Re: LogonUser from ASP.NET

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/26/05


Date: Wed, 26 Jan 2005 15:36:35 -0600

What error did you get when you tried to impersonate? Was it a
SecurityException or some other type of exception?

If the COM+ component is running as a separate server process, then the
impersonation will happen in the context of that process. It won't affect
what's going on in the ASP.NET process.

Joe K.

"laimis" <simulai@NOSPAMiit.edu> wrote in message
news:eJ18Mo8AFHA.2156@TK2MSFTNGP10.phx.gbl...
> COM+ application is running under the privileged account so that the
> LogonUser could be invoked.
>
> I do call impersonate with the token received.
>
> I was just wondering if the impersonation was done on one thread that COM+
> is running under and the ASP.NET request handling thread was not affected by
> the impersonation since I call impersonate in the COM+ component.
>
> I tried returning the Identity object that was created using the token
> obtained from the LogonUser and then calling Impersonate from ASP.NET app.
> However I would get error message saying that impersonation not allowed and
> that web config should be modified or security setting for the application
> changed. What should I change in the config file to allow ASP.NET app to
> call Impersonate?
>
> Laimis
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:esa6u7yAFHA.3376@TK2MSFTNGP12.phx.gbl...
>> Also, after you call LogonUser, do you take the resulting token and
>> impersonate it?
>>
>> Joe K.
>>
>> "Paul Clement" <UseAdddressAtEndofMessage@swspectrum.com> wrote in message
>> news:05cdv0tr1hbhft9b56vh8eqp5j2d8c7aoe@4ax.com...
>> > On Tue, 25 Jan 2005 10:37:39 -0600, "laimis" <simulai@NOSPAMiit.edu> wrote:
>> >
>> > ¤ Hello everybody,
>> > ¤
>> > ¤ this is rather complicated, but intriguing problem that I have been having.
>> > ¤ What I want to do is: after user connects to my asp.net application, I want
>> > ¤ to elevate the thread's user from ASPNET to let's say administrator so that
>> > ¤ privileged operation could be performed. I don't want to change account
>> > ¤ under which ASP.NET runs. My idea is to impersonate in COM+ app that runs
>> > ¤ under privileged account.
>> > ¤
>> > ¤ Currently here is how I have it implemented.
>> > ¤
>> > ¤ 1. HttpModule intercepts the request for the application.
>> > ¤ 2. Module calls COM+ app that runs with privileged account
>> > ¤ 3. COM+ app calls LogonUser to obtain security handle which later is used in
>> > ¤ creating windows identity and impersonating the identity, thus receiving
>> > ¤ context.
>> > ¤ 4. Context is returned to the module
>> > ¤ 5. Module uses it to assign to the current context of the executing thread
>> > ¤
>> > ¤ All of the steps work just fine. I call LogonUser, I can see in the security
>> > ¤ log the successful audit event. However, the context assigned doesn't make a
>> > ¤ difference to the running thread and the thread's user still returns ASPNET.
>> > ¤
>> > ¤ Does anyone see a problem with my method?
>> > ¤
>> >
>> > Not sure if I understand your configuration completely. Is the privileged
>> > operation being performed by the COM+ application? From your description it
>> > appears that the COM+ application is already running under a privileged account.
>> >
>> >
>> > Paul ~~~ pclement@ameritech.net
>> > Microsoft MVP (Visual Basic)
>>
>>
>
>


