Re: Access File Share from ASP.NET using Unmanaged Code

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/14/04


Date: Tue, 13 Jul 2004 23:49:56 -0500

How are you calling the script files in this app? Are you using the Process
class? In that case, you need to be aware that it will start the new
process with the current process' token, not the impersonation token. Since
it would appear that you have a primary token, you could get around this by
calling CreateProcessWithTokenW instead.

If that isn't how you are calling the scripts, then how are you doing it?

Joe K.

"Mark Duregon" <msdnonline@aspect.com.au> wrote in message
news:5A1E8402-3951-4673-B370-DBB71E5C85CA@microsoft.com...
> Hi,
>
> We have an application that requires appropriate users to run command
> files on an ad hoc basis. We have implemented a library that uses the
> following code:
>
> using System;
> using System.Runtime.InteropServices;
> using System.Security.Principal;
> using System.Security.Permissions;
>
> namespace SAMIS.Porteco.Utilities
> {
>     public enum LogonType : int
>     {
>         LOGON32_LOGON_INTERACTIVE = 2,
>         LOGON32_LOGON_NETWORK = 3,
>         LOGON32_LOGON_BATCH = 4,
>         LOGON32_LOGON_SERVICE = 5,
>         LOGON32_LOGON_UNLOCK = 7,
>         LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
>         LOGON32_LOGON_NEW_CREDENTIALS = 9 // Only for Win2K or higher
>     };
>
>     public enum LogonProvider : int
>     {
>         LOGON32_PROVIDER_DEFAULT = 0,
>         LOGON32_PROVIDER_WINNT35 = 1,
>         LOGON32_PROVIDER_WINNT40 = 2,
>         LOGON32_PROVIDER_WINNT50 = 3
>     };
>
>     class SecuUtil32
>     {
>         [DllImport("advapi32.dll", SetLastError=true)]
>         public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
>             int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
>
>         [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
>         public extern static bool CloseHandle(IntPtr handle);
>
>         [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
>         public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
>             int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
>     }
>
>     /// <summary>
>     /// Summary description for NetworkSecurity.
>     /// </summary>
>     public class NetworkSecurity
>     {
>         private NetworkSecurity() {}
>
>         public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
>             LogonType logonType, LogonProvider logonProvider)
>         {
>             IntPtr tokenHandle = new IntPtr(0);
>             IntPtr dupeTokenHandle = new IntPtr(0);
>             try
>             {
>                 const int SecurityImpersonation = 2;
>
>                 tokenHandle = IntPtr.Zero;
>                 dupeTokenHandle = IntPtr.Zero;
>
>                 //
>                 // Call LogonUser to obtain a handle to an access token.
>                 //
>                 bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
>                     (int)logonProvider, ref tokenHandle);
>
>                 if (false == returnValue)
>                 {
>                     int ret = Marshal.GetLastWin32Error();
>                     string strErr = String.Format("LogonUser failed with error code : {0}", ret);
>                     throw new ApplicationException(strErr, null);
>                 }
>
>                 bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
>
>                 if (false == retVal)
>                 {
>                     SecuUtil32.CloseHandle(tokenHandle);
>                     throw new ApplicationException("Failed to duplicate token", null);
>                 }
>
>                 //
>                 // The token that is passed to the following constructor must
>                 // be a primary token in order to use it for impersonation.
>                 //
>                 WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
>                 WindowsImpersonationContext impersonatedUser = newId.Impersonate();
>
>                 return impersonatedUser;
>             }
>             catch (Exception ex)
>             {
>                 throw new ApplicationException(ex.Message, ex);
>             }
>
>             return null;
>         }
>     }
> }
>
> The problem we are having is that while network resources are not
> restricted entirely because the batch files are able to run sql scripts
> against the Oracle database, FTP etc. but the user cannot access a network
> share either by unc path or trying to map a drive as part of the script.
> This problem only occurs when trying to run the script in this fashion as it
> works when run manually through a command prompt which is expected, and also
> on a scheduled basis by the Windows Scheduler.
>
> Is there a permission I need to request/grant on the assembly and if so
> which assembly (the library/web or both)? I have tried granting full trust
> to the assemblies without success.
>
> Alternatively is there a way to run a defined task from the scheduler? I
> read the documentation (all 2 lines of it) for the scheduler and did not get
> the impression that it is possible.
>
> Regards,
> Mark.
>
> P.S. I cannot give you an exception or error messages that occur when I
> try to run the task from the web application, because as soon as I try to
> access a network resource using the page I have created it simply
> hangs/times out but works perfectly when dealing with only local file
> resources. FYI all command files are on the local machine but need to
> access network shares to ctp then delete files.
>
> Platform: Windows 2000 Server w/ 1.0 Framework


