ASPNET and Impersonation
From: Charles Leonard (elmsdn13_at_hotmail.com)
Date: 09/04/03
- In reply to: Charles Leonard: "ASPNET and Impersonation"
Date: Thu, 4 Sep 2003 09:05:09 -0700
In case anyone is interested, the solution to the above
problem appears to be that there is no solution - at least
not through any additional configuration using the
Web.config file.
There is some hint of achieving such authorization
programmatically using "advapi32.dll" and the LogonUser()
API. However, there is a suggestion that any such code
may not work on all platforms.
In any event, I took another approach to solve the
problem. By modifying the Machine.config file (in the
directory C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322
\CONFIG) and changing the <processModel> contents of
userName and password from the default settings to the
userName and password references I had previously defined
for the <identity> tag of my Web.config file, the identity
problem with thread creation is resolved and access to
the "shared drive" is achieved by both threads without
further incident.
The unfortunate drawback in this approach is that the
process identity for all .Net applications installed on
the machine will be the one defined in the Machine.config
file (instead of being localized to the single Web Service
being configured by the Web.config file).
If anyone does find a way to achieve Impersonation that
actually can be applied to all threads created by the
target web service (and/or configured by the Web.config
file), let me know. And for that matter, if anyone has a
better suggestion on how to access a shared drive without
using Impersonation or changing the process identity, I'd
be very interested in this as well.
Thanks.
--Charles Leonard
References:
http://www.15seconds.com/Issue/030115.htm?voteresult=5
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q317/0/12.asp&NoWebContent=1
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp
http://www.msdnaa.net/Resources/Display.aspx?ResID=641
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q306/1/58.asp&NoWebContent=1
http://www.codeproject.com/csharp/cpimpersonation1.asp
http://www.codeproject.com/csharp/lsadotnet.asp
>-----Original Message-----
>OK. So just when I think I am making progress, 2 steps
>forward, I am thrown another curve ball, one step
>backwards. I am employing impersonation for my Web
>Service. Impersonation is being used because of a
>requirement that we have to access a "shared drive."
>
>Here is what I have done:
>
>1. aspnet_setreg.exe has been used to encrypt my
> credentials.
>2. Web.config has been edited to include:
>
><identity impersonate="true"
>  userName="registry:HKLM\SOFTWARE\MySoftware\identity\ASPNET_SETREG,userName"
>  password="registry:HKLM\SOFTWARE\MySoftware\identity\ASPNET_SETREG,password"
> />
>
>So far, so good. When I run my web service, the
>impersonation happens. Which is great - except for one
>thing. My web service creates a thread. The thread must
>also access the same network share. Unfortunately, the
>thread is reverting back to the "ASPNET" user despite the
>Web.config settings.
>
>Does anyone know how to correct this problem? Preferably,
>I'd like to correct it through configuration settings, if
>possible, rather than programmatically. But, I will
>welcome all suggestions.
>
>Thanks.
>
>--Charles Leonard
>
>.
>
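Added example, not part of the original message or of any code from its author: one programmatic way to carry the impersonated identity from the request thread onto a thread the web service creates, so the process identity in Machine.config can stay at its default. It assumes the .NET Framework on Windows; the class name `ImpersonatedWorker`, its members and the UNC path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper: runs file-share work on a new thread under the
// identity that the creating (request) thread is impersonating.
public sealed class ImpersonatedWorker
{
    private readonly WindowsIdentity identity;
    private readonly string sharePath;

    // Construct this on the request thread, while <identity impersonate="true">
    // is in effect. There, WindowsIdentity.GetCurrent() returns the thread's
    // impersonation token rather than the process account (ASPNET).
    public ImpersonatedWorker(string sharePath)
    {
        this.identity = WindowsIdentity.GetCurrent();
        this.sharePath = sharePath;
    }

    public Thread Start()
    {
        Thread worker = new Thread(new ThreadStart(this.Run));
        worker.Start();
        return worker;
    }

    private void Run()
    {
        // The new thread begins with the process token, so impersonate explicitly.
        WindowsImpersonationContext context = this.identity.Impersonate();
        try
        {
            Console.WriteLine("Worker identity: " + WindowsIdentity.GetCurrent().Name);
            string[] files = Directory.GetFiles(this.sharePath);
            Console.WriteLine("Files visible on share: " + files.Length);
        }
        finally
        {
            // Always revert, so the thread never keeps the impersonated
            // token beyond the work that needs it.
            context.Undo();
        }
    }
}

// Usage from a web method (constructed sample path):
//   new ImpersonatedWorker(@"\\fileserver.example\share").Start();
```

Because only the one worker thread takes on the configured account, the other .NET applications on the machine keep running under the default process identity.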