Problem with Protocol Transition



Hi

I'm using protocol transition to create user accounts in an ASP.NET context.
The login seems to be working ok, but I'm getting a nasty security exception
"Attempted to perform an unauthorized operation" (see stacktrace).
I get the same error message in the debugger when I quick watch
httpcontext.current.user.identity, AuthenticationType property (it's a
WindowsIdentity with name=CONTOSO\Administrator and IsAuthenticated=True).


(In the code example, request is a HttpWorkerRequest object and
GetUserName() function returns a username of the form "user@xxxxxxxxxx")

The weird thing is that there only seems to be a problem with an identity
constructed using protocol transition (i.e. the following):

Dim user As WindowsIdentity = New WindowsIdentity(GetUserName(request.GetServerVariable("LOGON_USER")))

If I construct the user using NTLM it works perfectly:
Dim user As WindowsIdentity = New WindowsIdentity(request.GetUserToken(), request.GetServerVariable("AUTH_TYPE"), WindowsAccountType.Normal, True)

Here is the exception I get:

----------------------------------------------------------
Attempted to perform an unauthorized operation.
at System.Security.Principal.WindowsIdentity.get_AuthenticationType()
at System.Web.HttpRequest.CalcDynamicServerVariable(DynamicServerVariable var)
at System.Web.HttpServerVarsCollectionEntry.GetValue(HttpRequest request)
at System.Web.HttpServerVarsCollection.GetServerVar(Object e)
at System.Web.HttpServerVarsCollection.Get(Int32 index)
at System.Web.HttpServerVarsCollection.GetValues(Int32 index)
at System.Collections.Specialized.NameValueCollection.Add(NameValueCollection c)
at System.Web.HttpRequest.FillInParamsCollection()
at System.Web.HttpRequest.GetParams()
at System.Web.HttpRequest.get_Params()
----------------------------------------------------------------

Any ideas anyone?

Thanks
Iain Mcleod
