Re: Yet another permissions thing

From: Willy Denoyette [MVP] (willy.denoyette@pandora.be)
Date: 11/06/02


From: "Willy Denoyette [MVP]" <willy.denoyette@pandora.be>
Date: Wed, 6 Nov 2002 23:25:27 +0100


Not really complicated; the following illustrates how to duplicate a token and use it to handle COM security context issues related to
incompatible apartments.

using System;
using System.ComponentModel;
using System.Threading;
using System.Security.Principal;
using System.Runtime.InteropServices;

class A {
    public IntPtr _Token;

    internal void ThreadFunc() {
        // Run this function on a separate thread using the impersonation token of the caller's thread
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        Console.WriteLine("Thread token {0}", wi.Token);
        WindowsImpersonationContext wic = WindowsIdentity.Impersonate(_Token);
        try {
            // From here until Undo() this thread runs as the impersonated user;
            // create the (STA) COM object and call its methods inside this block.
            wi = WindowsIdentity.GetCurrent();
            Console.WriteLine("Impersonation thread token {0}", wi.Token);
        }
        finally {
            wic.Undo(); // always revert, even if the COM call throws
        }
    }
}

class Tester {
    // SECURITY_IMPERSONATION_LEVEL: 2 = SecurityImpersonation
    const int SecurityImpersonation = 2;

    [DllImport("advapi32", SetLastError = true)]
    static extern bool DuplicateToken(
        IntPtr ExistingTokenHandle,  // handle to the existing access token (primary or impersonation)
        int ImpersonationLevel,      // SECURITY_IMPERSONATION_LEVEL
        ref IntPtr TokenHandle       // receives the new impersonation token handle
    );

    [DllImport("kernel32", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static void Main() {
        A _a = new A();
        IntPtr newToken = IntPtr.Zero;
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        Console.WriteLine("Main token {0}", wi.Token);
        // Call DuplicateToken to create an impersonation token; this is only required if the
        // current thread token is a primary token (i.e. the thread is not already impersonating).
        if (!DuplicateToken(wi.Token, SecurityImpersonation, ref newToken))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");
        try {
            _a._Token = newToken;
            Console.WriteLine("Impersonation token {0}", newToken);
            Thread t1 = new Thread(new ThreadStart(_a.ThreadFunc));
            t1.ApartmentState = ApartmentState.STA; // as a sample create a STA thread (.NET 1.x API; 2.0+ uses SetApartmentState)
            t1.IsBackground = true;
            t1.Start();
            t1.Join();
        }
        finally {
            CloseHandle(newToken); // the duplicate is a separate handle and must be closed
        }
        Console.WriteLine("Main token {0}", wi.Token);
    }
}

Hope this helps.

Willy.

"Trevor Lawrence" <TrevorL@ise.canberra.edu.au> wrote in message news:uAUm8jdhCHA.1232@tkmsftngp09...
> Thanks. Sounds a likely explanation, since the COM DLL was originally built
> in VB6. I can replace the COM object and rewrite the stuff directly as a
> VB.NET class (with some difficulty), but it will end up making direct Win32
> calls. How is a P/Invoke call to a Win32 API affected by threading issues?
>
> The alternative is to use .NET WMI mechanisms to achieve the same result.
> Still plenty of work, but still....
>
> Trevor
>
> "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> news:eBKt3HZhCHA.3708@tkmsftngp08...
> > You are mixing two technologies here - .NET and COM, however, this has
> > some security implications.
> > Your COM component is probably a Single Threaded type, when created from a
> > Multithreaded environment like ASP.NET, your component will be created on a
> > COM managed STA thread, the result is that the component runs in the process
> > security context (aspnet?) not the impersonating thread's context.
> >
> > What you could do is create a new (STA) thread and transfer the
> > impersonation token to the newly created thread before creating the
> > COM object.
> >
> > Willy.
> >
> > "Trevor Lawrence" <TrevorL@ise.canberra.edu.au> wrote in message
> > news:udemrMHhCHA.1652@tkmsftngp09...
> > > I have an ASP.NET app that is required, amongst other things, to create a
> > > folder on another server (i.e. via a UNC path), and then set permissions on
> > > that folder.
> > >
> > > I have the ASP.NET app impersonating an account with permissions to create
> > > the folder and Directory.CreateDirectory works fine. To set the security I
> > > have a small COM DLL that I have used for a few years successfully for this
> > > sort of purpose in other software. However when I call the AddACE method in
> > > this DLL from the aspx page I get an Access Denied error. I can't see why.
> > > It is as if the impersonation that should be applying to the whole aspx page
> > > execution is not applying when I call a method in a COM DLL. That seems
> > > odd. There is no COM+ configuration set up for this COM object. The AddACE
> > > method is being called immediately after the successful create directory
> > > function.
> > >
> > > And yes the inherited permissions on the newly created folder DO allow the
> > > user in question to set permissions on the folder.
> > >
> > > Any clues?
> > >
> > > Trevor Lawrence
> > > University of Canberra
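
The technique Willy describes above (duplicate the request thread's token, hand it to a new STA thread, impersonate there before touching the COM object) as a reusable helper. This is an added example, not code from the original post: the class and method names (StaImpersonation, RunOnStaThreadAsCaller) and the P/Invoke declarations are this example's own, and it assumes .NET Framework 2.0 or later on Windows (Thread.SetApartmentState and the static WindowsIdentity.Impersonate(IntPtr), which do not exist on .NET Core). Compared with the snippet in the post it checks the DuplicateToken result, always reverts the impersonation and closes the duplicated handle, and carries any exception from the STA thread back to the caller instead of silently swallowing it.

```csharp
// Added example, not code from the original post. Assumes .NET Framework 2.0+
// on Windows; names StaImpersonation / RunOnStaThreadAsCaller are this
// example's own.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;

static class StaImpersonation
{
    // SECURITY_IMPERSONATION_LEVEL value 2 = SecurityImpersonation: enough to
    // open local and UNC resources as the user. 3 (SecurityDelegation) would
    // only be needed to forward the identity one more network hop.
    const int SecurityImpersonation = 2;

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool DuplicateToken(IntPtr existingToken, int impersonationLevel, out IntPtr duplicateToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' on a fresh STA thread that impersonates whatever identity the
    // calling thread currently has. In ASP.NET with <identity impersonate="true"/>
    // that is the impersonated user, because WindowsIdentity.GetCurrent() reads
    // the thread token, not the process token. Exceptions thrown by 'work' are
    // rethrown on the caller's thread; the duplicated token is always closed.
    public static void RunOnStaThreadAsCaller(ThreadStart work)
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        IntPtr dup;
        // Duplicate rather than share the handle: the new thread needs its own
        // impersonation-type token, and the original stays owned by the caller.
        if (!DuplicateToken(caller.Token, SecurityImpersonation, out dup))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateToken failed");
        GC.KeepAlive(caller); // keep the source handle alive until the duplicate exists

        Exception failure = null;
        Thread t = new Thread(delegate()
        {
            WindowsImpersonationContext ctx = null;
            try
            {
                ctx = WindowsIdentity.Impersonate(dup); // this thread's token := dup
                work();                                 // create/call the COM object here
            }
            catch (Exception e) { failure = e; }
            finally { if (ctx != null) ctx.Undo(); }    // never leave the thread impersonating
        });
        t.SetApartmentState(ApartmentState.STA);        // must be set before Start()
        try
        {
            t.Start();
            t.Join();
        }
        finally
        {
            CloseHandle(dup);                           // no handle leak on any path
        }
        if (failure != null)
            throw new InvalidOperationException("Work on the STA thread failed", failure);
    }

    static void Main()
    {
        Console.WriteLine("Caller: {0} ({1})", WindowsIdentity.GetCurrent().Name,
                          Thread.CurrentThread.GetApartmentState());
        RunOnStaThreadAsCaller(delegate()
        {
            // In the ASP.NET scenario from this thread, the COM object would be
            // created and its method called here, so it sees the impersonated
            // user instead of the worker process account.
            Console.WriteLine("STA thread: {0} ({1})", WindowsIdentity.GetCurrent().Name,
                              Thread.CurrentThread.GetApartmentState());
        });
    }
}
```

Run as a plain console application both lines print the same account, since the caller is not impersonating; the point of the helper shows when the calling thread is already impersonating (an ASP.NET request thread, or code inside a WindowsIdentity.Impersonate block), where the STA thread would otherwise report the process identity. On .NET Core / .NET 5+ the static Impersonate method is gone and WindowsIdentity.RunImpersonated(SafeAccessTokenHandle, Action) is the replacement, with the same need to create the STA thread inside the impersonated callback.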


