Re: WindowsIdentity - Invalid token; it cannot be duplicated

Dominic,

Thank you so much. Reallized after your comment that the following line of
code is not right way of doing it.

System.Security.Principal.WindowsIdentity winIden=new
System.Security.Principal.WindowsIdentity(iToken);

Replaced with

System.Security.Principal.WindowsIdentity winIden
=(WindowsIdentity)this.Context.User.Identity;

Problem is resolved now.

This helps lot to resolve few other security related questions.

http://www.leastprivilege.com/ASPNETSecurityContextTroubleshootingTool.aspx

Thanks for your Help.

-Kamal.


"Dominick Baier" wrote:

Some things strike me odd...

First - you are using WindowsIdentity.GetCurrent() - this implies you are
using client impersonation (and also that your code will only work with that
setting) - you can always get to the authenticated client name by using Context.User.Identity.Name.

This also means - why do you have to factor that out? The client information
is always available..


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Dominik,
Because the login method will be used by asp.net application and also
used
by sharepoint webpart to access some webservice calls, we splited into
two.
So, the login method is common and before that we received the Token,
we are passing the token to Login method and it tries to get the
Priniciple.

Sequence is:

1. SharepointLogin() using
WindowsIdentity wi = WindowsIdentity.GetCurrent();
IntPtr iToken = wi.Token;
and passing this token to LogInUser() method fo Global.ascx.
2. static internal void LogInUser(System.Web.HttpApplication appState,
IntPtr iToken, string domainName, string userName)

which internally calls another method to retreive valid groups list
by passing the iToken again.

3. public string CheckUserGroups(IntPtr iToken, StringCollection
strGroupsCollection)

which uses the following.
System.Security.Principal.WindowsIdentity winIden=new
System.Security.Principal.WindowsIdentity(iToken);
This is where the "Invalid token" problem happens.

I can create a sample application if you like.

Please let me know if there is any best way to accomblish this one.

Thanks
Kamal
"Dominick Baier" wrote:

Hi,

well - frankly, i don't understand what you are doing...

and why do you have to pass tokens around??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hi Domnic,

Thanks for your response. Here the code from Login() webmethod and
the same token will be passed to another method which has the actual
problem.

WindowsIdentity wi = WindowsIdentity.GetCurrent();
IntPtr iToken = wi.Token;
string domainName="";
string userName="";
if (wi.Name != null)
{
string curUser = wi.Name;
if (curUser.Length>0)
{
int sepIndex = curUser.IndexOf(@"\");
if (sepIndex>-1)
{
domainName = curUser.Substring(0,sepIndex);
int len = curUser.Length-domainName.Length;
if (len>0)
{
userName = curUser.Substring(sepIndex+1,len-1);
}
}
else //just in case , no domain
userName=curUser;
}
}
Thanks,
Kamal.
"Dominick Baier" wrote:
Where do you get the token from?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I am having invalid token, it cannot be duplicated error 70% of
the time on one machine. We are creating and validating the
current user. The following line of code raise exception.

System.Security.Principal.WindowsIdentity winIden=new
System.Security.Principal.WindowsIdentity(iToken);

Exception:
String Message = "LoginWI() Invalid token; it cannot be
duplicated.
at
RtReports.Security.LocalAuthentication.CheckUserGroups(IntPtr
iToken,
StringCollection strGroupsCollection)
Any help is really appreciated.
Thanks,
Kamal



.

Relevant Pages

  • Re: WindowsIdentity - Invalid token; it cannot be duplicated
    ... Because the login method will be used by asp.net application and also used ... passing the token to Login method and it tries to get the Priniciple. ... IntPtr iToken, string domainName, string userName) ... and why do you have to pass tokens around?? ...
    (microsoft.public.dotnet.security)
  • Re: WindowsIdentity - Invalid token; it cannot be duplicated
    ... Dominick Baier ... So, the login method is common and before that we received the Token, ... IntPtr iToken, string domainName, string userName) ... and why do you have to pass tokens around?? ...
    (microsoft.public.dotnet.security)
  • Re: WindowsIdentity - Invalid token; it cannot be duplicated
    ... and why do you have to pass tokens around?? ... Dominick Baier ... Developing More Secure Microsoft ASP.NET 2.0 Applications ... String Message = "LoginWIInvalid token; ...
    (microsoft.public.dotnet.security)
  • Re: WindowsIdentity - Invalid token; it cannot be duplicated
    ... So, the login method is common and before that we received the Token, we are ... IntPtr iToken, string domainName, string userName) ... and why do you have to pass tokens around?? ... Dominick Baier ...
    (microsoft.public.dotnet.security)
  • WSE402: The message does not conform to the policy it was mapped t
    ... WSE 2 SP3 webservice that is requiring client side certs and username tokens: ... The message does not conform to the policy it was mapped to. ... expression, SoapEnvelope message, EndpointReference endpoint, String action, ...
    (microsoft.public.dotnet.framework.webservices.enhancements)