Impersonation in ASP.Net


  1. #1

    Default Re: Impersonation in ASP.Net

    Hi,

    you can enter a domain user for the anonymous access. Then you just have to
    activate impersonation for your web application. Modify the web.config for
    impersonation in the <system.web> section:

    <identity impersonate="true" />

    I know there is a way to impersonate a web service call. But I am not sure
    whether there is a way to impersonate a file access (without HTTP).

    cu
    Bjoern Wolfgardt

    "Sanjay Poojari" <sanjay@rheal.com> wrote in message
    news:O1nxXv3TDHA.2008@TK2MSFTNGP11.phx.gbl...
    > Hi All,
    >
    > I have an ASP.Net application in which I need to run certain sections of the
    > code in another user context (other than that aspnet user). The scenario is
    > like this:
    >
    > I have a file server (a different machine from the web server) that stores
    > directories and documents (files). My application needs to access the files
    > and directories from the other machine. But the aspnet user will not be
    > given access rights to the other machine. So in the code sections that
    > access the file server, has to be run in a different user context (a user
    > account that HAS access to the file server).
    >
    > Can anyone tell me what would be the best way to implement this. Would like
    > to know all the issues involved and also how difficult (or easy) it would be
    > to implement. Any suggestion/advice/pointers would be appreciated.
    >
    > Thanks in advance.
    > Sanjay

    Bjoern Wolfgardt Guest

  4. #3

    Default Re: Impersonation in ASP.Net

    Sorry,

    if you talk about an intranet application you just have to activate the
    impersonation. The logged-on user (on the client) will be used for
    impersonation if integrated authentication is enabled on your web server (or
    web application).

    But if you work with anonymous access you can use the domain user account.

    cu
    Bjoern Wolfgardt

    "Sanjay Poojari" <sanjay@rheal.com> wrote in message
    news:O1nxXv3TDHA.2008@TK2MSFTNGP11.phx.gbl...
    > Hi All,
    >
    > I have an ASP.Net application in which I need to run certain sections of the
    > code in another user context (other than that aspnet user). The scenario is
    > like this:
    >
    > I have a file server (a different machine from the web server) that stores
    > directories and documents (files). My application needs to access the files
    > and directories from the other machine. But the aspnet user will not be
    > given access rights to the other machine. So in the code sections that
    > access the file server, has to be run in a different user context (a user
    > account that HAS access to the file server).
    >
    > Can anyone tell me what would be the best way to implement this. Would like
    > to know all the issues involved and also how difficult (or easy) it would be
    > to implement. Any suggestion/advice/pointers would be appreciated.
    >
    > Thanks in advance.
    > Sanjay

    Bjoern Wolfgardt Guest

  6. #5

    Default Re: Impersonation in ASP.Net

    Thanks for the reply, Bjoern. I know I can impersonate a domain user in the
    web.config file. However, I don't want to run the entire
    application in another user's context, only some parts of the code. Can
    you tell me how I can do this?

    Thanks,
    Sanjay


    "Bjoern Wolfgardt" <bjoern.wolfgardt@donotspamme-i-ventions.de> wrote in
    message news:#WCQwS4TDHA.1688@TK2MSFTNGP11.phx.gbl...
    > Hi,
    >
    > you can enter a domain user for the anonymous access. Then you just have to
    > activate impersonation for your web application. Modify the web.config for
    > impersonation in the <system.web> section:
    >
    > <identity impersonate="true" />
    >
    > I know there is a way to impersonate a web service call. But I am not sure
    > whether there is a way to impersonate a file access (without HTTP).

    Sanjay Poojari Guest

  8. #7

    Default Re: Impersonation in ASP.Net

    Yes, that is exactly what I was looking for. Thanks a lot.

    Sanjay


    "Bjoern Wolfgardt" <bjoern.wolfgardt@donotspamme-i-ventions.de> wrote in
    message news:OgjA8p4TDHA.2180@TK2MSFTNGP10.phx.gbl...
    > Not sure if this helps:
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
    >

    Sanjay Poojari Guest

  10. #9

    Default Re: Impersonation in ASP.Net

    Hi,

    I have checked this. I created a text file on another server. I gave
    only my user read access. I then built an ASP.NET application on my
    client. I disabled all access types but Windows integrated. I enabled
    impersonation in my web.config and it works. I then deployed the
    application to another server and it also worked.
    Config:
    Windows 2000 Server
    Windows XP Pro.

    Maybe you will give me some example code so that I can try it.

    cu
    Bjoern Wolfgardt


    "Jerry" <jerryy@solutionbuildersinc.com> wrote in message news:<Of09gKPXDHA.888@TK2MSFTNGP10.phx.gbl>...
    > I'm not sure if that is correct.. I've tried using the windows auth. and
    > setting the impersonate to true.. but that only works b/w the client
    > machine and the webserver.. if you have server component that needs to
    > access other network resources... the above is not enough..
    > It's fine if you are running the website from your desktop and accessing the
    > page from that machine.. the minute you deploy that to another machine..
    > you will not have access...
    >
    > I have code that is trying to access other servers in the network and see
    > what windows services are running.. I'm getting access problems.. still
    > working on the issue.
    >
    > -jerry
    >
    > "Bjoern Wolfgardt" <bjoern.wolfgardt@donotspamme-i-ventions.de> wrote in
    > message news:OaLAhV4TDHA.2648@TK2MSFTNGP10.phx.gbl...
    > > Sorry,
    > >
    > > if you talk about an intranet application you just have to activate the
    > > impersonation. The logged-on user (on the client) will be used for
    > > impersonation if integrated authentication is enabled on your web server
    > > (or web application).
    > >
    > > But if you work with anonymous access you can use the domain user account.
    > >
    > > cu
    > > Bjoern Wolfgardt
    > >
    > > "Sanjay Poojari" <sanjay@rheal.com> wrote in message
    > > news:O1nxXv3TDHA.2008@TK2MSFTNGP11.phx.gbl...
    > > > Hi All,
    > > >
    > > > I have an ASP.Net application in which I need to run certain sections of
    > > > the code in another user context (other than that aspnet user). The
    > > > scenario is like this:
    > > >
    > > > I have a file server (a different machine from the web server) that
    > > > stores directories and documents (files). My application needs to access
    > > > the files and directories from the other machine. But the aspnet user
    > > > will not be given access rights to the other machine. So in the code
    > > > sections that access the file server, has to be run in a different user
    > > > context (a user account that HAS access to the file server).
    > > >
    > > > Can anyone tell me what would be the best way to implement this. Would
    > > > like to know all the issues involved and also how difficult (or easy) it
    > > > would be to implement. Any suggestion/advice/pointers would be
    > > > appreciated.
    > > >
    > > > Thanks in advance.
    > > > Sanjay

    Bjoern Wolfgardt Guest

  12. #11

    Default Re: Impersonation in ASP.Net

    I wonder if the same is true if all machines involved are Win2000 with Active
    Directory.

    -jerry


    "Bjoern Wolfgardt" <aalamar@gmx.de> wrote in message
    news:14ad014.0308072330.1f3524d8@posting.google.com...
    > Hi,
    >
    > I have checked this. I created a text file on another server. I gave
    > only my user read access. I then built an ASP.NET application on my
    > client. I disabled all access types but Windows integrated. I enabled
    > impersonation in my web.config and it works. I then deployed the
    > application to another server and it also worked.
    > Config:
    > Windows 2000 Server
    > Windows XP Pro.
    >
    > Maybe you will give me some example code so that I can try it.
    >
    > cu
    > Bjoern Wolfgardt
    >
    > "Jerry" <jerryy@solutionbuildersinc.com> wrote in message
    > news:<Of09gKPXDHA.888@TK2MSFTNGP10.phx.gbl>...
    > > I'm not sure if that is correct.. I've tried using the windows auth. and
    > > setting the impersonate to true.. but that only works b/w the client
    > > machine and the webserver.. if you have server component that needs to
    > > access other network resources... the above is not enough..
    > > It's fine if you are running the website from your desktop and accessing
    > > the page from that machine.. the minute you deploy that to another
    > > machine.. you will not have access...
    > >
    > > I have code that is trying to access other servers in the network and
    > > see what windows services are running.. I'm getting access problems..
    > > still working on the issue.
    > >
    > > -jerry
    > >
    > > "Bjoern Wolfgardt" <bjoern.wolfgardt@donotspamme-i-ventions.de> wrote in
    > > message news:OaLAhV4TDHA.2648@TK2MSFTNGP10.phx.gbl...
    > > > Sorry,
    > > >
    > > > if you talk about an intranet application you just have to activate
    > > > the impersonation. The logged-on user (on the client) will be used
    > > > for impersonation if integrated authentication is enabled on your
    > > > web server (or web application).
    > > >
    > > > But if you work with anonymous access you can use the domain user
    > > > account.
    > > >
    > > > cu
    > > > Bjoern Wolfgardt
    > > >
    > > > "Sanjay Poojari" <sanjay@rheal.com> wrote in message
    > > > news:O1nxXv3TDHA.2008@TK2MSFTNGP11.phx.gbl...
    > > > > Hi All,
    > > > >
    > > > > I have an ASP.Net application in which I need to run certain
    > > > > sections of the code in another user context (other than that
    > > > > aspnet user). The scenario is like this:
    > > > >
    > > > > I have a file server (a different machine from the web server) that
    > > > > stores directories and documents (files). My application needs to
    > > > > access the files and directories from the other machine. But the
    > > > > aspnet user will not be given access rights to the other machine.
    > > > > So in the code sections that access the file server, has to be run
    > > > > in a different user context (a user account that HAS access to the
    > > > > file server).
    > > > >
    > > > > Can anyone tell me what would be the best way to implement this.
    > > > > Would like to know all the issues involved and also how difficult
    > > > > (or easy) it would be to implement. Any suggestion/advice/pointers
    > > > > would be appreciated.
    > > > >
    > > > > Thanks in advance.
    > > > > Sanjay

    Jerry Guest

  14. #13

    Default Impersonation in asp.net

    Hello, I have a problem with impersonation in ASP.NET: I've developed some
    components which can create user accounts on the web server. The asp files
    residing on the server will call these components to do the job BUT the
    "aspnet" (asp.net worker process account) doesn't have enough privilege to
    do so... (as the components are called in the context of this "low
    privilege" account). I understand that the .NET Framework has something called
    "impersonation" which can run the worker process in the context of some
    "higher" account (in this case, accounts under the administrators group). The
    problem seems to be solved with this approach but now the problem is that
    the "impersonated" account, which is the "admin" account's name and
    password, is stored in "cleartext" in the web.config file, which poses a
    serious security issue... A solution to this is to store the username
    and password in the registry and encrypt them... however, the debugger
    returns an error that the "password" entry cannot be read from the registry...
    even though I did give the "read" permission to the worker process... so how can
    this be resolved? Or is this the right way to do this kind of job?

    Thanks in advance.

    Samuel


    Samuel Shum Guest

  15. #14

    Default RE: Impersonation in asp.net

    Use the DPAPI or one of the .NET encryption methods to encrypt the information in the web.config file. Information on this topic is in the Building Secure ASP.NET practices paper: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true


    "Samuel Shum" wrote:
    > Hello, I have a problem on the impersonation in asp.net: I've developed some
    > components which can create user accounts on the web server. The asp files
    > resided on the server will call these components to do the job BUT the
    > "aspnet" (asp.net worker process account) doesn't have enough privilege to
    > do so... (as the components are called in the context of this "low
    > privilege" account). I understand that .Net framework has something called
    > "impersonation" which can run the worker process in the context of some
    > "higher" account (in this case, accounts under administrators group). The
    > problem seems to be solved with this approach but now the problem is that
    > the "impersonated" account, which is the "admin" account's name and
    > password, is stored in "cleartext" in the web.config file which imposes
    > serious security issue... A solution solving this is to store the username
    > and password in the registry and encrypt them... however, the debugger
    > returns error that the "password" entry cannot be read from the registry...
    > even I did give the permission "read" to the worker process... so how can
    > this be resolved? Or is this the right way to do this kind of job?
    >
    > Thanks in advance.
    >
    > Samuel
    >
    >
    >
    Mark Duregon Guest

  16. #15

    Default Re: Impersonation in asp.net

    Thanks Mark for the information, sorry if my query misled you. I'd done the
    encryption part: the username and password are encrypted and stored in the
    registry with the tool "aspnet_setreg"
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
    can be retrieved by stating the following entry in the web.config file:

    <identity impersonate="true"
        userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
        password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />

    I followed the procedures exactly but the browser returns the following error:
    ***
    Configuration Error
    Description: An error occurred during the processing of a configuration file
    required to service this request. Please review the specific error details
    below and modify your configuration file appropriately.

    Parser Error Message: Error reading the password from the registry.

    Source Error:

    Line 83: <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    Line 84:
    Line 85: <identity impersonate="true"
        userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
        password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    Line 86: </system.web>

    Source File: c:\inetpub\wwwroot\Encryption\web.config Line: 85

    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
    Version:1.1.4322.573
    ***

    I'd given the "aspnet" account the permission to read the entries, just
    don't know what the error exactly means.

    Samuel


    Samuel Shum Guest

  17. #16

    Default Re: Impersonation in asp.net

    Possible Solution: I have wrestled with this one also. I finally got
    it to work by giving the MachineName(change this)\ASPNET account
    permissions to read the registry key ASPNET_SETREG directly, not the
    Identity key. Note, every time you run aspnet_setreg it will drop and
    recreate the key, so you will have to add the permissions every time
    you run it. Hope this helps.

    Stephen Shirley,
    MCSD .NET

    "Samuel Shum" <samuelshum@hotmail.com> wrote in message news:<eKaIf6WaEHA.2908@TK2MSFTNGP10.phx.gbl>...
    > Thanks Mark for the information, sorry if my query misled you. I'd done the
    > encryption part: the username and password are encrypted and stored in the
    > registry with the tool "aspnet_setreg"
    > (http://support.microsoft.com/default.aspx?scid=kb;en-us;329290) and those
    > can be retrieved by stating the following entry in the web.config file:
    >
    > <identity impersonate="true"
    >     userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
    >     password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    >
    > I followed the procedures exactly but the browser returns the following error:
    > ***
    > Configuration Error
    > Description: An error occurred during the processing of a configuration file
    > required to service this request. Please review the specific error details
    > below and modify your configuration file appropriately.
    >
    > Parser Error Message: Error reading the password from the registry.
    >
    > Source Error:
    >
    > Line 83: <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    > Line 84:
    > Line 85: <identity impersonate="true"
    >     userName="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,userName"
    >     password="registry:HKLM\Software\DummyApplication\Identity\ASPNET_SETREG,password" />
    > Line 86: </system.web>
    >
    > Source File: c:\inetpub\wwwroot\Encryption\web.config Line: 85
    >
    > --------------------------------------------------------------------------------
    > Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
    > Version:1.1.4322.573
    > ***
    >
    > I'd given the "aspnet" account the permission to read the entries, just
    > don't know what the error exactly means.
    >
    > Samuel
    Stephen Shirley, MCSD .NET Guest
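
    Because aspnet_setreg recreates the key on each run, the read permission described in the post above has to be checked and re-applied every time. The following C# sketch is an added example, not code from the thread or from the KB article; it assumes .NET Framework 2.0 or later (for the registry ACL classes), the key path from Samuel's web.config entry, and the local ASPNET account, and the class and method names are illustrative.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example: run from an administrative prompt after each aspnet_setreg run.
public static class SetRegKeyAcl
{
    // Key path taken from the <identity> element quoted in the thread.
    private const string KeyPath = @"Software\DummyApplication\Identity\ASPNET_SETREG";

    // True if the ACL holds an Allow entry for exactly this SID that covers ReadKey.
    // Access the account might get through group membership is not counted, and
    // Deny entries are not evaluated.
    public static bool HasReadAce(RegistrySecurity acl, SecurityIdentifier sid)
    {
        foreach (RegistryAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && rule.IdentityReference.Equals(sid)
                && (rule.RegistryRights & RegistryRights.ReadKey) == RegistryRights.ReadKey)
            {
                return true;
            }
        }
        return false;
    }

    // Grants ReadKey (and nothing more) on the ASPNET_SETREG key itself.
    // Returns true if an entry had to be added, false if it was already present.
    public static bool EnsureRead(string accountName)
    {
        SecurityIdentifier sid = (SecurityIdentifier)
            new NTAccount(accountName).Translate(typeof(SecurityIdentifier));

        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
                   KeyPath,
                   RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
        {
            if (key == null)
                throw new InvalidOperationException(@"Key not found: HKLM\" + KeyPath);

            RegistrySecurity acl = key.GetAccessControl(AccessControlSections.Access);
            if (HasReadAce(acl, sid))
                return false;

            acl.AddAccessRule(new RegistryAccessRule(
                sid, RegistryRights.ReadKey, AccessControlType.Allow));
            key.SetAccessControl(acl);
            return true;
        }
    }

    public static int Main(string[] args)
    {
        // Default to the local worker account named in the post (MachineName\ASPNET).
        string account = args.Length > 0 ? args[0] : Environment.MachineName + @"\ASPNET";
        try
        {
            bool added = EnsureRead(account);
            Console.WriteLine(added
                ? "Added read access for " + account
                : "Read access already present for " + account);
            return 0;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Failed: " + ex.Message);
            return 1;
        }
    }
}
```

    Only the worker account is granted access, and only read access, so the encrypted credentials stay unreadable to other local accounts.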

  18. #17

    Default Impersonation in ASP.net

    I want an asp.net buttonclick_onserver event to run a process as a
    given domain user on the server. What is the easiest way to do this?

    For some reason "LogonUser" fails with "Unknown user or password"
    LocalMachine/Administrator also failed.
    Hananiel Guest

  19. #18

    Default Impersonation in ASP.net

    Look at WindowsIdentity.Impersonate() in the documentation



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<e338e321.0410151204.47822a55@posting.google.com>

    I want an asp.net buttonclick_onserver event to run a process as a
    given domain user on the server. What is the easiest way to do this.

    For some reason "LogonUser" fails with "Unknown user or password"
    LocalMachine/Administrator also failed.

    [microsoft.public.dotnet.framework.aspnet.security]
    Dominick Baier Guest

  20. #19

    Default Re: Impersonation in ASP.net

    Do a search in this group or microsoft.public.dotnet.security with Google
    for a thread that discussed using WMI to do this.

    Essentially, you can't use impersonation and the standard .NET Process class
    to do this as it doesn't pick up the impersonated identity and will always
    use the process identity. Other people have tried calling
    CreateProcessWithLogonW or the AsUser or WithTokenW via p/invoke and haven't
    had much luck either. The WMI approach seems to work very well.

    You do need the user's plaintext password for this though I'm pretty sure.
    You definitely need a primary token one way or the other.

    Best of luck,

    Joe K.

    "Hananiel" <hananiel@yahoo.com> wrote in message
    news:e338e321.0410151204.47822a55@posting.google.com...
    >I want an asp.net buttonclick_onserver event to run a process as a
    > given domain user on the server. What is the easiest way to do this.
    >
    > For some reason "LogonUser" fails with "Unknown user or password"
    > LocalMachine/Administrator also failed.

    Joe Kaplan \(MVP - ADSI\) Guest

  21. #20

    Default Impersonation in ASP.NET

    Hi
    I would like to know how to use impersonation, in order to write to a file
    on a network share.
    The user will be logging on to this web app, and will then click a button
    which will write to a file on the network share. Currently though, I am
    getting permissions errors. I don't want to set identity impersonate = "true"
    because I gather that exposes security weaknesses. Rather, I would like the
    user to have to actually enter their windows password. I would then call an
    impersonate method, and then try to do it. But it is not working at the
    moment, I suspect due to permissions.

    Here is the code used to impersonate:
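    ' Requires Imports System.Security.Principal. LogonUser, DuplicateToken, the
    ' LOGON32_* constants and impersonationContext must be declared at class
    ' level; they are not shown in this post.
    Public Function Impersonate(ByVal UserName As String, ByVal Domain As String, _
                                ByVal Password As String) As Boolean
        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr
        Dim tokenDuplicate As IntPtr

        ' Log the user on, then duplicate the token at impersonation level 2
        ' (SecurityImpersonation) before switching the thread identity.
        If LogonUser(UserName, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                     LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
            If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                impersonationContext = tempWindowsIdentity.Impersonate()

                Return Not (impersonationContext Is Nothing)
            End If
        End If

        ' Logon or token duplication failed.
        Return False
    End Function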

    (written in VB.NET, but equally in C#)

    Running the same code to write to the text file in a windows forms
    application works fine.
    This throws a permissions error in ASP.NET, even though the impersonation
    method appears to be successful.

    Any help much appreciated

    Thanks
    Bonj Guest
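
    The thread keeps returning to the same need: run only one section of code under another account (posts #5 to #7), and find out why LogonUser or the impersonated call fails (posts #17 and #20). The C# helper below is an added example, not code from any poster or from KB 306158; it assumes .NET Framework on Windows, and the names ScopedImpersonation, RunAs and ReadShareFile are illustrative. It limits the borrowed identity to one delegate, reports the Win32 error code when the logon fails, and always reverts and closes the token.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (assumed names: ScopedImpersonation, RunAs, ReadShareFile).
public static class ScopedImpersonation
{
    // Same logon type and provider as the VB.NET code posted in the thread.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public delegate T Work<T>();

    // Runs 'work' under the given account and reverts to the previous
    // identity afterwards, whether 'work' returns or throws.
    public static T RunAs<T>(string userName, string domain, string password, Work<T> work)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 reason instead of a bare failure, for example:
            //   1326 ERROR_LOGON_FAILURE       unknown user name or bad password
            //   1314 ERROR_PRIVILEGE_NOT_HELD  caller lacks a required privilege
            //        (on Windows 2000, LogonUser needs "Act as part of the
            //        operating system")
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        WindowsImpersonationContext context = null;
        try
        {
            // WindowsIdentity duplicates the token, so the handle returned by
            // LogonUser can be closed in the finally block.
            WindowsIdentity identity = new WindowsIdentity(token);
            context = identity.Impersonate();
            return work();
        }
        finally
        {
            // Revert first, then release the handle, so the request thread
            // never keeps the borrowed identity.
            if (context != null) context.Undo();
            CloseHandle(token);
        }
    }

    // Reads one file from a share as the given account and verifies that the
    // thread identity is back to what it was before the call.
    public static string ReadShareFile(string userName, string domain,
                                       string password, string uncPath)
    {
        string before = WindowsIdentity.GetCurrent().Name;

        string text = RunAs<string>(userName, domain, password, delegate
        {
            // Only this block runs as domain\userName.
            return File.ReadAllText(uncPath);
        });

        if (WindowsIdentity.GetCurrent().Name != before)
            throw new InvalidOperationException("Impersonation was not reverted.");
        return text;
    }
}
```

    Joe Kaplan's reply above still applies: a process started inside the delegate with the .NET Process class runs under the worker process identity, not the impersonated one.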
