RE: UNC Path access is denied

From: Russ (Russ_at_discussions.microsoft.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 11:55:03 -0700

Update...

I was able to get a list of the files on the share by changing to the IIS
configuration to use a domain account instead of the IUSR_<machinename>
account. This still doesn't explain why when I'm impersonating a domain user
that the call context appears to continue to use the local IUSR account. I
verified that the call context is the IUSR account by enabling auditing on
the source server.

Thanks for you help.

Russ

"Russ" wrote:

> I have an asp.net app that needs to retrieve a list of files from a UNC path.
> All attempts to access have resulted in "Access Denied". I'm using
> LogonUser in the Win32 API to authenticate using a process account in our
> internal domain. Authentication is successful. After authenticating, I call
> ImpersonateLoggedOnUser (I've also tried impersonate in the
> WindowsImpersonationContext class) also in the Win32 api and pass in the
> token received from LogonUser. All result codes are successful at this point.
>
> Prior to the LogonUser call, I get the current WindowsIdentity which returns
> the IUSR_<machinename>. After the LogonUser call and ImpersonateLoggedOnUser
> calls, the current identity is changed to the process account that I used for
> authentication. Using the new windowsidentity object a create a new
> WindowsPrincipal object and attach it to the current thread.
>
> At this point, I create a directoryInfo object and pass in the UNC Path.
> Using the new object, I call its GetFiles method passing in the filter
> "*.xls". This call thrrows an System.UnauthorizedAccessException: Access to
> the path "\\myservername\\mysharename" is denied Exception.
>
> I've included the code below. Thanks in advance for your assistance.
>
> '======================================================================
> 'Code-behind Class
> '======================================================================
> Imports System
> Imports System.IO
> Imports System.Security.Principal
> Imports IMS.WSD.IMSApplication
>
> Public Class WebForm2
> Inherits System.Web.UI.Page
>
> Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
> System.EventArgs) Handles MyBase.Load
> 'Put user code to initialize the page here
> GetFiles3()
>
> End Sub
> Private Sub GetFiles3()
>
> Try
> Dim oFileIO As New FileIO()
> Dim oSecurity As New Security()
> Dim oFileInfo As FileInfo()
> Dim strPath As String = "\\plysdev09\\prod"
>
> 'Starting impersonation here:
> 'Console.WriteLine("Before impersonation:")
> Dim mWI1 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI1.Name)
> Console.WriteLine(mWI1.Token)
> Dim token1 As Integer = oSecurity.NetworkImpersonate("rbasiura",
> "password", "Domain")
>
> Dim token2 As IntPtr = New IntPtr(token1)
>
> 'Console.WriteLine("New identity created:")
> Dim mWI2 As WindowsIdentity = New WindowsIdentity(token2)
>
> Console.WriteLine(mWI2.Name)
> Console.WriteLine(mWI2.Token)
>
> 'Impersonate the user.
> 'Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()
> Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()
>
> Console.WriteLine("After impersonation:")
> Dim mWI3 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI3.Name)
> Console.WriteLine(mWI3.Token)
>
> ' Create a new WindowsPrincipal
> Dim MyPrincipal As New WindowsPrincipal(mWI3)
>
> ' Attach the Principal to the HttpContext
> HttpContext.Current.User = MyPrincipal
>
> oFileInfo = oFileIO.GetFiles(strPath)
>
> 'Revert to previous identity.
> mWIC.Undo()
>
> 'Console.WriteLine("After impersonation is reverted:")
> Dim mWI4 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI4.Name)
> Console.WriteLine(mWI4.Token)
>
> ' Print out the names of the files in the current directory.
> Dim lstItem As ListItem
> DropDownList1.Items.Clear()
> Dim fiTemp As FileInfo
> For Each fiTemp In oFileInfo
> lstItem = New ListItem()
> lstItem.Text = fiTemp.Name.ToString
> DropDownList1.Items.Add(lstItem)
> Next fiTemp
>
> Catch ex As Exception
> Throw ex
> End Try
>
> End Sub
> End Class
>
> '======================================================================
> 'Security Class
> '======================================================================
>
> Imports System.Runtime.InteropServices
> Imports System.Security.Principal
> Imports System.Security.Permissions
> Imports System.Web
>
> <Assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum,
> UnmanagedCode:=True)>
> Public Class Security
>
> <DllImport("C:\\WINNT\\System32\\advapi32.dll")> _
> Public Shared Function LogonUser(ByVal lpszUsername As String, _
> ByVal lpszDomain As String, _
> ByVal lpszPassword As String, _
> ByVal dwLogonType As Integer, _
> ByVal dwLogonProvider As Integer, _
> ByRef phToken As Integer) As Boolean
>
> End Function
>
> <DllImport("C:\\WINNT\\System32\\Kernel32.dll")> _
> Public Shared Function GetLastError() As Integer
> End Function
>
> Private Function ImpersonateNetworkUser()
>
> Try
>
> 'The Windows NT user token.
> Dim token1 As Integer
>
> 'Get the user token for the specified user, machine, and
> password using the unmanaged LogonUser method.
>
> 'The parameters for LogonUser are the user name, computer name,
> password,
> 'Logon type (LOGON32_LOGON_NETWORK_CLEARTEXT), Logon provider
> (LOGON32_PROVIDER_DEFAULT),
> 'and user token.
> Dim loggedOn As Boolean = LogonUser("username", "Domain",
> "password", 3, 0, token1)
> 'Response.Write("LogonUser called")
>
> 'Call GetLastError to try to determine why logon failed if it
> did not succeed.
> Dim ret As Integer = GetLastError()
>
> 'Console.WriteLine("LogonUser Success? " + loggedOn)
> 'Console.WriteLine("NT Token Value: " + token1)
> If ret <> 0 Then
> Console.WriteLine("Error code (126 == ""Specified module
> could not be found""): " + ret)
> End If
>
> 'Starting impersonation here:
> Console.WriteLine("Before impersonation:")
> Dim mWI1 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI1.Name)
> Console.WriteLine(mWI1.Token)
>
> Dim token2 As IntPtr = New IntPtr(token1)
>
> Console.WriteLine("New identity created:")
> Dim mWI2 As WindowsIdentity = New WindowsIdentity(token2)
> Console.WriteLine(mWI2.Name)
> Console.WriteLine(mWI2.Token)
>
> 'Impersonate the user.
> Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()
>
> Console.WriteLine("After impersonation:")
> Dim mWI3 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI3.Name)
> Console.WriteLine(mWI3.Token)
>
> 'Revert to previous identity.
> mWIC.Undo()
>
> Console.WriteLine("After impersonation is reverted:")
> Dim mWI4 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI4.Name)
> Console.WriteLine(mWI4.Token)
>
> Catch ex As Exception
> Throw ex
> End Try
>
>
> End Function
>
> <DllImport("C:\\WINNT\\System32\\advapi32.dll")> _
> Public Shared Function ImpersonateLoggedOnUser(ByVal token As
> Integer) As Boolean
>
> End Function
>
> Public Function NetworkImpersonate(ByVal strUserName As String, _
> ByVal strPassword As String, _
> ByVal strDomain As String) As Integer
>
> 'The Windows NT user token.
> Dim token1 As Integer
>
> 'Get the user token for the specified user, machine, and password
> using the unmanaged LogonUser method.
> 'The parameters for LogonUser are the user name, computer name,
> password,
> 'Logon type (LOGON32_LOGON_NETWORK_CLEARTEXT), Logon provider
> (LOGON32_PROVIDER_DEFAULT),
> 'and user token.
> Dim loggedOn As Boolean = LogonUser(strUserName, strDomain,
> strPassword, 3, 0, token1)
> 'Console.WriteLine("LogonUser called")
> If loggedOn = False Then
> Throw New Exception("Authorization Failed.")
> Else
> 'impersonate the logged on user
> Dim blnSuccess As Boolean = ImpersonateLoggedOnUser(token1)
>
> If blnSuccess = True Then
> Return token1
> End If
> 'Return ImpersonateLoggedOnUser(token1)
> End If
>
> End Function
>
> End Class
>
> '======================================================================
> 'FileIO Class
> '======================================================================
>
> Imports System
> Imports System.IO
> Imports System.Collections
> Imports System.Web
> Imports System.Security.Principal
>
> Public Class IMSFileIO
>
> Public Function GetFiles(ByVal strPath As String) As FileInfo()
> Try
>
> Dim mWI1 As WindowsIdentity = WindowsIdentity.GetCurrent()
> Console.WriteLine(mWI1.Name)
>
> ' Create a reference to the current directory.
> Dim di As New DirectoryInfo(strPath)
> ' Create an array representing the files in the current directory.
> Dim fi As FileInfo() = di.GetFiles("*.xls")
> ' Print out the names of the files in the current directory.
>
> GetFiles = fi
>
> Catch ex As Exception
> Throw ex
>
> End Try
>
> End Function
>
> End Class



Relevant Pages

  • Re: Office interop from asp.net (vb) - permissions problem....
    ... No. ASPNET is a restricted account that's somewhat like "guest" account. ... > Imports Microsoft.Office.Interop ... > 'Authenticated user' that I need and b) which file needs to be given ... > granting access rights to the resource to the ASP.NET request identity. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Office interop from asp.net (vb) - permissions problem....
    ... > No. ASPNET is a restricted account that's somewhat like "guest" account. ... >> Imports Microsoft.Office.Interop ... >> 'Authenticated user' that I need and b) which file needs to be given ... >> granting access rights to the resource to the ASP.NET request identity. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Office interop from asp.net (vb) - permissions problem....
    ... > No. ASPNET is a restricted account that's somewhat like "guest" account. ... >> Imports Microsoft.Office.Interop ... >> 'Authenticated user' that I need and b) which file needs to be given ... >> granting access rights to the resource to the ASP.NET request identity. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Forms Authentication Security questions...
    ... Login page, in you case default.aspx. ... string ReturnUrl=/admin/admin.aspx for late return. ... >Imports Microsoft.VisualBasic ... > Private Sub Page_Load(sender as Object, ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Send Email Using VB 2008 Express
    ... Imports System.Web.Mail.SmtpMail.Send ... Public Class Form1 ... Private Sub btnSend_Click(ByVal sender As System.Object, ... The System.Web namespace has been deprecated, ...
    (microsoft.public.dotnet.languages.vb)