Re: Problem with Protocol Transition

---

• From: Iain Mcleod <IainMcleod@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 1 Oct 2007 06:36:01 -0700

---

Thanks Joe

No, I'm not impersonating the token when I get that error.
I'm just setting httpcontext.current.user to be a new WindowsIdentity object.
I don't actually do anything with it until I need to obtain a network
credential (I do a quick impersonate, grab the credentials and then do an
immediate undo of impersonation context).

If you need further information on my code, I've a mixed authentication
setup based on the following example:

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=a12e9f53-695f-452f-87d0-abbe9f12351e

(Except of course I'm using S4U instead of defaulting to GenericIdentity).


How can I find out which level the token is being generated with?
I'm just using the overloaded constructor for WindowsIdentity that takes
username as a string. Can't seem to see any params relating to Impersonate
or Identity level...

Cheers
Iain

"Joe Kaplan" wrote:

I did a little digging and discovered that this error occurs because an
internal call to the Windows API LsaGetLogonSessionData returns the HRESULT
0xC0000022, which translates to this Windows error message:

# for hex 0xc0000022 / decimal -1073741790 :
STATUS_ACCESS_DENIED ntstatus.h
# {Access Denied}
# A process has requested access to an object, but has not
# been granted those access rights.

I don't know why that would be the case for an S4U logon token though. Are
you impersonating the token when that happens? It might be some weird
artifact of S4U. Also, is the S4U token generated with Impersonate or
Identity level?

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Iain Mcleod" <IainMcleod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A29AA6A0-C8F0-4584-8A02-A63FDA0801D6@xxxxxxxxxxxxxxxx

Hi

I'm using protocol transition to create user accounts in an ASP.NET
context.
The login seems to be working ok, but I'm getting a nasty security
exception
"Attempted to perform an unauthorized operation" (see stacktrace).
I get the same error message in the debugger when I quick watch
httpcontext.current.user.identity, AuthenticationType property (it's a
WindowsIdentity with name=CONTOSO\Administrator and IsAuthenticated=True).


(In the code example, request is a HttpWorkerRequest object and
GetUserName() function returns a username of the form "user@xxxxxxxxxx")

The wierd thing is that there only seems to be a problem with an identity
constructed using protocol transition (i.e. the following):

Dim user as WindowsIdentity = New
WindowsIdentity(GetUserName(request.GetServerVariable("LOGON_USER")))

If I construct the user using NTLM it works perfectly:
Dim user as WindowsIdentity = New WindowsIdentity(request.GetUserToken(),
request.GetServerVariable("AUTH_TYPE"), WindowsAccountType.Normal, True)

Here is the exception I get:

----------------------------------------------------------
Attempted to perform an unauthorized operation.
at System.Security.Principal.WindowsIdentity.get_AuthenticationType()
at
System.Web.HttpRequest.CalcDynamicServerVariable(DynamicServerVariable
var)
at System.Web.HttpServerVarsCollectionEntry.GetValue(HttpRequest
request)
at System.Web.HttpServerVarsCollection.GetServerVar(Object e)
at System.Web.HttpServerVarsCollection.Get(Int32 index)
at System.Web.HttpServerVarsCollection.GetValues(Int32 index)
at
System.Collections.Specialized.NameValueCollection.Add(NameValueCollection
c)
at System.Web.HttpRequest.FillInParamsCollection()
at System.Web.HttpRequest.GetParams()
at System.Web.HttpRequest.get_Params()
----------------------------------------------------------------

Any ideas anyone?

Thanks
Iain Mcleod

.

---

• Follow-Ups:
  • Re: Problem with Protocol Transition
    • From: Joe Kaplan

• Prev by Date: Re: Easiest way to test if asp is working correctly?
• Next by Date: Re: Problem with Protocol Transition
• Previous by thread: Re: Easiest way to test if asp is working correctly?
• Next by thread: Re: Problem with Protocol Transition
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: COM dll thread security issue while accessing from ASP.NET ... I save a reference to the current WindowsIdentity ... IIS authenticated user account. ... impersonate the identity of the WindowsIdentity object saved above. ... the 'Impersonator' event handler is running inside the COM dll thread, ... (microsoft.public.dotnet.security) Re: Impersonating when creating a process from inside a SQL Server Assembly ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... the current WindowsIdentity is still WINDOWS SERVICE. ... I'm trying to impersonate a different user when ... (microsoft.public.dotnet.security) Re: Problem with Protocol Transition ... what is the OS because windowsidentity react a little bit ... Network service or a service account. ... I've just noticed that the problem goes away if I impersonate the user. ... Joe Kaplan-MS MVP Directory Services Programming ... (microsoft.public.dotnet.framework.aspnet.security) Re: Impersonation question for network resources ... > WindowsIdentity oNewWI = new WindowsIdentity; ... >>> I have a small WinForms app that needs to copy files from a shared drive ... >>> network resource fine, but otherwise fails with permission errors. ... >>> know the code works because it allows me to impersonate local accounts, ... (microsoft.public.dotnet.framework.clr) Re: Problem with Protocol Transition ... "Attempted to perform an unauthorized operation". ... request is a HttpWorkerRequest object and ... Dim user as WindowsIdentity = New ... Dim user as WindowsIdentity = New WindowsIdentity, ... (microsoft.public.dotnet.framework.aspnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)