Impersonation headache


    #1 Impersonation headache

    I have been fighting with impersonation for quite some time now and no
    matter what I have tried it just won't work.

    I am trying to get information on two items:

    1) I'd like to retrieve a file listing from a directory on our file
    server.

    As with most cases I have read about, it works fine on my development PC (XP
    OS), but when run off of the web server, I receive <error: an exception of
    type: {System.UnauthorizedAccessException} occurred>.

    The only way I can get it to work is to set impersonation=true and set the
    username and password as our system administrator. I did try to set the
    user name and password as an AD user we created with full access to the
    directory, but to no avail.

    On IIS I have just Integrated Windows Authentication checked.

    Web.config is as follows: <identity impersonate="true" />

    Code:
    Imports System.Data
    Imports System.IO
    Imports System.Security.Principal

    Private Sub LoadFiles()
        ' With <identity impersonate="true" /> and Integrated Windows Authentication
        ' the request thread already carries the browser user's token, so this
        ' Impersonate() call only re-applies the identity the thread already has.
        Dim currentWindowsIdentity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim impersonationContext As WindowsImpersonationContext = currentWindowsIdentity.Impersonate()

        Try
            Dim dt As New DataTable()
            dt.Columns.Add("linkname")
            dt.Columns.Add("textname")

            'Dim DirectoryDefault As String = "\\ussfs01\private\Manufacturing\ProductRequest\" & intRequestNbr & "\"

            ' intRequestNbr is a page-level member holding the request number.
            ' Opening a UNC path is a second network hop: the file server only sees
            ' the impersonated token, so that token has to be usable off this box.
            Dim DirectoryDefault As String = "\\ussfs01\ProductRequest\" & intRequestNbr & "\"
            Dim di As New DirectoryInfo(DirectoryDefault)

            If di.Exists Then
                For Each filename As FileInfo In di.GetFiles()
                    Dim dr As DataRow = dt.NewRow()
                    dr("linkname") = DirectoryDefault & filename.Name
                    dr("textname") = filename.Name
                    dt.Rows.Add(dr)
                Next

                dlAttachments.DataSource = New DataView(dt)
                dlAttachments.DataBind()
                dlAttachments.Visible = True
            End If
        Finally
            ' Always revert, even when GetFiles() throws UnauthorizedAccessException.
            impersonationContext.Undo()
        End Try
    End Sub


    2) In the same program I have been trying to retrieve the user's full name,
    display name, or given name from our AD. Once again this works fine on my
    development PC, but on the web server I can't even retrieve those
    attributes.

    I have tried the following code to no avail:

    Imports System.DirectoryServices
    Imports System.Security.Principal

    ' WindowsIdentity.Name is "DOMAIN\user"; take the part after the backslash
    ' rather than assuming a fixed-length domain prefix.
    Dim fullName As String = WindowsIdentity.GetCurrent().Name
    Dim userkey As String = fullName.Substring(fullName.IndexOf("\"c) + 1)

    ' The search runs under the impersonated caller, so the LDAP bind to the
    ' domain controller is another off-box hop for that same token.
    Dim dse As New DirectoryEntry("LDAP://US")
    Dim dsearch As New DirectorySearcher(dse)

    ' userkey comes from the Windows token, not from user input; this filter
    ' assumes cn matches the logon name in our directory.
    dsearch.Filter = "(&(objectclass=user)(cn=" & userkey & "))"
    dsearch.PropertiesToLoad.Add("displayname")

    Dim sr As SearchResult = dsearch.FindOne()

    If Not (sr Is Nothing) AndAlso sr.Properties.Contains("displayname") Then
        UserName = CStr(sr.Properties("displayname")(0))
    Else
        UserName = Nothing
    End If

    dsearch.Dispose()
    dse.Dispose()

    Any help would be greatly appreciated!

    James Pemberton


    James Pemberton

    #2 Re: Impersonation headache

    These both sound like double-hop delegation issues. The fact that it works
    when you specify specific credentials in your impersonate tag but doesn't
    work when you use Windows Integrated Authentication (WIA) and try to access
    resources on a different machine than the IIS box suggests this. The
    impersonation token that WIA creates cannot hop to another machine on the
    network (like your file server or AD) unless Kerberos delegation has been
    enabled and is working.

    I'd suggest you read up on that first and then come back here if you can't
    get it to work or need a different approach.

    [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;810572[/url]

    You'll find even more links with a little searching.

    Cheers,

    Joe K.


    Joe Kaplan (MVP - ADSI)
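The double hop Joe describes fails for one of a small number of reasons: the browser never got a Kerberos ticket for the web server (no SPN, so NTLM was used), or the account the ASP.NET worker runs as is not allowed to delegate to the file server and the domain controller. The script below is an added example, not code from this thread, that checks those conditions with the ActiveDirectory PowerShell module (which did not exist when this thread was written). The account name WEB01$, the SPN HTTP/web01.us.example.com and the target services on ussfs01 and dc01 are assumptions for the example; substitute your own.

```powershell
# Added example (not from the thread). Run as a domain admin on a machine with the
# ActiveDirectory RSAT module. Constrained delegation needs Windows Server 2003
# domain functional level, and the ASP.NET worker must run as a domain account or as
# Network Service (the local ASPNET account on IIS 5 can never delegate).
Import-Module ActiveDirectory

$WebAccount = 'WEB01$'                     # sAMAccountName the worker process runs as
                                           # (computer account for Network Service, e.g. 'svc_web' for a domain user)
$WebSpn     = 'HTTP/web01.us.example.com'  # SPN the browser requests a ticket for
$Targets    = @('cifs/ussfs01.us.example.com', 'cifs/ussfs01',   # file-share hop
                'ldap/dc01.us.example.com',   'ldap/dc01')       # DirectorySearcher hop

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit = unconstrained delegation

function Test-DoubleHopReady {
    param([string]$Account, [string]$Spn, [string[]]$Delegates)

    $acct = Get-ADObject -Filter "sAMAccountName -eq '$Account'" `
                -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
    if (-not $acct) { throw "Account $Account not found" }
    $findings = @()

    # 1. Someone must hold the SPN, or Negotiate silently falls back to NTLM and
    #    an NTLM token can never be delegated. HOST/<fqdn> on a computer account
    #    covers HTTP for Network Service; a domain service account needs HTTP/ itself.
    $hostPart = $Spn.Split('/')[1]
    $holders  = @(Get-ADObject -LDAPFilter "(|(servicePrincipalName=$Spn)(servicePrincipalName=HOST/$hostPart))")
    if ($holders.Count -eq 0) {
        $findings += "No account holds $Spn or HOST/$hostPart; clients will fall back to NTLM"
    } elseif ($holders.Count -gt 1) {
        $findings += "SPN is duplicated on: $($holders.DistinguishedName -join '; ')"
    } elseif ($holders[0].DistinguishedName -ne $acct.DistinguishedName) {
        $findings += "SPN belongs to $($holders[0].DistinguishedName), not to $Account"
    }

    # 2. Unconstrained delegation would let the web server reuse the user's TGT anywhere;
    #    flag it and prefer an explicit target list.
    if ($acct.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
        $findings += "$Account is trusted for unconstrained delegation; use a target list instead"
    }

    # 3. Every service the impersonated token must reach has to be in the target list.
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    foreach ($t in $Delegates) {
        if ($allowed -notcontains $t) { $findings += "$Account may not delegate to $t" }
    }
    return ,$findings
}

$problems = @(Test-DoubleHopReady -Account $WebAccount -Spn $WebSpn -Delegates $Targets)
if ($problems.Count -eq 0) {
    'Kerberos constrained delegation looks correctly configured.'
} else {
    $problems
    # Remediation (Kerberos-only constrained delegation; works for a computer or user object):
    #   Set-ADObject -Identity (Get-ADObject -Filter "sAMAccountName -eq '$WebAccount'") `
    #       -Add @{ servicePrincipalName = $WebSpn; 'msDS-AllowedToDelegateTo' = $Targets }
    # Then recycle the worker process and run "klist" on a client to confirm an
    # HTTP/web01 ticket is actually issued before retesting the page.
}
```

The list of targets is the security boundary here: the web server can only present the user's identity to the services named in msDS-AllowedToDelegateTo, so list the file server's cifs/ SPN and the LDAP SPN of the domain controllers and nothing else.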

    #3 Re: Impersonation headache

    Thanks for the site.

    I've read quite a bit about delegates, but I have one more question. Do you
    have to setup your entire network, hardware and users, to utilize
    delegation? Or can you just set up those users or servers that you think
    will need to access information remotely?



    James Pemberton

    #4 Re: Impersonation headache

    I'm not a great expert on delegation, but you can enable delegation on a per
    user basis in AD. The other trick you have to be careful with is that
    delegation requires Kerberos, so you need to make sure your authentication
    is Kerberos end to end. If it fails over to NTLM, then delegation will
    suddenly break. Sometimes this will manifest itself as intermittent
    problems, where the user fails on one workstation, but works on another or a
    different network.

    Joe K.


    Joe Kaplan (MVP - ADSI)
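Joe's point that a fallback to NTLM breaks delegation "intermittently", per workstation, is something you can see in the web server's Security log rather than guess at: every logon event records which authentication package produced the token. The following is an added example, not from this thread, that groups NTLM network logons by the workstation they came from, which is exactly the population for whom the second hop will fail. Field names follow the EventData of event 4624 on Windows Server 2008 and later (Windows Server 2003 logs the same fields as event 540); the sample records are constructed for the example.

```powershell
# Added example (not from the thread). An NTLM logon yields a token that cannot be
# delegated, so users in this output are the ones who get UnauthorizedAccessException
# while Kerberos users on other workstations sail through.
function Find-NtlmFallback {
    param([object[]]$Events)   # objects shaped like the EventData of a 4624/540 event

    $Events |
        Where-Object {
            $_.Id -eq 4624 -and
            $_.LogonType -eq 3 -and                      # network logon = the IIS request itself
            $_.AuthenticationPackageName -eq 'NTLM'
        } |
        Group-Object -Property WorkstationName |
        ForEach-Object {
            [pscustomobject]@{
                Workstation = $_.Name
                Users       = (@($_.Group | Select-Object -ExpandProperty TargetUserName | Sort-Object -Unique) -join ', ')
                Logons      = $_.Count
            }
        }
}

# Constructed sample records (assumption: this is what the live query below produces).
# Kerberos network logons typically carry an empty WorkstationName; NTLM ones name the client.
$sample = @(
    [pscustomobject]@{ Id=4624; LogonType=3; AuthenticationPackageName='Kerberos'; TargetUserName='jpemberton'; WorkstationName='';         IpAddress='10.1.4.21' },
    [pscustomobject]@{ Id=4624; LogonType=3; AuthenticationPackageName='NTLM';     TargetUserName='jpemberton'; WorkstationName='LAPTOP07'; IpAddress='10.1.9.40' },
    [pscustomobject]@{ Id=4624; LogonType=3; AuthenticationPackageName='NTLM';     TargetUserName='asmith';     WorkstationName='LAPTOP07'; IpAddress='10.1.9.40' },
    [pscustomobject]@{ Id=4624; LogonType=3; AuthenticationPackageName='NTLM';     TargetUserName='bjones';     WorkstationName='KIOSK02';  IpAddress='10.1.9.77' },
    [pscustomobject]@{ Id=4624; LogonType=2; AuthenticationPackageName='NTLM';     TargetUserName='admin';      WorkstationName='WEB01';    IpAddress='-' }   # console logon, ignored
)

Find-NtlmFallback -Events $sample | Format-Table -AutoSize

# Live form, run on the web server (needs read access to the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     $f = @{}; foreach ($x in $d) { $f[$x.Name] = $x.'#text' }
#     [pscustomobject]@{ Id = $_.Id; LogonType = [int]$f.LogonType
#                        AuthenticationPackageName = $f.AuthenticationPackageName
#                        TargetUserName = $f.TargetUserName; WorkstationName = $f.WorkstationName
#                        IpAddress = $f.IpAddress }
# }
# Find-NtlmFallback -Events $live
```

Usual causes for the workstations that show up: the user typed an IP address or a short name that has no SPN, the machine is not domain-joined, a proxy sits between it and IIS, or its clock is skewed beyond the Kerberos tolerance. Fix those and the "works on one PC, not another" symptom goes away.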

    #5 Re: Impersonation headache

    In addition to Joe's comments, the following document is quite useful in
    getting these things setup:

    Troubleshooting Kerberos Errors
    [url]http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx[/url]

    It covers Kerberos and delegation basics, common scenarios and
    troubleshooting tips and tools.

    Cheers
    Ken


    Ken Schaefer

    #6 Re: Impersonation headache

    I actually did get this to work, without using delegation on the users and
    hardware in AD, using the example from:
    [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;306158[/url]


    Hopefully one last question though. I am currently hardcoding the user
    name, password, and domain into the code and really don't like doing that.
    I know I can retrieve the domain and username from
    WindowsIdentity.GetCurrent.Name, but is there any way of extracting the user's
    password without having them type it in on a logon screen?

    Thanks


    James Pemberton

    #7 Re: Impersonation headache

    The only way to get a plain text password is to either use forms
    authentication or use Basic authentication. With Windows Integrated
    authentication, the plain password is never sent to the IIS server, only a
    hash, so you can't get it. This is why IIS creates an impersonation token
    and you end up in your double-hop/delegation problem to begin with.

    So basically, you can't have it both ways. You either prompt for the
    password somehow or use delegation.

    If you have 2003 AD, you might also be able to use what is called Kerberos
    S4U. Essentially, this allows you to specify a machine as trusted and allow
    it to create a token for the user given only their userPrincipalName. There
    is a good article on this here:

    [url]http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/default.aspx[/url]

    Joe K.

    "James Pemberton" <james.pemberton@devro-casings.com> wrote in message
    news:e0lGoz3uEHA.452@TK2MSFTNGP09.phx.gbl...
    > I actually did get this to work, without using delegation on the users and
    > hardware in AD, using the example from:
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
    >
    >
    > Hopefully one last question though. I am currently hardcoding the user
    > name, password, and domain into the code and really don't like doing that.
    > I know I can retrieve the domain and username from
    > WindowsIdentity.GetCurrent.Name, but is there any way to extract the user's
    > password without having them type it in on a logon screen?
    >
    > Thanks
    >
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    > in message news:OOPj1upuEHA.272@TK2MSFTNGP15.phx.gbl...
    >> These both sound like double-hop delegation issues. The fact that it
    >> works when you specify specific credentials in your impersonate tag but
    >> doesn't work when you use Windows Integrated Authentication (WIA) and try
    >> to access resources on a different machine than the IIS box suggests
    >> this. The impersonation token that WIA creates cannot hop to another
    >> machine on the network (like your file server or AD) unless Kerberos
    >> delegation has been enabled and is working.
    >>
    >> I'd suggest you read up on that first and then come back here if you
    >> can't get it to work or need a different approach.
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    >>
    >> You'll find even more links with a little searching.
    >>
    >> Cheers,
    >>
    >> Joe K.
    >>
    >> "James Pemberton" <james.pemberton@devro-casings.com> wrote in message
    >> news:eD9ilYpuEHA.2172@TK2MSFTNGP14.phx.gbl...
    >>> I have been fighting with impersonation for quite some time now and no
    >>> matter what I have tried, it just won't work.
    >>>
    >>> I am trying to get information on two items:
    >>>
    >>> 1) I'd like to retrieve a file listing from a directory on our file
    >>> server.
    >>>
    >>> As with most cases I have read about, it works fine on my development
    >>> PC, XP OS, but when run off of the web server, I receive <error: an
    >>> exception of type: {System.UnauthorizedAccessException} occurred>.
    >>>
    >>> The only way I can get it to work is to set impersonation=true and set
    >>> the username and password as our system administrator. I did try to set
    >>> the user name and password as an AD user we created with full access to
    >>> the directory, but to no avail.
    >>>
    >>> On IIS I have just Integrated Windows Authentication checked.
    >>>
    >>> Web.config is as follows: <identity impersonate="true" />
    >>>
    >>> Code:
    >>> Private Sub LoadFiles()
    >>>     Dim impersonationContext As WindowsImpersonationContext
    >>>     Dim currentWindowsIdentity As WindowsIdentity
    >>>     currentWindowsIdentity = CType(WindowsIdentity.GetCurrent, WindowsIdentity)
    >>>     impersonationContext = currentWindowsIdentity.Impersonate()
    >>>     Dim dt As DataTable = New DataTable
    >>>     Dim dr As DataRow
    >>>     dt.Columns.Add("linkname")
    >>>     dt.Columns.Add("textname")
    >>>     Dim di As System.IO.DirectoryInfo
    >>>     'Dim DirectoryDefault As String = "\\ussfs01\private\Manufacturing\ProductRequest\" & intRequestNbr & "\"
    >>>     Dim DirectoryDefault As String = "\\ussfs01\ProductRequest\" & intRequestNbr & "\"
    >>>     di = New System.IO.DirectoryInfo(DirectoryDefault)
    >>>     If di.Exists Then
    >>>         For Each filename As System.IO.FileInfo In di.GetFiles()
    >>>             dr = dt.NewRow()
    >>>             dr("linkname") = DirectoryDefault & filename.Name
    >>>             dr("textname") = filename.Name
    >>>             dt.Rows.Add(dr)
    >>>         Next
    >>>         Dim dv As DataView = New DataView(dt)
    >>>         dlAttachments.DataSource = dv
    >>>         dlAttachments.DataBind()
    >>>         dlAttachments.Visible = True
    >>>     End If
    >>>     impersonationContext.Undo()
    >>> End Sub
    >>>
    >>>
    >>> 2) In the same program I have been trying to retrieve the user's
    >>> full name, display name, or given name from our AD. Once again this works
    >>> fine on my Development PC, but on the web server I can't even retrieve
    >>> those attributes.
    >>>
    >>> I have tried the following code to no avail:
    >>>
    >>> Dim userkey As String = WindowsIdentity.GetCurrent.Name.Substring(3)
    >>> Dim dse As New DirectoryEntry("LDAP://US")
    >>> Dim dsearch As DirectorySearcher = New DirectorySearcher(dse)
    >>> dsearch.Filter = "(&(objectclass=user)(cn=" & userkey & "))"
    >>> dsearch.PropertiesToLoad.Add("displayname")
    >>> Dim sr As SearchResult = dsearch.FindOne
    >>> If Not (sr Is Nothing) Then
    >>>     Dim rp As ResultPropertyCollection = sr.Properties
    >>>     UserName = rp.Item("displayname").Item(0)
    >>> Else
    >>>     UserName = Nothing
    >>> End If
    >>>
    >>> I have tried the following code to no avail:
    >>>
    >>> Any help would be greatly appreciated!
    >>>
    >>> James Pemberton
    >>>
    >>>
    >>
    >>
    >
    >

    Joe Kaplan (MVP - ADSI) Guest
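Joe's Kerberos S4U suggestion, worked through in VB.NET as an added example (not code from the thread or from the MSDN article it links). It assumes .NET 2.0 or later on a Windows Server 2003 domain, that the IIS host has been configured for constrained delegation with protocol transition, and that the caller already has the user's UPN; the module, function and share path names are hypothetical. The impersonation-level check and the Try/Finally are the two things the original LoadFiles lacks.

```vbnet
' Added example, not from the thread. Assumes Windows Server 2003 AD, .NET 2.0+,
' and an IIS host configured for constrained delegation with protocol transition.
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.Principal

Public Module S4UListing
    ' Obtain a Windows token for the caller without their password (S4U2Self),
    ' then read the share while impersonating. Returns the file names or throws.
    Public Function ListFilesAsUser(ByVal userPrincipalName As String, _
                                    ByVal sharePath As String) As List(Of String)
        ' The UPN-only constructor logs the user on through the S4U extension;
        ' no password and no hardcoded service credentials are involved.
        Dim s4uIdentity As New WindowsIdentity(userPrincipalName)

        ' Without protocol transition (or the TCB privilege on the worker process)
        ' the token is identification-level: fine for access checks, useless for
        ' reaching another machine. Fail clearly here instead of with a confusing
        ' UnauthorizedAccessException at the share.
        If s4uIdentity.ImpersonationLevel <> TokenImpersonationLevel.Impersonation Then
            Throw New InvalidOperationException( _
                "S4U produced an " & s4uIdentity.ImpersonationLevel.ToString() & _
                " token; enable protocol transition for this host before relying on it.")
        End If

        Dim names As New List(Of String)
        Dim ctx As WindowsImpersonationContext = s4uIdentity.Impersonate()
        Try
            ' Hypothetical share path, e.g. "\\fileserver\ProductRequest\123\"
            For Each fi As FileInfo In New DirectoryInfo(sharePath).GetFiles()
                names.Add(fi.Name)
            Next
        Finally
            ' Always revert, even when GetFiles throws; the original LoadFiles
            ' only undid the impersonation on the success path.
            ctx.Undo()
        End Try
        Return names
    End Function
End Module
```

The hop to the file server still relies on the host's constrained-delegation entry listing that server's CIFS service; S4U only replaces the missing password, not the delegation configuration.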
