Impersonating tokens don't match (get error)

From: turinreza (turin_at_csua.berkeley.edu)
Date: 02/26/04

Date: Thu, 26 Feb 2004 14:11:08 -0800

Trying to find out if I am really impersonating; I get an "access is denied" error when accessing a share
through this code. I am impersonating an NT-authenticated user, away from the ASPNET account,
to do network access.

// Windows 2000 sp4, Dotnet 1.1 VS.NET 2003 - Webserver.
// client machine is Windows 2000 sp4 with IE 6.0 (both on same network, can access shares directly)
// ASP.NET Application using Windows Authentication
(>> marks the executing line of code)

>> System.Security.Principal.IIdentity userIIdentity = System.Web.HttpContext.Current.User.Identity;

// userIIdentity: token = 1840
// : user = "DOMAINNAME\DomainUser1"
// : IsAuthenticated = true
// : IsAnonymous = false
// : IsGuest = false
// : AuthenticationType = "NTLM"

(System.Security.Principal.WindowsIdentity.GetCurrent().Token equals 684)
// GetCurrent() : token = 628
// : user = "WEBSERVER\ASPNET"
// : IsAuthenticated = true
// : IsAnonymous = false
// : IsGuest = false
// : AuthenticationType = "NTLM"

// First question: Why is .Token different from the m_token of GetCurrent()?

>> System.Security.Principal.WindowsIdentity userIdentity = (WindowsIdentity)userIIdentity;

// userIdentity: token = 1840
// : user = "DOMAINNAME\DomainUser1"
// : IsAuthenticated = true
// : IsAnonymous = false
// : IsGuest = false
// : AuthenticationType = "NTLM"

(System.Security.Principal.WindowsIdentity.GetCurrent().Token equals 1868)
// 2nd Question: Why is .Token different now? Nothing has happened; it was 684, now 1868.

>> string user = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

// user value : "WEBSERVER\ASPNET"

(System.Security.Principal.WindowsIdentity.GetCurrent().Token equals 1908)
// 3rd Question: Why is .Token different now? Nothing has happened; it was 1868, now 1908.
// Why does it keep changing on every line of code that only reads memory?

>> System.Security.Principal.WindowsImpersonationContext winImpCtx =
        System.Security.Principal.WindowsIdentity.Impersonate(userIdentity.Token);

// winImpCtx : token = 2864
// 4th Question: Why doesn't it match up to either the ASPNET acct's token or Domain User's token?

// GetCurrent() : token = 1940
// : user = "DOMAINNAME\DomainUser1"
// : IsAuthenticated = true
// : IsAnonymous = false
// : IsGuest = false
// : AuthenticationType = "NTLM"

// 5th question: Why is the token 1940 and not 1840 like userIdentity's?
// But it got the Domain User correct in the name...

// userIdentity and userIIdentity still have same values

>> user = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

// user value : "DOMAINNAME\DomainUser1"

// 6th Question: GetCurrent()'s token changes for every line of code, and its m_userToken doesn't match
// the GetCurrent().Token value? Sounds like a bug.... and it doesn't match userIdentity's 1840.

// 7th and Biggest Question: Should it match userIdentity's token of 1840 if it's impersonating?

>> System.IO.StreamReader reader = new StreamReader(@"\\clientmachine\sharename\filename.csv");

// get "access is denied": System.UnauthorizedAccessException
// "Access to the path \"\\\\clientmachine\\sharename\\filename.csv\" is denied."
// -532459699 comPlusExceptionCode
// mscorlib

// Why do I get this error? It seems like I am impersonating the NT domain user, but
// the tokens don't match. I can access the file share from the client machine.

// If the file is on a share on the webserver, it works with and without impersonation;
// permissions on the share are Everyone has full control, and Everyone has full control in the NTFS permissions.

>> winImpCtx.Undo();
// never get to this point :(

Thanks for any input
Jimmy
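Added example, not part of the original post: a small diagnostic that compares identities by name and reports the token type and impersonation level instead of comparing raw handle values (each WindowsIdentity.GetCurrent() call opens a fresh duplicate handle, so the numbers are expected to differ). The impersonation level is the value to check when network access fails under impersonation: Windows will not use an Impersonation-level token to authenticate to a second machine, which is why a local share works but a remote one does not. The class name TokenDiag and the P/Invoke wrapper are assumptions made for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic (not from the original post): reports what kind of token a
// WindowsIdentity carries, since raw handle values are not comparable.
public class TokenDiag
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLen, out int returnLen);

    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenType = 8;
    const int TokenImpersonationLevel = 9;
    // SECURITY_IMPERSONATION_LEVEL: 0..3
    static readonly string[] Levels =
        { "Anonymous", "Identification", "Impersonation", "Delegation" };

    // Reads a 4-byte value for the given information class; throws on failure.
    static int QueryDword(IntPtr token, int infoClass)
    {
        IntPtr buf = Marshal.AllocHGlobal(4);
        try
        {
            int len;
            if (!GetTokenInformation(token, infoClass, buf, 4, out len))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.ReadInt32(buf);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    public static string Describe(WindowsIdentity id)
    {
        int type = QueryDword(id.Token, TokenType);   // 1 = primary, 2 = impersonation
        string kind = (type == 1) ? "primary" : "impersonation";
        // Impersonation level only exists for impersonation tokens.
        string level = (type == 2) ? Levels[QueryDword(id.Token, TokenImpersonationLevel)] : "n/a";
        return id.Name + " (" + id.AuthenticationType + ", " + kind + " token, level " + level + ")";
    }

    // Call from an ASP.NET page under Windows authentication with
    // (WindowsIdentity)HttpContext.Current.User.Identity as the caller.
    public static void Check(WindowsIdentity caller)
    {
        Console.WriteLine("before: " + Describe(WindowsIdentity.GetCurrent()));
        WindowsImpersonationContext ctx = caller.Impersonate();
        try { Console.WriteLine("during: " + Describe(WindowsIdentity.GetCurrent())); }
        finally { ctx.Undo(); }   // always revert, even if the share access throws
    }
}
```

If "during" reports the domain user with level Impersonation, the in-process impersonation is working and the remote share failure is a delegation issue rather than a token mismatch.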