Professional Web Applications Themes

Using LogonUser API in ASP.net with an account other than ASPNet account - ASP.NET Security

  1. #1

    Using LogonUser API in ASP.net with an account other than ASPNet account

    I am trying to use the LogonUser API function from ASP.NET. This works
    fine on my machine, which is Windows XP, but fails with error code 1314
    on Windows 2000 Server. I searched the web and found out that the "Act as
    part of operating system" permission is needed for using the LogonUser
    API in Windows 2000. When I give this permission to the ASP.NET account
    it works fine. Since giving "Act as part of operating system" is a
    security issue, I created a local account with least privileges, gave
    the "Act as part of operating system" permission to this account
    and impersonated my ASP.NET application with this account. But it still
    gives the same error. Does anyone have an idea on how to use LogonUser by
    giving "Act as part of operating system" to an account other than
    ASP.NET?


    Regards
    Sriram.V

    nilapenn Guest
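Error 1314 is ERROR_PRIVILEGE_NOT_HELD: whichever token the LogonUser call is evaluated against (the thread's impersonation token while the request is impersonating, otherwise the worker process token) does not hold SeTcbPrivilege, the internal name of "Act as part of the operating system". Two things are easy to miss when the right is granted to a separate account: a privilege only shows up in tokens created after the policy change (tokens are built at logon, so the worker process and any impersonation token it created have to be recreated), and even then it sits in the token disabled until something enables it. The C# probe below is an added example, not code from this thread: it opens the token actually in effect, tries to enable a named privilege, and tells "held but disabled" apart from "not held" through the ERROR_NOT_ALL_ASSIGNED status that AdjustTokenPrivileges reports. Run it under the same identity as the application (a console app or a test page) to see what LogonUser sees.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example: inspects the effective token for a privilege such as SeTcbPrivilege.
static class PrivilegeProbe
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, flattened.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }

    const uint TOKEN_QUERY = 0x0008;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;
    const int ERROR_NO_TOKEN = 1008;            // thread is not impersonating
    const int ERROR_NOT_ALL_ASSIGNED = 1300;    // token does not hold the privilege

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public enum Result { Enabled, NotHeld }

    // Opens the thread token if the thread is impersonating, else the process token,
    // and reports which one was used so the reader knows which account was examined.
    public static Result TryEnable(string privilegeName, out string tokenKind)
    {
        IntPtr token;
        uint access = TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES;

        // openAsSelf = true: the open is checked against the process identity, so a
        // low-rights impersonation token cannot refuse to be inspected.
        if (OpenThreadToken(GetCurrentThread(), access, true, out token))
            tokenKind = "thread (impersonation)";
        else if (Marshal.GetLastWin32Error() == ERROR_NO_TOKEN &&
                 OpenProcessToken(GetCurrentProcess(), access, out token))
            tokenKind = "process";
        else
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            LUID luid;
            if (!LookupPrivilegeValue(null, privilegeName, out luid))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // AdjustTokenPrivileges returns TRUE even when the token lacks the privilege;
            // the "not held" outcome is only visible through the last-error value.
            return Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED ? Result.NotHeld : Result.Enabled;
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static void Main()
    {
        string kind;
        Result r = TryEnable("SeTcbPrivilege", out kind);
        Console.WriteLine("{0} token for {1}: SeTcbPrivilege {2}", kind,
            System.Security.Principal.WindowsIdentity.GetCurrent().Name, r);
    }
}
```

If this prints NotHeld for the process token after the right was granted, the token predates the policy change: recycle the worker process (iisreset) and run it again. If it prints NotHeld for a thread token while the request impersonates an account that does hold the right, the impersonation token was created before the grant and needs to be recreated the same way.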

  2. Moderated Post

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account

    Removed by Administrator
    Joe Kaplan (MVP - ADSI) Guest

  3. Moderated Post

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account

    Removed by Administrator
    nilapenn Guest

  4. Moderated Post

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account

    Removed by Administrator
    Joe Kaplan (MVP - ADSI) Guest

  5. #5

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account

    Hi Sriram,

    I am David and would like to know more about the LogonUser API that you are
    using. Hope you could help me. Currently we are in a project to retrieve
    OLAP database metadata for display in a web application.

    Following are the settings of our environment:

    1. IIS Directory Security with "Anonymous Access" unchecked.
    2. Machine.config (processModel with userName="machine")
    3. Web.config (impersonate="true" userName="" password="")
    4. aspCompat="true"
    5. IIS is running on Windows XP and accesses a Windows 2003 Server OLAP
    database.

    Description of tests:
    Test 1: Impersonate but without connection to the OLAP server.
    Test 2: Impersonate and with connection to the OLAP server.
    Test 3: I have another application with impersonation set manually in the
    web.config file, without any programmatic impersonation as in this one, with
    a connection to the OLAP server. It works. I can read the metadata.

    The output is shown after the VB code below.

    This is the VB code:
    ###############################
    Imports System
    Imports System.ComponentModel
    Imports System.Web
    Imports System.Web.Security
    Imports System.Runtime.InteropServices
    Imports System.Security.Principal
    Imports System.Security.Permissions
    Imports Microsoft.VisualBasic

    <Assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode:=True), _
     Assembly: PermissionSetAttribute(SecurityAction.RequestMinimum, Name:="FullTrust")>

    Public Class Login
        Inherits System.Web.UI.Page

        Private dsoServer As New DSO.Server
        Private impersonateUser As WindowsImpersonationContext
        Private lastError As Integer = 0

        'Impersonation constants (values from winbase.h / winnt.h)
        Const LOGON32_PROVIDER_DEFAULT As Integer = 0
        Const LOGON32_LOGON_INTERACTIVE As Integer = 2
        Const SECURITY_IMPERSONATION As Integer = 2   'SECURITY_IMPERSONATION_LEVEL for DuplicateToken

        'Win32 BOOL is a 32-bit value, so these return Boolean rather than Long.
        'Declare statements capture GetLastError automatically, so
        'Marshal.GetLastWin32Error() is valid right after each call.
        Private Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Boolean

        Private Declare Auto Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
            ByVal hToken As IntPtr) As Boolean

        Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
            ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean

        Public Declare Auto Function CloseHandle Lib "kernel32.dll" ( _
            ByVal handle As IntPtr) As Boolean

        Public Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
            ByVal ExistingTokenHandle As IntPtr, _
            ByVal ImpersonationLevel As Integer, _
            ByRef DuplicateTokenHandle As IntPtr) As Boolean

        'Win32Exception performs the FormatMessage call itself; no manual
        'FormatMessage declaration or buffer handling is needed.
        Public Shared Function GetErrorMessage(ByVal errorCode As Integer) As String
            Return New Win32Exception(errorCode).Message
        End Function

        Private Function impersonateValidUser(ByVal userName As String, ByVal domain As String, _
                                              ByVal password As String) As Boolean
            Dim tempWindowsIdentity As WindowsIdentity
            Dim token As IntPtr = IntPtr.Zero
            Dim tokenDuplicate As IntPtr = IntPtr.Zero
            impersonateValidUser = False
            lastError = 0

            'RevertToSelf() discards the thread's current impersonation token (the one
            'web.config impersonate="true" installed for this request). Impersonate()
            'below therefore saves the bare process identity, and that is what Undo()
            'restores afterwards.
            If RevertToSelf() Then
                If LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, _
                             LOGON32_PROVIDER_DEFAULT, token) Then
                    If DuplicateToken(token, SECURITY_IMPERSONATION, tokenDuplicate) Then
                        'WindowsIdentity makes its own copy of the handle, so both of
                        'ours are closed below whatever the outcome.
                        tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                        impersonateUser = tempWindowsIdentity.Impersonate()

                        If Not impersonateUser Is Nothing Then
                            impersonateValidUser = True
                        End If
                    Else
                        lastError = Marshal.GetLastWin32Error()
                    End If
                Else
                    lastError = Marshal.GetLastWin32Error()   '1314 = ERROR_PRIVILEGE_NOT_HELD
                End If
            End If

            If Not tokenDuplicate.Equals(IntPtr.Zero) Then
                CloseHandle(tokenDuplicate)
            End If

            If Not token.Equals(IntPtr.Zero) Then
                CloseHandle(token)
            End If
        End Function

        Private Sub undoImpersonation()
            If Not impersonateUser Is Nothing Then
                impersonateUser.Undo()
                impersonateUser = Nothing
            End If
        End Sub

    #Region " Web Form Designer Generated Code "

        'This call is required by the Web Form Designer.
        <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

        End Sub
        Protected WithEvents txbDomain As System.Web.UI.WebControls.TextBox
        Protected WithEvents txbUserName As System.Web.UI.WebControls.TextBox
        Protected WithEvents txbPassword As System.Web.UI.WebControls.TextBox
        Protected WithEvents lblDomain As System.Web.UI.WebControls.Label
        Protected WithEvents lblUserName As System.Web.UI.WebControls.Label
        Protected WithEvents lblPassword As System.Web.UI.WebControls.Label
        Protected WithEvents btnLogin As System.Web.UI.WebControls.Button
        Protected WithEvents entries As System.Web.UI.HtmlControls.HtmlGenericControl

        'NOTE: The following placeholder declaration is required by the Web Form Designer.
        'Do not delete or move it.
        Private designerPlaceholderDeclaration As System.Object

        Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) _
                Handles MyBase.Init
            'CODEGEN: This method call is required by the Web Form Designer
            'Do not modify it using the code editor.
            InitializeComponent()
        End Sub

    #End Region

        Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) _
                Handles MyBase.Load
            'Put user code to initialize the page here

        End Sub

        Private Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
                Handles btnLogin.Click
            entries.InnerHtml = entries.InnerHtml & "<p>" & "Before : " & _
                WindowsIdentity.GetCurrent().Name

            If impersonateValidUser(txbUserName.Text, txbDomain.Text, txbPassword.Text) Then
                entries.InnerHtml = entries.InnerHtml & "<p>" & "After : " & _
                    WindowsIdentity.GetCurrent().Name

                'dsoServer.Connect("sj-isbidw01d")

                undoImpersonation()

                entries.InnerHtml = entries.InnerHtml & "<p>" & "Undo : " & _
                    WindowsIdentity.GetCurrent().Name
            Else
                'Report the Win32 error so 1314 (privilege not held) is visible in the page.
                entries.InnerHtml = entries.InnerHtml & "<p>Impersonation fails: " & _
                    lastError.ToString() & " " & Server.HtmlEncode(GetErrorMessage(lastError))
            End If

            'Response.Redirect("http://pg-cpyee/WindowsAuth/Main.aspx")
        End Sub
    End Class
    ###############################

    Output 1:

    Before : ALTERA\CPYEE
    After : altera\cpyee-sa
    Undo : PG-CPYEE\ASPNET

    Output 2:

    Cannot open connection to Analysis server 'sj-isbidw01d'. Error in data
    [Possible data corruption] ''

    --
    Message posted via [url]http://www.dotnetmonster.com[/url]
    David Yee via DotNetMonster.com Guest
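In Output 1 the identity after Undo is PG-CPYEE\ASPNET, the worker process account, not the ALTERA\CPYEE that was in place before. That is the effect of the RevertToSelf() call at the top of impersonateValidUser: it throws away the request's impersonation token (the one impersonate="true" installed), so Impersonate() saves the bare process identity and Undo() puts that back, and everything the page does after the helper runs as the process account rather than the authenticated user. The C# below is an added example, not David's code: a scoped helper that logs on, impersonates for one callback and returns the thread to exactly the identity it had, keeping the token in a SafeHandle so it is closed even when the callback throws. It assumes a real local or domain account supplied on the command line ("." as the domain means the local machine). The logon type is a parameter on purpose: LogonUser caches no credentials for LOGON32_LOGON_NETWORK, so that token cannot authenticate onward to another server, which matters when the impersonated work must reach a remote OLAP instance as in Test 2; LOGON32_LOGON_NETWORK_CLEARTEXT, or the INTERACTIVE type the post uses, keeps them.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Owns the logon token so it is always closed, even if the impersonated work throws.
sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    private SafeTokenHandle() : base(true) { }   // the marshaler creates instances

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    protected override bool ReleaseHandle() { return CloseHandle(handle); }
}

// Added example (not from the thread): impersonation scoped to a single callback.
static class ScopedLogon
{
    // Logon types and provider from winbase.h.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;          // no cached credentials: local use only
    public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // credentials kept for onward hops
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    public const int ERROR_PRIVILEGE_NOT_HELD = 1314;

    // DWORD parameters are int, the token comes back as a SafeHandle, and
    // SetLastError lets Marshal.GetLastWin32Error() read the failure code.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeTokenHandle token);

    // Runs 'work' as the given account and hands the thread back with whatever identity
    // it had before, including an IIS request-level impersonation. Nothing calls RevertToSelf().
    public static T RunAs<T>(string domain, string user, string password, int logonType, Func<T> work)
    {
        SafeTokenHandle token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                throw new UnauthorizedAccessException(
                    "LogonUser failed with 1314: the calling token lacks SeTcbPrivilege.");
            throw new Win32Exception(err);
        }

        using (token)
        {
            // WindowsIdentity duplicates the handle, so our copy is released when the outer
            // using ends. Disposing the context calls Undo(), restoring the saved identity.
            using (WindowsImpersonationContext ctx =
                   new WindowsIdentity(token.DangerousGetHandle()).Impersonate())
            {
                return work();
            }
        }
    }

    // Usage: ScopedLogon.exe <domain> <user> <password>
    static void Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.WriteLine("usage: <domain> <user> <password>   (domain \".\" = local machine)");
            return;
        }

        string before = WindowsIdentity.GetCurrent().Name;
        string during = RunAs(args[0], args[1], args[2], LOGON32_LOGON_NETWORK,
                              () => WindowsIdentity.GetCurrent().Name);
        string after = WindowsIdentity.GetCurrent().Name;

        Console.WriteLine("Before : " + before);
        Console.WriteLine("During : " + during);
        Console.WriteLine("Undo   : " + after);   // same as Before: nothing reverted to self
    }
}
```

Inside an ASP.NET page the same helper keeps the request's own impersonation intact around the DSO call: the "Undo" line then matches the "Before" line instead of dropping to the ASPNET account.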

  6. #6

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account


    Hello Sriram and David,

    I'm having the same problem, i.e. LogonUser on Windows 2000 gives me
    the error code 1314, and even after I set up 'Act as part of the
    operating system' for my ASP.NET account, it does not work. It then
    gives me a "page not found" error instead of 1314.
    I then moved the app to a Windows 2003 Server and I'm getting the same
    "page not found" error.
    Here is the code I'm using: P L E A S E H E L P !!!!

    using System;
    using System.Collections;
    using System.ComponentModel;
    using System.Data;
    using System.Diagnostics;
    using System.Web;
    using System.Web.Services;
    using System.Net;
    using System.Security.Permissions;
    using System.Runtime.InteropServices;
    //using System.Management;

    [assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode = true)]

    namespace NTLMAuth
    {
        /// <summary>
        /// Summary description for Service1.
        /// </summary>
        public class NTLMAuth : System.Web.Services.WebService
        {
            public NTLMAuth()
            {
                //CODEGEN: This call is required by the ASP.NET Web Services Designer
                InitializeComponent();
            }

            //ManagementObject mo = new ManagementObject(new ManagementPath( ));
            //mo.Scope.Options.EnablePrivileges = true;

            // Logon types and providers are 32-bit DWORDs. Declaring them and the
            // P/Invoke parameters as C# long pushes 8 bytes per argument, which
            // unbalances the stdcall stack and can bring down the worker process.
            const int LOGON32_LOGON_INTERACTIVE = 2;
            const int LOGON32_LOGON_NETWORK = 3;

            const int LOGON32_PROVIDER_DEFAULT = 0;
            const int LOGON32_PROVIDER_WINNT50 = 3;
            const int LOGON32_PROVIDER_WINNT40 = 2;
            const int LOGON32_PROVIDER_WINNT35 = 1;

            // Import by module name rather than an absolute path, return the token as an
            // IntPtr, and let the marshaler record GetLastError: a separately imported
            // GetLastError is unreliable because the runtime may overwrite it in between.
            [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
            public static extern bool LogonUser(string lpszUsername, string lpszDomain,
                string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

            [DllImport("kernel32.dll", SetLastError = true)]
            public static extern bool CloseHandle(IntPtr hObject);

            #region Component Designer generated code

            //Required by the Web Services Designer
            private IContainer components = null;

            /// <summary>
            /// Required method for Designer support - do not modify
            /// the contents of this method with the code editor.
            /// </summary>
            private void InitializeComponent()
            {
            }

            /// <summary>
            /// Clean up any resources being used.
            /// </summary>
            protected override void Dispose(bool disposing)
            {
                if (disposing && components != null)
                {
                    components.Dispose();
                }
                base.Dispose(disposing);
            }

            #endregion

            // Validates a user name and password against the FREMONT domain and returns
            // 0 on success or the Win32 error code (1314 = ERROR_PRIVILEGE_NOT_HELD).
            // The method receives a plaintext password, so expose it over HTTPS only.
            [WebMethod]
            public int NTLMLogin(string UserName, string Password)
            {
                string domain = "FREMONT";
                IntPtr token = IntPtr.Zero;

                bool passed = LogonUser(UserName, domain, Password,
                    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, out token);

                int errorLoginCode = 0;

                if (!passed)
                {
                    errorLoginCode = Marshal.GetLastWin32Error();
                }
                else
                {
                    // The token is only used as a yes/no credential check; release it.
                    CloseHandle(token);
                }

                return errorLoginCode;
            }

        }
    }



    *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
    MH Guest

  7. #7

    Re: Using LogonUser API in ASP.net with an account other than ASPNet account

    I had the same problem last week and I could resolve it.

    Try this article: you have to assign the permissions to the account
    that is running the ASP.NET process, IWAM_machine (because my server is a
    domain controller) or the ASPNET account.

    [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;824308[/url]

    I hope this helps you.

    --
    Message posted via [url]http://www.dotnetmonster.com[/url]
    luis luis via DotNetMonster.com Guest
