Re: Impersonation headache

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/25/04 

Date: Mon, 25 Oct 2004 09:05:40 -0500

These both sound like double-hop delegation issues. The fact that it works
when you specify specific credentials in your impersonate tag but doesn't
work when you use Window Integrated Authentication (WIA) and try to access
resources on a different machine than the IIS box suggests this. The
impersonation token that WIA creates cannot hop to another machine on the
network (like your file server or AD) unless Kerberos delegation has been
enabled and working.

I'd suggest you read up on that first and then come back here if you can't
get it to work or need a different approach.

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

You'll find even more links with a little searching.

Cheers,

Joe K.

"James Pemberton" <james.pemberton@devro-casings.com> wrote in message
news:eD9ilYpuEHA.2172@TK2MSFTNGP14.phx.gbl...
>I have been fighting with impersonation for quite sometime now and now
>matter what I have tried it just won't work.
>
> I am trying to get information on two items:
>
> 1) I'd like to retrieve a file listing from a directory on our file
> server.
>
> As with most cases I have read about, it works fine on my development PC,
> XP OS, but when ran off of the web server, I receive <error: an exception
> of type: {System.UnauthorizedAccessException} occurred>.
>
> The only way I can get it to work is to set impersonation=true and set the
> username and password as out system administrator. I did try to set the
> user name and password as an AD user we created with full access to the
> directory, but to no avail.
>
> On IIS I have just Integrated Windows Authentication checked.
>
> Web.config is as follows: <identity impersonate="true" />
>
> Code:
> Private Sub LoadFiles()
>
> Dim impersonationContext As WindowsImpersonationContext
>
> Dim currentWindowsIdentity As WindowsIdentity
>
> currentWindowsIdentity = CType(WindowsIdentity.GetCurrent,
> WindowsIdentity)
>
> impersonationContext = currentWindowsIdentity.Impersonate()
>
> Dim dt As DataTable = New DataTable
>
> Dim dr As DataRow
>
> dt.Columns.Add("linkname")
>
> dt.Columns.Add("textname")
>
> Dim di As System.IO.DirectoryInfo
>
> 'Dim DirectoryDefault As String =
> "\\ussfs01\private\Manufacturing\ProductRequest\" & intRequestNbr & "\"
>
> Dim DirectoryDefault As String = "\\ussfs01\ProductRequest\" &
> intRequestNbr & "\"
>
> di = New System.IO.DirectoryInfo(DirectoryDefault)
>
> If di.Exists Then
>
> For Each filename As System.IO.FileInfo In di.GetFiles()
>
> dr = dt.NewRow()
>
> dr("linkname") = DirectoryDefault & filename.Name
>
> dr("textname") = filename.Name
>
> dt.Rows.Add(dr)
>
> Next
>
> Dim dv As DataView = New DataView(dt)
>
> dlAttachments.DataSource = dv
>
> dlAttachments.DataBind()
>
> dlAttachments.Visible = True
>
> End If
>
> impersonationContext.Undo()
>
> End Sub
>
>
> 2) In the same program I have been trying to retrive the users
> fullname, displayname, or given name from our AD. Once again this works
> fine on my Development PC, but on the web server I can't even retrieve
> those attributes.
>
> I have tried the following code to no avail:
>
> Dim userkey As String = WindowsIdentity.GetCurrent.Name.Substring(3)
>
> Dim dse As New DirectoryEntry("LDAP://US")
>
> Dim dsearch As DirectorySearcher = New DirectorySearcher(dse)
>
> dsearch.Filter = "(&(objectclass=user)(cn=" & userkey & "))"
>
> dsearch.PropertiesToLoad.Add("displayname")
>
> Dim sr As SearchResult = dsearch.FindOne
>
> If Not (sr Is Nothing) Then
>
> Dim rp As ResultPropertyCollection = sr.Properties
>
> UserName = rp.Item("displayname").Item(0)
>
> Else
>
> UserName = Nothing
>
> End If
>
> I have tried the following code to no avail:
>
> Any help would be greatly appreciated!
>
> James Pemberton
>
>

Relevant Pages

  • Re: Impersonation headache
    ... > These both sound like double-hop delegation issues. ... > The impersonation token that WIA creates cannot hop to another machine on ... >> Dim impersonationContext As WindowsImpersonationContext ... >> Dim currentWindowsIdentity As WindowsIdentity ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: declarative security and impersonation
    ... all that does is calling IsInRole on Thread.CurrentPrincipal ... you impersonate and AFTER that start a new thread - the impersonation token ... > DirectCast(Thread.CurrentPrincipal.Identity, WindowsIdentity) ... > Dim windowsImpersonationContext As WindowsImpersonationContext = ...
    (microsoft.public.dotnet.security)
  • Re: Impersonation headache
    ... > These both sound like double-hop delegation issues. ... > The impersonation token that WIA creates cannot hop to another machine on ... >> Dim impersonationContext As WindowsImpersonationContext ... >> Dim currentWindowsIdentity As WindowsIdentity ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Prompting for user id/password when using Integrated Security
    ... ' Description: Encapsulates Win32 impersonation API ... (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal ... Private Sub Class_Initialize ... Dim nSuccess As Long ...
    (microsoft.public.data.ado)
  • Re: impersonate user in windows forms
    ... > Public Class Impersonation ... > Public Shared Function LogonUser(lpszUsername As String, lpszDomain As> String, lpszPassword As String, _ ... > 'The Windows NT user token. ... > Dim token1 As Integer ...
    (microsoft.public.dotnet.languages.vb)