-
nilapenn #1
Using LogonUser API in ASP.net with an account other than ASPNet account
I am trying to use the LogonUser API function from ASP.NET. This works fine on my machine, which is Windows XP, but fails with error code 1314 on Windows 2000 Server. I searched the web and found out that the "Act as part of operating system" permission is needed for using the LogonUser API in Windows 2000. When I give this permission to the ASP.NET account it works fine. Since giving "Act as part of operating system" is a security issue, I created a local account with least privileges, gave the "Act as part of operating system" permission to this account, and impersonated my ASP.NET application with this account. But it still gives the same error. Does anyone have an idea on how to use LogonUser by giving "Act as part of operating system" to an account other than ASP.NET?
Regards
Sriram.V
nilapenn Guest
-
Joe Kaplan (MVP - ADSI) #2
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
How did you do the impersonation of the other account? If you used the
<identity impersonate="true" username="xxx" password="xxxx" /> thing, then
ASPNET still needs "act as part of OS" to do that in the first place.
Honestly, the best answer is to switch to Windows Server 2003. If that
isn't an option though, you might also consider either moving the LogonUser
code to a COM+ component that runs under the other user's identity or
changing the worker process account to use the new account. However,
granting any account other than SYSTEM this privilege is a serious security
hole and one you want to think a lot about before doing. Why do you need
LogonUser to begin with?
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
nilapenn #3
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
Hi
Thanks for the reply. My requirement is to connect to an Analysis server on a different remote machine through DSO from ASP.NET code. For this I am using the LogonUser API to log on to the server and then connect to the Analysis server.
Regards
Sriram.V
nilapenn Guest
-
Joe Kaplan (MVP - ADSI) #4
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
Another thing you could do in your case is put the code that accesses
Analysis Services in a COM+ component and put that under a specific
identity. This will help avoid this problem for you. You could also run
your worker process as a domain account and disable impersonation.
HTH,
Joe K.
Joe Kaplan (MVP - ADSI) Guest
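As an added example (written for this thread, not code from any post in it), this is how a practitioner would wrap LogonUser on .NET Framework 2.0 or later: DWORD parameters declared as int, the token as an IntPtr, the error read back immediately with Marshal.GetLastWin32Error(), and impersonation that is always undone and the token always closed, even when the impersonated work throws. The class, RunAs and Explain are names chosen here; the logon type is NETWORK_CLEARTEXT so the impersonated thread can authenticate to a remote server such as the Analysis server the thread is about.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper written for this thread, not code from any post in it.
// Targets .NET Framework 2.0+ on Windows (WindowsImpersonationContext is IDisposable there).
public static class ScopedLogon
{
    // Keeps the credentials in the authentication package so the impersonated thread can
    // authenticate to a remote server; LOGON32_LOGON_NETWORK (3) does not keep them.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;   // the code reported throughout this thread
    const int ERROR_LOGON_FAILURE = 1326;
    // DWORDs are int, the token is an IntPtr, and SetLastError = true is what makes
    // Marshal.GetLastWin32Error() return LogonUser's own error instead of a stale one.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // 1314 is a missing privilege on the calling process, not a bad credential,
    // so retrying with a different password cannot fix it.
    public static string Explain(int error)
    {
        switch (error)
        {
            case ERROR_PRIVILEGE_NOT_HELD:
                return "ERROR_PRIVILEGE_NOT_HELD: the worker process lacks SeTcbPrivilege; " +
                       "run this code under another identity rather than granting it to ASPNET.";
            case ERROR_LOGON_FAILURE:
                return "ERROR_LOGON_FAILURE: unknown user name or bad password.";
            default:
                return new Win32Exception(error).Message;
        }
    }

    // Runs action as the given user; returns 0 on success, otherwise the Win32 error code.
    public static int RunAs(string domain, string user, string password, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return Marshal.GetLastWin32Error();   // read it before any other call
        try
        {
            // WindowsIdentity duplicates the token; Dispose() undoes the impersonation
            // whether or not action throws, so the request thread never stays impersonated.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
                action();
        }
        finally { CloseHandle(token); }   // the raw handle is not needed once impersonation ends
        return 0;
    }
}
```

Whatever RunAs returns other than 0 should be passed through Explain and logged server-side; on Windows 2000 a 1314 tells you the worker process identity is the problem, which is exactly the situation Joe's COM+ or worker-process-identity suggestions are meant to avoid.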
-
David Yee via DotNetMonster.com #5
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
Hi Sriram,
I am David and would like to know more on the logonuser API that you are
using. Hope you could help me. Currently we are in a project to retrieve
OLAP database metadata for display in a web application.
Following are the settings of our environment:
1. IIS Directory Security with "Unanonymous Access" unchecked.
2. Machine.config (Process Model with username="machine")
3. Web.config (impersonate="true" userName="" password="")
4. aspCompat = "true"
5. The IIS is running in Windows XP and accessing a Windows 2003 Server OLAP database.
Description of Test:
Test 1: Impersonate but without connection to OLAP Server.
Test 2: Impersonate and with connection to OLAP Server.
Test 3: I have another application with impersonation set manually at
web.config file without any programming impersonation as this one with a
connection to OLAP Server. It works. I can read the metadata.
The output follows the VB code below.
This is the VB code:
###############################
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Security.Permissions
Imports Microsoft.VisualBasic

<Assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode:=True), _
 Assembly: PermissionSetAttribute(SecurityAction.RequestMinimum, Name:="FullTrust")>

Public Class Login
    Inherits System.Web.UI.Page

    Private dsoServer As New DSO.Server
    Private impersonateUser As WindowsImpersonationContext
    ' Win32 error code of the last failed LogonUser/DuplicateToken call (0 = none)
    Private lastLogonError As Integer = 0

    ' Impersonation constants
    Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Const SECURITY_IMPERSONATION As Integer = 2   ' SECURITY_IMPERSONATION_LEVEL value

    ' A Win32 BOOL is 32 bits wide: declare it As Boolean, not As Long (8 bytes in VB.NET).
    ' VB Declare statements set SetLastError, so Marshal.GetLastWin32Error() is valid after a failure.
    Private Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Boolean
    Private Declare Auto Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
        ByVal hToken As IntPtr) As Boolean
    Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
        ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
        ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean
    Public Declare Auto Function CloseHandle Lib "kernel32.dll" ( _
        ByVal handle As IntPtr) As Boolean
    Public Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
        ByVal ExistingTokenHandle As IntPtr, _
        ByVal ImpersonationLevel As Integer, _
        ByRef DuplicateTokenHandle As IntPtr) As Boolean

    <DllImport("kernel32.dll")> _
    Public Shared Function FormatMessage(ByVal dwFlags As Integer, ByRef lpSource As IntPtr, _
        ByVal dwMessageId As Integer, ByVal dwLanguageId As Integer, ByRef lpBuffer As String, _
        ByVal nSize As Integer, ByRef Arguments As IntPtr) As Integer
    End Function

    ' Turns a Win32 error code into its system message text
    Public Shared Function GetErrorMessage(ByVal errorCode As Integer) As String
        Dim FORMAT_MESSAGE_ALLOCATE_BUFFER As Integer = &H100
        Dim FORMAT_MESSAGE_IGNORE_INSERTS As Integer = &H200
        Dim FORMAT_MESSAGE_FROM_SYSTEM As Integer = &H1000
        Dim messageSize As Integer = 255
        Dim lpMsgBuf As String
        Dim dwFlags As Integer = FORMAT_MESSAGE_ALLOCATE_BUFFER Or _
            FORMAT_MESSAGE_FROM_SYSTEM Or FORMAT_MESSAGE_IGNORE_INSERTS
        Dim ptrlpSource As IntPtr = IntPtr.Zero
        Dim prtArguments As IntPtr = IntPtr.Zero
        Dim retVal As Integer = FormatMessage(dwFlags, ptrlpSource, errorCode, 0, lpMsgBuf, _
            messageSize, prtArguments)
        If 0 = retVal Then
            Throw New Exception("Failed to format message for error code " _
                & errorCode.ToString() & ". ")
        End If
        Return lpMsgBuf
    End Function

    ' Logs the user on and impersonates them on the current thread.
    ' On failure lastLogonError holds the Win32 error (1314 = ERROR_PRIVILEGE_NOT_HELD,
    ' i.e. the worker process lacks the "Act as part of the operating system" privilege).
    Private Function impersonateValidUser(ByVal userName As String, ByVal domain As String, _
        ByVal password As String) As Boolean
        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Dim tokenDuplicate As IntPtr = IntPtr.Zero
        impersonateValidUser = False
        lastLogonError = 0

        ' Drop any impersonation already in effect (e.g. <identity impersonate="true"/>)
        ' so LogonUser runs with the worker process's own privileges.
        If RevertToSelf() Then
            If LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, _
                LOGON32_PROVIDER_DEFAULT, token) Then
                If DuplicateToken(token, SECURITY_IMPERSONATION, tokenDuplicate) Then
                    tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                    impersonateUser = tempWindowsIdentity.Impersonate()
                    If Not impersonateUser Is Nothing Then
                        impersonateValidUser = True
                    End If
                Else
                    lastLogonError = Marshal.GetLastWin32Error()
                End If
            Else
                lastLogonError = Marshal.GetLastWin32Error()
            End If
        End If

        ' WindowsIdentity keeps its own copy of the token, so the raw handles can be closed now
        If Not tokenDuplicate.Equals(IntPtr.Zero) Then
            CloseHandle(tokenDuplicate)
        End If
        If Not token.Equals(IntPtr.Zero) Then
            CloseHandle(token)
        End If
    End Function

    Private Sub undoImpersonation()
        'RevertToSelf()
        impersonateUser.Undo()
    End Sub

#Region " Web Form Designer Generated Code "
    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
    End Sub
    Protected WithEvents txbDomain As System.Web.UI.WebControls.TextBox
    Protected WithEvents txbUserName As System.Web.UI.WebControls.TextBox
    Protected WithEvents txbPassword As System.Web.UI.WebControls.TextBox
    Protected WithEvents lblDomain As System.Web.UI.WebControls.Label
    Protected WithEvents lblUserName As System.Web.UI.WebControls.Label
    Protected WithEvents lblPassword As System.Web.UI.WebControls.Label
    Protected WithEvents btnLogin As System.Web.UI.WebControls.Button
    Protected WithEvents entries As System.Web.UI.HtmlControls.HtmlGenericControl
    'NOTE: The following placeholder declaration is required by the Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it using the code editor.
        InitializeComponent()
    End Sub
#End Region

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'Put user code to initialize the page here
    End Sub

    Private Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        entries.InnerHtml = entries.InnerHtml & "<p>" & "Before : " & WindowsIdentity.GetCurrent().Name
        If impersonateValidUser(txbUserName.Text, txbDomain.Text, txbPassword.Text) Then
            Try
                entries.InnerHtml = entries.InnerHtml & "<p>" & "After : " & WindowsIdentity.GetCurrent().Name
                'dsoServer.Connect("sj-isbidw01d")
            Finally
                ' Always revert, even if the DSO call throws, so the thread is not left impersonating
                undoImpersonation()
            End Try
            entries.InnerHtml = entries.InnerHtml & "<p>" & "Undo : " & WindowsIdentity.GetCurrent().Name
        Else
            entries.InnerHtml = entries.InnerHtml & "<p>Impersonation Fails"
            If lastLogonError <> 0 Then
                entries.InnerHtml = entries.InnerHtml & " (error " & lastLogonError & ": " _
                    & GetErrorMessage(lastLogonError) & ")"
            End If
        End If
        'Response.Redirect("http://pg-cpyee/WindowsAuth/Main.aspx")
    End Sub
End Class
###############################
Output 1:
Before : ALTERA\CPYEE
After : altera\cpyee-sa
Undo : PG-CPYEE\ASPNET
Output 2:
Cannot open connection to Analysis server 'sj-isbidw01d'. Error in data
[Possible data corruption] ''
David Yee via DotNetMonster.com Guest
-
MH #6
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
Hello Sriram and David,
I'm having the same problem, i.e. LogonUser on Windows 2000 gives me the error code 1314, and even after I set up 'Act as part of the operating system' for my ASP.NET account, it does not work. It then gives me a "page not found" error instead of 1314.
I then moved the app to a Windows 2003 Server and I'm getting the same "page not found" error.
Here is the code I'm using. P L E A S E  H E L P !!!!
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Web;
using System.Web.Services;
using System.Net;
using System.Security.Permissions;
using System.Runtime.InteropServices;
//using System.Management;

[assembly: SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode = true)]

namespace NTLMAuth
{
    /// <summary>
    /// Summary description for Service1.
    /// </summary>
    public class NTLMAuth : System.Web.Services.WebService
    {
        public NTLMAuth()
        {
            //CODEGEN: This call is required by the ASP.NET Web Services Designer
            InitializeComponent();
        }

        //ManagementObject mo = new ManagementObject(new ManagementPath( ));
        //mo.Scope.Options.EnablePrivileges = true;

        // Logon types. These are Win32 DWORDs: declare them as int, not long
        // (a C# long is 8 bytes and corrupts the argument list passed to LogonUser).
        const int LOGON32_LOGON_INTERACTIVE = 2;
        const int LOGON32_LOGON_NETWORK = 3;
        // Logon providers
        const int LOGON32_PROVIDER_DEFAULT = 0;
        const int LOGON32_PROVIDER_WINNT50 = 3;
        const int LOGON32_PROVIDER_WINNT40 = 2;
        const int LOGON32_PROVIDER_WINNT35 = 1;

        // Use the bare DLL name rather than a hard-coded C:\winnt path so the loader
        // resolves it on any system. SetLastError = true is required for
        // Marshal.GetLastWin32Error() to return the error LogonUser actually set.
        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool LogonUser(string lpszUsername, string lpszDomain,
            string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr handle);

        #region Component Designer generated code
        //Required by the Web Services Designer
        private IContainer components = null;

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
        }

        /// <summary>
        /// Clean up any resources being used.
        /// </summary>
        protected override void Dispose(bool disposing)
        {
            if (disposing && components != null)
            {
                components.Dispose();
            }
            base.Dispose(disposing);
        }
        #endregion

        // Returns 0 when the credentials are valid, otherwise the Win32 error code
        // (1314 = ERROR_PRIVILEGE_NOT_HELD: the worker process lacks SeTcbPrivilege).
        [WebMethod]
        public int NTLMLogin(string UserName, string Password)
        {
            string domain = "FREMONT";
            IntPtr token = IntPtr.Zero;
            bool passed = LogonUser(UserName, domain, Password,
                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, out token);
            int errorLoginCode = 0;
            if (!passed)
            {
                // Do not P/Invoke GetLastError() directly: the runtime may already have
                // overwritten it. Read the value the marshaler captured instead.
                errorLoginCode = Marshal.GetLastWin32Error();
            }
            else
            {
                // The token is not used further, so release it instead of leaking it
                CloseHandle(token);
            }
            return errorLoginCode;
        }
    }
}
MH Guest
-
luis luis via DotNetMonster.com #7
Re: Using LogonUser API in ASP.net with an account other than ASPNet account
I had the same problem last week and I could resolve it.
Try this article. You have to assign the permissions to the account that is running the ASP.NET process: IWAM_machine (because my server is a domain controller) or the ASPNET account.
http://support.microsoft.com/default.aspx?scid=kb;en-us;824308
I hope this helps you.
luis luis via DotNetMonster.com Guest




