Impersonation and accessing Windows file share

 
 
Julie
03-29-2006
Hi all,

I have an ASP .NET application and am experiencing an interesting issue.

The application runs under Windows integrated authentication and anonymous
access is turned off; I need the current logged in user's ID for some initial
processing. Partway through the code, I impersonate a system account using
WindowsIdentity objects with the objective of retrieving a file from another
server.

I have the username and password for the system account encrypted in my
code. I can verify using Environment.Username that the impersonation is
working - the username of my system account is returned. However, I'm unable
to authenticate to the file server. It doesn't seem to me that this is a
"double-hop" as I'm just hopping from my web server to this file server - I
do not need to pass the logged-in user's credentials to the file server, just
this system account's credentials that I configure from within my code. (And
unfortunately I cannot make changes to the file system security.)

Any feedback as to whether this is possible would be appreciated. If
necessary, I can switch to moving the service account's credentials to the
web.config file in the <impersonate> tag but I'm hoping there's a way to
switch between the user accounts in the same application.

Thanks!
 
Luke Zhang [MSFT]
03-30-2006
Hello,

First, you can use the following code to determine what user the thread is
executing as:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

Also, if you log on as the System account on the server, can you access the
Windows file share like "\\Myserver\Myshare"?

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Julie
03-30-2006
I use that code and I can confirm that impersonation is impersonating the
correct user. And yes, I can access the file share as the system account -
thanks for checking.

 
Luke Zhang [MSFT]
03-31-2006
In IIS Manager, find the application pool for your web application, change
the identity to the system account you used to impersonate in the code, and
then restart the IIS server. Will this help?

Luke Zhang
Microsoft Online Community Support

 
Joe Kaplan (MVP - ADSI)
03-31-2006
If you enable logon event auditing on the file server, what does the logon
failure say on that end? That may give you some clues.

Also, when you called LogonUser, what type of logon did you do? You need to
make sure you use one that gives you network credentials.

Joe K.
 
Julie
03-31-2006
I can see on the Event log on my web server that the service account is
logging in successfully.
However, on the file server, the event log shows that the user is connecting
to the file server as NT AUTHORITY\ANONYMOUS LOGON. Interesting.

My Logon code looks like this:
' File-level imports needed by the members below.
Imports System.Security.Principal
Imports System.Runtime.InteropServices

' LogonUser returns a primary token for the supplied credentials; on failure
' Marshal.GetLastWin32Error reports why.
Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
    ByVal lpszUsername As String, _
    ByVal lpszDomain As String, _
    ByVal lpszPassword As String, _
    ByVal dwLogonType As Integer, _
    ByVal dwLogonProvider As Integer, _
    ByRef phToken As IntPtr) As Boolean

' Releases the token handle returned by LogonUser.
Private Declare Function CloseHandle Lib "kernel32.dll" ( _
    ByVal hObject As IntPtr) As Boolean

Private Function Logon() As WindowsIdentity
    Dim handle As IntPtr = IntPtr.Zero

    Const LOGON32_LOGON_NETWORK As Integer = 3
    Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    Dim logonSucceeded As Boolean = LogonUser(Me.sUsername, Me.sDomain, _
        Me.sPassword, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, handle)

    If Not logonSucceeded Then
        Dim errorCode As Integer = Marshal.GetLastWin32Error()
        Throw New Exception("User logon failed. Error number: " & errorCode)
    End If

    ' WindowsIdentity duplicates the token, so the original handle can be closed.
    Dim winIdentity As WindowsIdentity = New WindowsIdentity(handle)
    CloseHandle(handle)
    Return winIdentity
End Function
 
Joe Kaplan (MVP - ADSI)
03-31-2006
I think I see your problem. You are using LOGON32_LOGON_NETWORK, but if you
read the docs for LogonUser in MSDN carefully, you'll see that this type of
logon doesn't have network credentials. You probably should switch to
LOGON32_LOGON_NETWORK_CLEARTEXT.

Joe K.
 
Dominick Baier [DevelopMentor]
03-31-2006
Correct me if I am wrong - but when delegation is configured, NETWORK logons
do have network credentials ??!

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
Julie
03-31-2006
That worked!!!!!!!!!!!! I changed the Const LOGON32_LOGON_NETWORK = 3 to
LOGON32_LOGON_NETWORK_CLEARTEXT = 8.
Thank you thank you thank you!
 
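The fix Joe suggests and Julie confirms, written out as an added C# example (not any poster's code): the service account is logged on with LOGON32_LOGON_NETWORK_CLEARTEXT (8) instead of LOGON32_LOGON_NETWORK (3), the impersonation lasts only as long as the file read, and the token handle is released afterwards. The domain "CORP", account "svc_fileread", the SVC_PASSWORD environment variable and the UNC path are placeholders, and the code assumes .NET Framework, where WindowsIdentity.Impersonate() exists.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread; targets .NET Framework.
static class ShareReader
{
    // Logon types from winbase.h. A NETWORK (3) logon yields a token without
    // cached credentials, so outbound SMB authenticates as ANONYMOUS LOGON, the
    // symptom on the file server. NETWORK_CLEARTEXT (8) keeps them available.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads a file from a UNC share while impersonating the service account.
    public static byte[] ReadAsServiceAccount(string domain, string user,
                                              string password, string uncPath)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Win32Exception renders the last error, e.g. 1326 for a bad password.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            using (new WindowsIdentity(token).Impersonate())
            {
                // Inside this block the thread runs as the service account; the
                // using block reverts it to the request identity on exit.
                return File.ReadAllBytes(uncPath);
            }
        }
        finally
        {
            // WindowsIdentity duplicated the token, so the LogonUser handle can go.
            CloseHandle(token);
        }
    }

    static void Main()
    {
        // Placeholder domain, account, secret source and path; the poster kept
        // the real credentials encrypted rather than in source.
        string password = Environment.GetEnvironmentVariable("SVC_PASSWORD");
        byte[] data = ReadAsServiceAccount("CORP", "svc_fileread", password,
                                           @"\\fileserver\share\report.csv");
        Console.WriteLine("Read {0} bytes", data.Length);
    }
}
```

NETWORK_CLEARTEXT works because the logon session retains the password to present to the file server, which is also the reason to keep the impersonation window and the token's lifetime as short as the using block.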
Joe Kaplan (MVP - ADSI)
03-31-2006
My understanding is that this is correct. However, in this case she was
calling LogonUser explicitly to use a service account to access the file
share. From what I can tell by the docs, you can't use LOGON_NETWORK for
that type of logon as it doesn't cache credentials.

I'm not actually sure what happens when you do Kerberos auth with IWA,
except that I assume that IIS calls AcceptSecurityContext instead of
LogonUser and something different happens under the hood. I really don't
know what the mechanics of those differences are.

In any event, it seems to have worked...

Joe K.