Re: Impersonate User asp.net

From: Adam (adamf81_at_yahoo.co.uk)
Date: 02/19/04


Date: 19 Feb 2004 07:26:36 -0800

Hi Joe,

Thanks for the reply, much appreciated.

I've had a go at going down the route you suggested, just to get the
thing working.

I've changed the processModel in the machine.config file to the user
I'm trying to impersonate. I've mapped a drive of a server, in a
different domain, to the web server. The user in the machine.config
file and the user from the other domain have the same name and
password. As a test, in my ASP code, I'm trying to read a text-file in
the root of this mapped drive.

However, when the page is executed it returns a "Logon failure:
unknown user name or bad password." error.

Adding "User.Identity.Name" to the page returns nothing (even when run
on the server). While, "Principal.WindowsIdentity.GetCurrent.Name"
returns the server's IWAM_... account. For me this is unexpected,
shouldn't the "User.Identity.Name" line return the name of the user in
the machine.config file?

This, and the fact that the user has full control permissions to the
mapped drive, leads me to believe that my application is falling down
because the user in the machine.config file is not functioning as
expected.

This one is really starting to get to me.

Any help would help.

Thanks,

Adam

"Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:<#CPLH6k9DHA.3900@tk2msftngp13.phx.gbl>...
> Under Win2K, you need very high privileges to impersonate with supplied
> credentials. This is because that calls the LogonUser API, and that
> requires "Act as part of the operating system" privilege, which normally
> only SYSTEM has. Thus, if your processModel is set up as ASPNET (machine),
> it won't be able to impersonate like that. XP and 2K3 lift this
> requirement.
>
> You can upgrade to 2K3 server or change the entire processModel to run as
> your specified user instead of just trying to impersonate in this one app.
>
> HTH,
>
> Joe K.
>
> "Adam" <adamf81@yahoo.co.uk> wrote in message
> news:95c6c7da.0402180707.7678ed73@posting.google.com...
> > Hi,
> >
> > I'm having big probs impersonating a user using VB in asp.net. I am
> > trying to run my application under another user's account. I have .NET
> > Framework 1.1 installed on IIS 5.0 on a Win 2000 server.
> >
> > I've added the following line to my web.config file:
> >
> > <identity impersonate="true" userName = "user" password = "pw" />
> >
> > When I run the page on the server I receive the error:
> >
> > "Access denied to 'D:\dotNetTest\Adam\trading'. Failed to start
> > monitoring file changes."
> >
> > I have granted the "user" account FULL access to each directory in the
> > path: 'D:\dotNetTest\Adam\trading' as per MSDN articles and news group
> > postings, yet still receive the same error!
> >
> > Is there anything I'm missing?
> >
> > Should the user have access to the machine.config file?
> > Is there anything I have to do with IIS?
> >
> > Additionally, when the <identity impersonate...." line is removed from
> > my web.config file and I output the anonymous account that it is being
> > used it is the IWAM_... account, not the ASPNET account, or IUSR_...
> > account as expected. Is this correct?
> >
> > Any help would be much appreciated, seems I've hit a brick wall on
> > this one.
> >
> > Cheers,
> >
> > Adam
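
Added example, not part of the original thread: a small VB.NET helper that reports, side by side, the two identities compared in the post (`User.Identity.Name` and `WindowsIdentity.GetCurrent().Name`) and then attempts the file read under the token actually in effect. The class name `IdentityProbe`, its method names and the test path are hypothetical; the code avoids anything newer than .NET Framework 1.1.

```vb
Imports System
Imports System.IO
Imports System.Text
Imports System.Web
Imports System.Security.Principal

' Hypothetical helper; call from a page with, for example:
'   Response.Write(IdentityProbe.Report(Context, "<path-to-test-file>"))
' where the path is a placeholder for the file being tested.
Public Class IdentityProbe

    Public Shared Function Report(ByVal ctx As HttpContext, ByVal filePath As String) As String
        Dim sb As New StringBuilder()

        ' Identity that ASP.NET authenticated for this HTTP request.
        ' It is empty when the request is anonymous.
        Dim reqName As String = "(no principal)"
        Dim reqAuth As Boolean = False
        If Not ctx.User Is Nothing Then
            reqName = ctx.User.Identity.Name
            reqAuth = ctx.User.Identity.IsAuthenticated
        End If
        sb.AppendFormat("Request user: '{0}' (authenticated: {1})<br>", _
            HttpUtility.HtmlEncode(reqName), reqAuth)

        ' Windows token the current thread runs under: the impersonated
        ' account when impersonation is on, otherwise the worker process account.
        ' File and network access checks are made against this token.
        Dim win As WindowsIdentity = WindowsIdentity.GetCurrent()
        sb.AppendFormat("Windows token: '{0}' (auth: {1}, system: {2})<br>", _
            HttpUtility.HtmlEncode(win.Name), win.AuthenticationType, win.IsSystem)

        sb.Append(HttpUtility.HtmlEncode(TryRead(filePath, win.Name)))
        Return sb.ToString()
    End Function

    ' Attempts the read and reports the outcome together with the account used.
    Private Shared Function TryRead(ByVal filePath As String, ByVal account As String) As String
        Dim reader As StreamReader = Nothing
        Try
            reader = New StreamReader(filePath)
            reader.ReadLine()
            Return String.Format("Read of {0} succeeded as {1}", filePath, account)
        Catch ex As Exception
            Return String.Format("Read of {0} failed as {1}: {2}: {3}", _
                filePath, account, ex.GetType().Name, ex.Message)
        Finally
            If Not reader Is Nothing Then reader.Close()
        End Try
    End Function
End Class
```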


