Re: Impersonation and accessing Windows file share



Correct me if I am wrong - but when delegation is configured, NETWORK logons do have network credentials?!

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I think I see your problem. You are using LOGON32_LOGON_NETWORK, but
if you read the docs for LogonUser in MSDN carefully, you'll see that
this type of logon doesn't have network credentials. You probably
should switch to LOGON32_LOGON_NETWORK_CLEARTEXT.

Joe K.

"Julie" <hermie@xxxxxxxxxxxxx> wrote in message
news:CA883E64-1822-48B7-9B7D-3D6859FEC262@xxxxxxxxxxxxxxxx

I can see on the Event log on my web server that the service account
is logging in successfully.
However, on the file server, the event log shows that the user is
connecting to the file server as NT AUTHORITY\ANONYMOUS LOGON.
Interesting.

My Logon code looks like this:

    Imports System.Runtime.InteropServices
    Imports System.Security.Principal

    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As [String], ByVal lpszDomain As [String], _
        ByVal lpszPassword As [String], ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean

    ' Needed to release the token handle returned by LogonUser
    Private Declare Auto Function CloseHandle Lib "kernel32.dll" ( _
        ByVal handle As IntPtr) As Boolean

    Private Function Logon() As WindowsIdentity
        Dim handle As IntPtr = IntPtr.Zero
        Const LOGON32_LOGON_NETWORK As Integer = 3
        Const LOGON32_PROVIDER_DEFAULT As Integer = 0

        Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain, _
            Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

        If Not logonSucceeded Then
            Dim errorCode As Integer = Marshal.GetLastWin32Error
            Throw New Exception("User logon failed. Error number: " & errorCode)
        End If

        ' WindowsIdentity duplicates the token, so the original handle can be closed
        Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
        CloseHandle(handle)
        Return winIdentity
    End Function

"Joe Kaplan (MVP - ADSI)" wrote:

If you enable logon event auditing on the file server, what does the
logon failure say on that end? That may give you some clues.

Also, when you called LogonUser, what type of logon did you do? You
need to make sure you use one that gives you network credentials.

Joe K.

"Julie" <hermie@xxxxxxxxxxxxx> wrote in message
news:674C986D-5107-420D-A65C-3FC8B440766B@xxxxxxxxxxxxxxxx
I use that code and I can confirm that impersonation is impersonating
the correct user. And yes, I can access the file share as the system
account - thanks for checking. :-)

"Luke Zhang [MSFT]" wrote:

Hello,

First, you can use the following code to determine what user the
thread is executing as:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name

Also, if you log on as the System account on the server, can you
access the Windows file share like "\\Myserver\Myshare"?

Regards,

Luke Zhang
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from your issue.
==================================================
(This posting is provided "AS IS", with no warranties, and confers
no rights.)
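
The logon-type change Joe suggests, combined with Luke's identity check, as an added example that is not code from any poster in this thread. It assumes .NET Framework (WindowsIdentity.Impersonate) and uses LOGON32_LOGON_NETWORK_CLEARTEXT (value 8), which keeps the credentials in the logon session so the token can authenticate to a second server; the module name, ListShare and the command-line arguments are hypothetical.

```vb
Imports System
Imports System.ComponentModel
Imports System.IO
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Module ShareAccessExample   ' hypothetical name, not from the thread
    Private Const LOGON32_LOGON_NETWORK_CLEARTEXT As Integer = 8
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As String, ByVal lpszDomain As String, _
        ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean

    Private Declare Auto Function CloseHandle Lib "kernel32.dll" ( _
        ByVal handle As IntPtr) As Boolean

    ' Lists the files on a UNC share while impersonating the given account.
    Public Function ListShare(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal uncPath As String) As String()
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        Dim ctx As WindowsImpersonationContext = Nothing
        Try
            ctx = New WindowsIdentity(token).Impersonate()
            ' Luke's check: this should now print DOMAIN\user, not the worker process identity
            Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
            ' The outbound SMB connection is made with the impersonated credentials
            Return Directory.GetFiles(uncPath)
        Finally
            ' Always revert to the process identity and release the token
            If ctx IsNot Nothing Then ctx.Undo()
            CloseHandle(token)
        End Try
    End Function

    ' Usage: ShareAccessExample.exe <user> <domain> <\\server\share>
    Sub Main(ByVal args As String())
        Console.Write("Password: ")
        Dim password As String = Console.ReadLine()
        For Each f As String In ListShare(args(0), args(1), password, args(2))
            Console.WriteLine(f)
        Next
    End Sub
End Module
```

With logon event auditing enabled on the file server, as Joe suggests, a successful run should show the logon under the service account name rather than NT AUTHORITY\ANONYMOUS LOGON.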


