Impersonation failure with Index Server and Forms Authentication with Active Directory

[techfuzz]

I'm posting my problem experience and solution I found here for other
ASP.NET developers.

I have a web application that uses Forms Authentication with Active
Directory to control access. In this web application, I have search
page that utilizes the Windows Indexing Service (MSIDXS provider).
For reasons I'm not aware of at this time, setting <identity
impersonation="true" /> in the web.config causes an error whenever you
try to search.

This is the error message: HttpException (0x80004005): Impersonation
failure.

The only information I was able to find was another thread in the
microsoft.public.inetserver.indexserver newsgroup titled
"Impersonation Discoveries with .NET Framework" which steered me in
the right direction. SteveC, the owner of the other thread, said he
was able to fix the search by setting the impersonation to false but
other things broke probably because of his authentication method and
not being able to read the file ACL's.

Mine solution is a little different from his, I kept the overall
application's identity impersonation set to true as was originally how
I was configured, but then set the impersonation to false only for my
search.aspx page. Here's a snippet of my web.config for you with
commented notes.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<!-- I added this location node -->
<location allowOverride="true" />
<!-- End location node -->

<system.web>
<authentication mode="Forms">
<forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60"
path="/" >
</forms>
</authentication>

<!-- I left this impersonate alone -->
<identity impersonate="true" />

</system.web>

<!-- I added this location node -->
<location path="search.aspx">
<system.web>
<identity impersonate="false" />
</system.web>
</location>
<!-- End location node -->

</configuration>

[Yan-Hong Huang[MSFT]]

Hello,

Thanks very much for your post. It benefits the whole group very much.

It seems that this problem likes the one mentioned in:
"FIX: "Access Is Denied" Error Message When You Try to Access Indexing Service from ASP.NET with Impersonation
Enabled"
[url]http://support.microsoft.com/?id=323293[/url]

The workaround is also the same.

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - [url]www.microsoft.com/security[/url]
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
!From: [email]cruegseg@heery.com[/email] (techfuzz)
!Newsgroups: microsoft.public.dotnet.framework.aspnet
!Subject: Impersonation failure with Index Server and Forms Authentication with Active Directory
!Date: 8 Aug 2003 10:21:00 -0700
!Organization: [url]http://groups.google.com/[/url]
!Lines: 55
!Message-ID: <639a482f.0308080921.77f21448@posting.google.com >
!NNTP-Posting-Host: 67.96.192.158
!Content-Type: text/plain; charset=ISO-8859-1
!Content-Transfer-Encoding: 8bit
!X-Trace: posting.google.com 1060363261 9983 127.0.0.1 (8 Aug 2003 17:21:01 GMT)
!X-Complaints-To: [email]groups-abuse@google.com[/email]
!NNTP-Posting-Date: 8 Aug 2003 17:21:01 GMT
!Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed 00.sul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!
news.maxwell.syr.edu!sn-xit-03!sn-xit-01!sn-xit-05!sn-xit-09!supernews.com!postnews1.google.com!not-for-mail
!Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:166191
!X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
!
!I'm posting my problem experience and solution I found here for other
!ASP.NET developers.
!
!I have a web application that uses Forms Authentication with Active
!Directory to control access. In this web application, I have search
!page that utilizes the Windows Indexing Service (MSIDXS provider).
!For reasons I'm not aware of at this time, setting <identity
!impersonation="true" /> in the web.config causes an error whenever you
!try to search.
!
!This is the error message: HttpException (0x80004005): Impersonation
!failure.
!
!The only information I was able to find was another thread in the
!microsoft.public.inetserver.indexserver newsgroup titled
!"Impersonation Discoveries with .NET Framework" which steered me in
!the right direction. SteveC, the owner of the other thread, said he
!was able to fix the search by setting the impersonation to false but
!other things broke probably because of his authentication method and
!not being able to read the file ACL's.
!
!Mine solution is a little different from his, I kept the overall
!application's identity impersonation set to true as was originally how
!I was configured, but then set the impersonation to false only for my
!search.aspx page. Here's a snippet of my web.config for you with
!commented notes.
!
!<?xml version="1.0" encoding="utf-8" ?>
!<configuration>
!
!<!-- I added this location node -->
! <location allowOverride="true" />
!<!-- End location node -->
!
! <system.web>
! <authentication mode="Forms">
! <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60"
!path="/" >
! </forms>
! </authentication>
!
!<!-- I left this impersonate alone -->
! <identity impersonate="true" />
!
! </system.web>
!
!<!-- I added this location node -->
! <location path="search.aspx">
! <system.web>
! <identity impersonate="false" />
! </system.web>
! </location>
!<!-- End location node -->
!
!</configuration>
!