUsers()
Project.Web.Common.Template.ValidateUsers.GetDBUsersNotMatched()
Project.Web.Common.Template.ValidateUsers.ShowDBUsersNotMatched()
Project.Web.Common.Template.ValidateUsers.Page_Load(Object sender,
EventArgs e)
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Control.LoadRecursive() +98
System.Web.UI.Control.LoadRecursive() +98
System.Web.UI.Control.LoadRecursive() +98
System.Web.UI.Page.ProcessRequestMain() +739


Joe Kaplan

I agree with Dominick's reply, but the thing is that you usually get an
error indicating that a required privilege was not held by the client, not
the straight access denied. I've not actually seen that particular problem.

I'm not sure what the deal is here.

Is the OS Win2K?

Joe K.


Lee

Thanks for your time guys, yes, to confirm, the OS is W2K.

Dominick Baier said:
Hi,

which OS are you using? On W2K you need SYSTEM privileges to call LogonUser...

dominick
www.leastprivilege.com

Joe Kaplan

I'd expect to see a different error returned than what you are getting
(maybe there is some little coding difference), but the bottom line is that
you must either be running as SYSTEM or have the process account have the
"act as part of the operating system" OS privilege to call LogonUser on
Win2K.

Joe K.


Lee

Hi Joe,
Just checking the code I posted and noticed a slight difference. I modified
the code so it would output the user name in the error message:

throw new Win32Exception(ret,"DEBUG: " + currentUser.Name.ToString());

I've looked at the Local Security Policy and the account has the "act as part of
the operating system" privilege? So when this didn't work I thought I'd
temporarily set 'Everyone' to have this privilege but still got the access
denied error. Any suggestions on how to troubleshoot this?


Joe Kaplan

It sounds like that isn't the problem. That makes some sense, as normally
when that is the problem, GetLastError returns something like "a required
privilege is not held by the client".

I just checked the docs and it says that under Win2K, the ID must have the
SE_CHANGE_NOTIFY_NAME (bypass traverse checking) privilege as well, or you
will get the Access Denied, so I'd try that next.

DO NOT leave act as part of the operating system set to everyone. It is a
very dangerous privilege! There is a reason that not even administrators
have it by default.

Joe K.

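The two user rights Joe names above (nobody unintended holding "act as part of the operating system", and the process account holding "bypass traverse checking") can be audited from the machine's local security policy. This is an added example, not code from the thread or from Joe; it assumes an elevated Windows PowerShell session with secedit.exe available, and 'DOMAIN\MY_READER' is the thread's placeholder account, not a real name.

```powershell
# Added example: audit SeTcbPrivilege and SeChangeNotifyPrivilege on this host.
# Assumes an elevated session (secedit /export needs it) and Windows PowerShell 5.1+.
param(
    # The IIS process / anonymous account to check; placeholder from the thread.
    [string]$Account = 'DOMAIN\MY_READER'
)

# SeTcbPrivilege          = "Act as part of the operating system" (SE_TCB_NAME)
# SeChangeNotifyPrivilege = "Bypass traverse checking"            (SE_CHANGE_NOTIFY_NAME)
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone

function Resolve-SidName {
    param([string]$Sid)
    # Translate a SID string to DOMAIN\Name; fall back to the raw SID for orphaned entries.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Export-UserRights {
    # Returns a hashtable: privilege constant -> array of account names holding it.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit /export failed; run from an elevated prompt.' }
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            # Only the [Privilege Rights] section carries user-rights assignments.
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            $list = $Matches[2]
            # Entries are comma-separated SIDs prefixed with '*' (occasionally plain names).
            $holders = foreach ($entry in $list.Split(',')) {
                $e = $entry.Trim()
                if ($e.StartsWith('*')) { Resolve-SidName $e.Substring(1) } else { $e }
            }
            $rights[$name] = @($holders)
        }
        return $rights
    } finally {
        Remove-Item $inf -Force -ErrorAction SilentlyContinue
    }
}

$rights = Export-UserRights
# A privilege granted to nobody has no line in the export, so filter out $null.
$tcb    = @($rights['SeTcbPrivilege']          | Where-Object { $_ })
$notify = @($rights['SeChangeNotifyPrivilege'] | Where-Object { $_ })

Write-Host "SeTcbPrivilege holders:          $($tcb -join ', ')"
Write-Host "SeChangeNotifyPrivilege holders: $($notify -join ', ')"

# Finding 1: a temporary grant to Everyone, as tried in the thread, must not survive.
# By default no account holds SeTcbPrivilege, so any holder deserves a second look.
if ($tcb -contains (Resolve-SidName $EveryoneSid)) {
    Write-Warning 'SeTcbPrivilege is granted to Everyone. Remove it via secpol.msc or secedit /configure.'
}
if ($tcb.Count -gt 0) {
    Write-Warning "Accounts holding SeTcbPrivilege: $($tcb -join ', ')"
}

# Finding 2: on Win2K the process account needs SeChangeNotifyPrivilege or LogonUser
# fails with ERROR_ACCESS_DENIED. Only direct grants are visible here; group
# membership is not expanded, so confirm from inside the process with 'whoami /priv'.
if ($notify -contains $Account) {
    Write-Host "$Account holds SeChangeNotifyPrivilege directly."
} else {
    Write-Warning "$Account has no direct SeChangeNotifyPrivilege grant (it may still inherit one via Everyone or Users)."
}
```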

Lee

Joe - really appreciate your efforts on this one, I will try the privilege
mentioned next and let you know how it goes. I was investigating the problem
today and managed to get it to work by setting impersonate in the web.config
to false. Although this seemed to get around the problem, I'm apprehensive
about saying the problem is resolved as the web.config on my other server has
impersonate set to true?!

Oh, and no worries, I changed the Everyone setting straight back!

Thanks once again,
Lee
