Re: Impersonation in ASP.net
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/10/04
- In reply to: Bunty: "Re: Impersonation in ASP.net"
Date: Fri, 10 Dec 2004 15:53:51 -0600
No, the message below was in regards to a discussion about launching an
external process from within ASP.NET under a different security context than
the worker process account.
I think what you are trying to do is impersonation in order to use the current
security context to do something to a file on a remote drive. I'm not a
super expert on this, but typically, these issues have to do with double hop
problems that are fixed by implementing Kerberos delegation.
The problem is usually that you impersonate the logged on user, but because
you used Windows Integrated Auth in IIS, the token created for that user is
an impersonation token and it cannot "hop" to a different machine. As a
result, the caller on the remote machine is actually the anonymous user, not
the user in question. You can verify that by turning on object access
auditing in the remote machine's local security policy and setting the SACL
on the file to allow audits.
Joe K.
"Bunty" <Bunty@discussions.microsoft.com> wrote in message
news:1E60121C-9541-4A37-9303-532B915B3246@microsoft.com...
> Joe,
>
> I came across this message in the messageboard.
>
> If I understood it correctly, did you mean that we can not implement
> impersonation in ASP.Net process either?
>
> I am trying to impersonate a windows user in the Asp.Net application for
> copying files from the Remote directory to another remote
> directory
> on the same server. Impersonation seems to be working fine.
>
> But it is raising the exception 'Could not find the file "...."'. I am
> sure
> that the file exists in that folder but still getting the same error.
>
> Here is the complete error message:
>
> Server Error in '/' Application.
>
>
> --------------------------------------------------------------------------------
>
>
> Could not find file "\\remotecomputer\cs\Asset\x.txt".
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about
> the error and where it originated in the code.
>
> Exception Details: System.IO.FileNotFoundException: Could not find file
> "\\remotecomputer\cs\Asset\x.txt".
>
> Source Error:
> An unhandled exception was generated during the execution of the current
> web
> request. Information regarding the origin and location of the exception
> can
> be identified using the exception stack trace below.
>
>
> Stack Trace:
>
>
> [FileNotFoundException: Could not find file
> "\\remotecomputer\cs\Asset\x.txt".]
> System.IO.__Error.WinIOError(Int32 errorCode, String str) +181
> System.IO.File.InternalCopy(String sourceFileName, String destFileName,
> Boolean overwrite) +314
> System.IO.File.Copy(String sourceFileName, String destFileName) +7
> SampleDailies.createclip.CreateFile() in C:\test\filecopy.aspx.vb:159
> SampleDailies.createclip.Page_Load(Object sender, EventArgs e) in
> C:\test\filecopy.aspx.vb:28
> System.Web.UI.Control.OnLoad(EventArgs e) +67
> System.Web.UI.Control.LoadRecursive() +35
> System.Web.UI.Page.ProcessRequestMain() +750
>
>
>
>
>
> --------------------------------------------------------------------------------
>
>
> Version Information: Microsoft .NET Framework Version:1.1.4322.2032;
> ASP.NET
> Version:1.1.4322.2032
>
> Thanks in advance,
> Bunty
>
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Do a search in this group or microsoft.public.dotnet.security with Google
>> for a thread that discussed using WMI to do this.
>>
>> Essentially, you can't use impersonation and the standard .NET Process
>> class
>> to do this as it doesn't pick up the impersonated identity and will always
>> use the process identity. Other people have tried calling
>> CreateProcessWithLogonW or the AsUser or WithTokenW via p/invoke and
>> haven't
>> had much luck either. The WMI approach seems to work very well.
>>
>> You do need the user's plaintext password for this though I'm pretty sure.
>> You definitely need a primary token one way or the other.
>>
>> Best of luck,
>>
>> Joe K.
>>
>> "Hananiel" <hananiel@yahoo.com> wrote in message
>> news:e338e321.0410151204.47822a55@posting.google.com...
>> >I want an asp.net buttonclick_onserver event to run a process as a
>> > given domain user on the server. What is the easiest way to do this.
>> >
>> > For some reason "LogonUser" fails with "Unknown user or password"
>> > LocalMachine/Administrator also failed.
>>
>>
>>
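
The audit check suggested in the reply above, written out as an added PowerShell example that is not part of the original thread. It assumes a file server running Windows Server 2008 or later (event IDs 4624, 4656 and 4663) and uses a hypothetical local folder path for the share; run it elevated on the remote machine.

```powershell
# Added example: run elevated on the file server (the second hop).
# Assumptions: Windows Server 2008+ event IDs; $Path is a hypothetical placeholder.
$Path  = 'D:\cs\Asset'      # hypothetical local folder behind the share
$since = Get-Date

# 1. Enable object-access and logon auditing, success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# 2. Add audit entries to the folder's SACL. Everyone does not include
#    ANONYMOUS LOGON by default, so that principal is audited explicitly.
$acl = Get-Acl -Path $Path -Audit
foreach ($who in 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON') {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $who, 'ReadData', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

Read-Host 'Reproduce the failing web request, then press Enter' | Out-Null

# 3. Show who actually arrived: network logons (4624, type 3) and
#    file handle/access events (4656, 4663) recorded since the script started.
$filter = @{ LogName = 'Security'; Id = 4624, 4656, 4663; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $e = $_
    $d = @{}
    foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$item.Name] = $item.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = if ($e.Id -eq 4624) { $d.TargetUserName } else { $d.SubjectUserName }
        LogonType = $d.LogonType
        Package   = $d.AuthenticationPackageName
        Source    = $d.IpAddress
        Object    = $d.ObjectName
    }
} | Where-Object { $_.Id -ne 4624 -or $_.LogonType -eq '3' } |
    Sort-Object Time | Format-Table -AutoSize

# Reading the result: ANONYMOUS LOGON arriving from the web server's address
# means the impersonated identity did not make the second hop. The end user's
# name with the Kerberos package means delegation is working.
```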