Re: Access File Share from ASP.NET using Unmanaged Code

From: Mark Duregon (msdnonline_at_aspect.com.au)
Date: 07/14/04


Date: Tue, 13 Jul 2004 22:26:01 -0700

Thanks, but I did mention that I am using Windows 2000 and 1.0 of the framework.

"Joe Kaplan (MVP - ADSI)" wrote:

> How are you calling the script files in this app? Are you using the Process
> class? In that case, you need to be aware that it will start the new
> process with the current process' token, not the impersonation token. Since
> it would appear that you have a primary token, you could get around this by
> calling CreateProcessWithTokenW instead.
>
> If that isn't how you are calling the scripts, then how are you doing it?
>
> Joe K.
>
> "Mark Duregon" <msdnonline@aspect.com.au> wrote in message
> news:5A1E8402-3951-4673-B370-DBB71E5C85CA@microsoft.com...
> > Hi,
> >
> > We have an application that requires appropriate users to run command
> > files on an ad hoc basis. We have implemented a library that uses the
> > following code:
> >
> > using System;
> > using System.Runtime.InteropServices;
> > using System.Security.Principal;
> > using System.Security.Permissions;
> >
> > namespace SAMIS.Porteco.Utilities
> > {
> >     public enum LogonType : int
> >     {
> >         LOGON32_LOGON_INTERACTIVE = 2,
> >         LOGON32_LOGON_NETWORK = 3,
> >         LOGON32_LOGON_BATCH = 4,
> >         LOGON32_LOGON_SERVICE = 5,
> >         LOGON32_LOGON_UNLOCK = 7,
> >         LOGON32_LOGON_NETWORK_CLEARTEXT = 8, // Only for Win2K or higher
> >         LOGON32_LOGON_NEW_CREDENTIALS = 9    // Only for Win2K or higher
> >     };
> >
> >     public enum LogonProvider : int
> >     {
> >         LOGON32_PROVIDER_DEFAULT = 0,
> >         LOGON32_PROVIDER_WINNT35 = 1,
> >         LOGON32_PROVIDER_WINNT40 = 2,
> >         LOGON32_PROVIDER_WINNT50 = 3
> >     };
> >
> >     class SecuUtil32
> >     {
> >         [DllImport("advapi32.dll", SetLastError=true)]
> >         public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
> >             int dwLogonType, int dwLogonProvider, ref IntPtr TokenHandle);
> >
> >         [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
> >         public extern static bool CloseHandle(IntPtr handle);
> >
> >         [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
> >         public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
> >             int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
> >     }
> >
> >     /// <summary>
> >     /// Summary description for NetworkSecurity.
> >     /// </summary>
> >     public class NetworkSecurity
> >     {
> >         private NetworkSecurity() {}
> >
> >         public static WindowsImpersonationContext ImpersonateUser(string domain, string login, string password,
> >             LogonType logonType, LogonProvider logonProvider)
> >         {
> >             IntPtr tokenHandle = new IntPtr(0);
> >             IntPtr dupeTokenHandle = new IntPtr(0);
> >             try
> >             {
> >                 const int SecurityImpersonation = 2;
> >
> >                 tokenHandle = IntPtr.Zero;
> >                 dupeTokenHandle = IntPtr.Zero;
> >
> >                 //
> >                 // Call LogonUser to obtain a handle to an access token.
> >                 //
> >                 bool returnValue = SecuUtil32.LogonUser(login, domain, password, (int)logonType,
> >                     (int)logonProvider, ref tokenHandle);
> >
> >                 if (false == returnValue)
> >                 {
> >                     int ret = Marshal.GetLastWin32Error();
> >                     string strErr = String.Format("LogonUser failed with error code : {0}", ret);
> >                     throw new ApplicationException(strErr, null);
> >                 }
> >
> >                 bool retVal = SecuUtil32.DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
> >
> >                 if (false == retVal)
> >                 {
> >                     SecuUtil32.CloseHandle(tokenHandle);
> >                     throw new ApplicationException("Failed to duplicate token", null);
> >                 }
> >
> >                 // Only the duplicate is used from here on; release the original LogonUser handle.
> >                 SecuUtil32.CloseHandle(tokenHandle);
> >
> >                 //
> >                 // The token that is passed to the following constructor must
> >                 // be a primary token in order to use it for impersonation.
> >                 //
> >                 WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
> >                 WindowsImpersonationContext impersonatedUser = newId.Impersonate();
> >
> >                 return impersonatedUser;
> >             }
> >             catch (Exception ex)
> >             {
> >                 throw new ApplicationException(ex.Message, ex);
> >             }
> >         }
> >     }
> > }
> >
> > The problem we are having is that while network resources are not
> > restricted entirely, because the batch files are able to run SQL scripts
> > against the Oracle database, FTP etc., the user cannot access a network
> > share either by UNC path or by trying to map a drive as part of the script.
> > This problem only occurs when trying to run the script in this fashion, as it
> > works when run manually through a command prompt, which is expected, and also
> > on a scheduled basis by the Windows Scheduler.
> >
> > Is there a permission I need to request/grant on the assembly and if so
> > which assembly (the library/web or both)? I have tried granting full trust
> > to the assemblies without success.
> >
> > Alternatively, is there a way to run a defined task from the scheduler? I
> > read the documentation (all 2 lines of it) for the scheduler and did not get
> > the impression that it is possible.
> >
> > Regards,
> > Mark.
> >
> > P.S. I cannot give you an exception or error messages that occur when I
> > try to run the task from the web application, because as soon as I try to
> > access a network resource using the page I have created it simply
> > hangs/times out, but works perfectly when dealing with only local file
> > resources. FYI all command files are on the local machine but need to
> > access network shares to ctp then delete files.
> >
> > Platform: Windows 2000 Server w/ 1.0 Framework
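Joe's point is that Process.Start gives the child the worker process token, not the thread's impersonation token, so a command file started that way never carries the logged-on user's network credentials. The following is an added example, not code from the thread or from the SAMIS library, showing the Windows 2000 / .NET 1.0 route (CreateProcessWithTokenW is not available there): hand the primary token that the posted LogonUser wrapper obtains to CreateProcessAsUser. The class and method names are my own assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
// Added example, not from the thread: run a command file under LogonUser's primary token rather than the worker process token Process.Start uses.
public class TokenProcessLauncher
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName,
        StringBuilder lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, int dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern int WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetExitCodeProcess(IntPtr hProcess, out int lpExitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    const int CREATE_NO_WINDOW = 0x08000000, WAIT_TIMEOUT = 0x102;
    // Runs "cmd.exe /c <commandFile>" as the token's user and returns its exit code. The caller needs
    // SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege (the Windows 2000 ASPNET account does not
    // hold them) and the token's user needs access to the caller's window station and desktop.
    public static int RunAsToken(IntPtr primaryToken, string commandFile, int timeoutMs)
    {
        STARTUPINFO si = new STARTUPINFO();
        si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        // CreateProcess may write into the command line buffer, so pass a mutable StringBuilder.
        StringBuilder cmdLine = new StringBuilder("cmd.exe /c \"" + commandFile + "\"");
        if (!CreateProcessAsUser(primaryToken, null, cmdLine, IntPtr.Zero, IntPtr.Zero, false,
                CREATE_NO_WINDOW, IntPtr.Zero, null, ref si, out pi))
            throw new ApplicationException("CreateProcessAsUser failed, error " + Marshal.GetLastWin32Error());
        try
        {
            if (WaitForSingleObject(pi.hProcess, timeoutMs) == WAIT_TIMEOUT) // bounded wait, not an open-ended hang
                throw new ApplicationException("Command file did not finish within " + timeoutMs + " ms");
            int exitCode; GetExitCodeProcess(pi.hProcess, out exitCode);
            return exitCode;
        }
        finally { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    }
}
```

Call RunAsToken with the handle LogonUser filled in, before it is closed, and keep the impersonation context for the page's own file access; the child gets its own copy of the token and does not depend on the calling thread.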