simonc #1
Impersonation fails when accessing remote files.
I am impersonating a user by setting the details in Web.config. I have
confirmed that the .aspx page is running as the impersonated user. I then
try to access a remote file which requires authentication to view.
The log files for the remote server say that user "aspnet" tried to
connect and was (rightly) rejected.
After lots of fiddling and Googling I discovered the following:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q325791
So I changed my page definition to include aspcompat="true". The problem
is still the same - the page will not try to connect using the
impersonated user credentials.
To clarify:
Impersonation is working but the impersonated user credentials are not
being used in the authentication process.
Any ideas?
simonc Guest
-
Paul Clement #2
Re: Impersonation fails when accessing remote files.
On Mon, 08 Nov 2004 05:38:28 -0500, "simonc" <simon.c@gordian.co.uk> wrote:
¤ I am impersonating a user by setting the details in Web.config. I have
¤ confirmed that the .aspx page is running as the impersonated user. I then
¤ try to access a remote file which requires authentication to view.
¤
¤ The log files for the remote server say that user "aspnet" tried to
¤ connect and was (rightly) rejected.
¤
¤ After lots of fiddling and Googling I discovered the following:
¤
¤ http://support.microsoft.com/default.aspx?scid=kb;EN-US;q325791
¤
¤ So I changed my page definition to include aspcompat="true". The problem
¤ is still the same - the page will not try to connect using the
¤ impersonated user credentials.
¤
¤ To clarify:
¤ Impersonation is working but the impersonated user credentials are not
¤ being used in the authentication process.
Web server impersonation with .NET is limited to local web server resources. You need to use
Delegation if you're accessing a resource on another server:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetdelegation.asp
The other solution is to implement impersonation using the LogonUser API function call:
http://support.microsoft.com/?id=306158
Paul ~~~ pclement@ameritech.net
Microsoft MVP (Visual Basic)
Paul Clement Guest
-
simonc #3
Re: Impersonation fails when accessing remote files.
Paul,
thanks for the prompt reply. I have already tried using the logon user API
and the result is the same - i.e. the credentials used to log on are the
aspnet ones not the impersonated ones. Here's the code (Impersonate is
just a wrapper class for the MS standard example of using the logon user
API):
'**** CODE ****
Dim impersonation As Impersonate = New Impersonate

'WhoAmI - will be 'aspnet'
Dim userStr As String = impersonation.WhoAmI

impersonation.SetIdentity(user, pass, domain)
impersonation.BeginImpersonation()

'WhoAmI - will be 'user'
userStr = impersonation.WhoAmI

Dim myFileWebResponse As System.Net.FileWebResponse

Try
    Dim url As String = _
        "file://192.168.0.1\path\test.pdf"
    Dim myFileWebRequest As System.Net.FileWebRequest = _
        CType(System.Net.WebRequest.Create(url), _
        System.Net.FileWebRequest)

    'This call will fail with an access denied exception.
    'Server logs show that user 'aspnet' tried to connect.
    myFileWebResponse = _
        CType(myFileWebRequest.GetResponse(), _
        System.Net.FileWebResponse)
Catch ex As System.Net.WebException

Catch ex As UriFormatException

End Try

impersonation.EndImpersonation()

'WhoAmI - back to 'aspnet'
userStr = impersonation.WhoAmI
'***** END CODE ******
I guess I'll have to look into delegation...
simonc Guest
-
vetplakh #4
Re: Impersonation fails when accessing remote files.
I guess you will. A quote from the Platform SDK about the LogonUser function:
"The LogonUser function attempts to log a user on to the local computer. The
local computer is the computer from which LogonUser was called. You cannot
use LogonUser to log on to a remote computer."
About ASPCOMPAT=TRUE. This setting effectively switches processing threads to
STA mode (hence ASPCOMPAT). I'd not recommend doing that unless you are
creating (explicitly or implicitly) some STA COM components in your ASP.NET code.
"simonc" wrote:
> Paul,
> thanks for the prompt reply. I have already tried using the logon user API
> and the result is the same - IE the credentials used to logon are the
> aspnet ones not the impersonated ones. Here's the code (Impersonate is
> just a wrapper class for the MS standard example of using the logon user
> API):
>
> '**** CODE ****
> Dim impersonation As Impersonate = New Impersonate
>
> 'WhoAmI - will be 'aspnet'
> Dim userStr As String = impersonation.WhoAmI
>
> impersonation.SetIdentity(user, pass, domain)
> impersonation.BeginImpersonation()
>
> 'WhoAmI - will be 'user'
> userStr = impersonation.WhoAmI
>
> Dim myFileWebResponse As System.Net.FileWebResponse
>
> Try
> Dim url As String = _
> "file://192.168.0.1\path\test.pdf"
> Dim myFileWebRequest As System.Net.FileWebRequest = _
> CType(System.Net.WebRequest.Create(url), _
> System.Net.FileWebRequest)
>
> 'This call will fail with an access denied exception.
> 'Server logs show that user 'aspnet' tried to connect.
> myFileWebResponse = _
> CType(myFileWebRequest.GetResponse(), _
> System.Net.FileWebResponse)
> Catch ex As System.Net.WebException
>
> Catch ex As UriFormatException
>
> End Try
>
> impersonation.EndImpersonation()
>
> 'WhoAmI - back to 'aspnet'
> userStr = impersonation.WhoAmI
> '***** END CODE ******
>
> I guess I'll have to look into delegation...
>
vetplakh Guest
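Added example, not part of the thread and not the poster's `Impersonate` wrapper: a LogonUser-based wrapper of the kind discussed above that always reverts the thread token and closes the logon handle, with the logon type left as a parameter. `ImpersonationScope`, `RunAs` and `Work` are hypothetical names; the constants are the Win32 values from winbase.h, and the thread does not say which logon type the poster's wrapper used.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added illustration; ImpersonationScope, RunAs and Work are hypothetical names.
Public NotInheritable Class ImpersonationScope
    ' Logon types and providers as defined in winbase.h.
    Public Const LOGON32_LOGON_INTERACTIVE As Integer = 2      ' full local logon session
    Public Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9  ' local identity is unchanged; the supplied
    '                                                            credentials apply to outbound connections only
    Public Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Public Const LOGON32_PROVIDER_WINNT50 As Integer = 3       ' required with NEW_CREDENTIALS

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    Public Delegate Sub Work()

    ' Runs action under the supplied account and always reverts the thread token.
    Public Shared Sub RunAs(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, ByVal action As Work)
        Dim provider As Integer = LOGON32_PROVIDER_DEFAULT
        If logonType = LOGON32_LOGON_NEW_CREDENTIALS Then provider = LOGON32_PROVIDER_WINNT50

        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, logonType, provider, token) Then
            ' Surface the Win32 error instead of continuing as the worker account.
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        Dim ctx As WindowsImpersonationContext = Nothing
        Try
            ctx = New WindowsIdentity(token).Impersonate()
            action.Invoke()   ' exceptions propagate to the caller rather than being swallowed
        Finally
            If ctx IsNot Nothing Then ctx.Undo()   ' revert even when the action throws
            CloseHandle(token)                     ' WindowsIdentity duplicated the handle; close ours
        End Try
    End Sub
End Class
```

With `LOGON32_LOGON_NEW_CREDENTIALS`, a local identity check such as `WindowsIdentity.GetCurrent().Name` still reports the worker account, so confirm the effective identity in the remote server's logon events rather than on the web server.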




