What you are doing is possible. What Mitch is talking about in his post is
delegation of credentials. Essentially, this means that if you are
browsing the site and using your credentials sent by the browser, those
same credentials cannot be used to access another resource on a machine
remote to the Web server. In that scenario, the Web server is delegating
your credentials, and such is prevented when using NTLM authentication. If
all of the boxes are using Windows 2000 or later, you can use Kerberos and
delegation to get around that.
However, what you really want to do is impersonate this user just to run a
certain section of code and to write to the network resource. In that
case, code-level impersonation using PInvoke to call LogonUser is the
Here is an article that explains how to do that:
306158 INFO: Implementing Impersonation in an ASP.NET Application
Jim Cheshire [MSFT]
This post is provided as-is with no warranties and confers no rights.
-------------------- microsoft.public.dotnet.framework.aspnet.security: 7296
>From: "Dima Semensky" <dsemenbellsouth.net>
>Subject: Access network resources from ASP.NET
>Date: Thu, 23 Oct 2003 10:55:28 -0400
>After extensive research of this topic, I'm still not sure what the
>"official" way to do it is.
> 1. User submits some request to ASP.NET application and the app should
>write the result to a network share.
> 2. Integrated Authentication must be used
> 3. No open passwords are allowed to be specified in any config files
> 4. Can't assign special domain user as Local Administrator
> With default setup, it is not possible due to security reasons.
> - impersonation
> - machine.config - processModel.userName
> - IUSR_MACHINE user
> - delegation
>Here is where I'm stuck: I'd like to use impersonation like this:
> <identity impersonate="true" userName="Bob" password="pwd" />
>but this topic explains that it's not possible:
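
Added example, not part of either post and not code from the referenced article: a sketch of the code-level impersonation the reply describes, calling LogonUser through P/Invoke and impersonating only around the write to the share. The names `ShareWriter` and `WriteAs` are hypothetical, the logon type `LOGON32_LOGON_NEW_CREDENTIALS` is a choice made here for outbound-only access, and the code assumes the .NET Framework (`WindowsIdentity.Impersonate`).

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ShareWriter   // hypothetical helper name
{
    // NEW_CREDENTIALS: the thread keeps its local identity and the supplied
    // account is used only for outbound network connections.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // The caller supplies the password at run time (assumption: it comes from
    // a protected store, not from a plain-text config file).
    public static void WriteAs(string domain, string user, string password,
                               string uncPath, string content)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            // Impersonate for the shortest possible span: just the write.
            ctx = new WindowsIdentity(token).Impersonate();
            using (StreamWriter w = new StreamWriter(uncPath))
                w.Write(content);
        }
        finally
        {
            // Always revert, even if the write throws, so the rest of the
            // request never runs under the borrowed identity.
            if (ctx != null) ctx.Undo();
            CloseHandle(token);
        }
    }
}
```

With this logon type the credentials are not checked when LogonUser returns; a wrong password surfaces as an access error at the write to the UNC path, so that exception is the one to log and alert on.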