Impersonation and UNC network resources

From: Colin Nicholls (colin_at_spacefold.com)
Date: 03/08/05


Date: Tue, 8 Mar 2005 12:43:00 -0800

Hi guys -

I've been getting knotted up with this for a few days now. Originally I was
in an ASP.NET context (using VFP8 OleDB to access tables located on a
network fileshare from inside of ASP.NET) but after much simplification and
reduction, I've reduced my question to a simple .NET console application.
The two tests I'm using in the console applications are: a) dirInfo on a
network folder (as per the example) and b) a VFP8 OleDB connection.

Excuse me for asking this question here in the aspnet.security when it could
be a more generic problem, but there have been some great minds answering
here...

Anyway. I based my code on this excellent sample:
http://www.netomatix.com/ImpersonateUser.aspx. It's using LogonUser() to
impersonate a known DOMAIN\user with appropriate permissions.

(I know the user credentials are fine, if for no other reason than because
if I set up ASP.NET to impersonate the user, I have no problems, providing I
don't cause ASP.NET to recompile the ASPX files. If I update the aspx files,
I get an exception on the compiler permissions. I guess the impersonated
user doesn't have appropriate rights.)

I've stepped through the code and observed two things:

On my laptop - a Windows XP Pro machine not part of the domain - the
LogonUser() succeeds, but the directory code:

    System.IO.DirectoryInfo dirInfo = new System.IO.DirectoryInfo(@"\\SERVERNAME\sharename\folder");
    Console.WriteLine( dirInfo.Exists );
    string strFolderToCreate = @"\\SERVERNAME\sharename\folder" + "\\" + "boogle";
    System.IO.Directory.CreateDirectory(strFolderToCreate);

I get:

    False
    Error: Could not find a part of the path "\\SERVERNAME\sharename".

The Vfp OleDb code generates an "invalid path or filename" exception which I
recognise from my regular VFP apps when directories aren't visible.

Interestingly, when I run the console app on a different machine, Windows
2000 SP3 which *is* on the DOMAIN, the LogonUser() fails with error 1314 -
"A required privilege is not held by the client".

I understand that on Win2k I would have to allow this user account to "act
as part of the operating system" - which I did, but it didn't seem to make
any difference. Do I need to reboot???

But apart from that - why would LogonUser() say it succeeded, but my code is
still prevented from accessing the resources it needs?

Question 2, I guess, is: if this is unsolvable, and instead of using
custom impersonation code in my aspx.cs files, I *have* to use the
web.config <impersonate true, user, DOMAIN> etc., then why does the recompile
fail?

If I'm being an idiot, please let me know.

Thanks in advance,
- Colin


