Velocity Reviews - Computer Hardware Reviews

Access denied. delegation scenario accessing to a shared resource in cluster

jose.cortijo@gmail.com
      08-11-2006
Hi,
I have an ASP.NET app, and in one aspx page I need to read and write in a
shared directory in a cluster.
My code is the following:

    log.Debug("I am...." +
        System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    DirectoryInfo raiz = new DirectoryInfo(ruta_Excel);
    FileInfo[] archivos = raiz.GetFiles();

I set the delegation for the users and servers and modified the web.config,
but what can I do to access the cluster shared directory?

After reading tons of documentation:

How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/kb/810572/
Authentication delegation through Kerberos does not work in
load-balanced architectures
http://support.microsoft.com/kb/325608/
Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272/en-us
.....

Is it impossible to do it? I read the workaround of accessing the
fully qualified domain name (FQDN), but my system admin doesn't allow me
to do it.

I tried to impersonate in code with new credentials using the following
code:

    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword, int dwLogonType, int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    private static WindowsImpersonationContext impersonatedUser;
    private static IntPtr tokenHandle;

    private static int iDesImpersonar()
    {
        // Stop impersonating the user (only if iImpersonar succeeded).
        if (impersonatedUser != null)
        {
            impersonatedUser.Undo();
            impersonatedUser = null;
        }

        // Free the token.
        if (tokenHandle != IntPtr.Zero)
        {
            CloseHandle(tokenHandle);
            tokenHandle = IntPtr.Zero;
        }
        return 1;
    }

    private static int iImpersonar(string psUsuario, string psPassword)
    {
        try
        {
            // psUsuario is expected in the form DOMAIN\user.
            string[] parts = psUsuario.Split('\\');
            string domainName = parts[0];
            string userName = parts[1];

            const int LOGON32_PROVIDER_DEFAULT = 0;
            // This logon type causes LogonUser to create a primary token.
            const int LOGON32_LOGON_INTERACTIVE = 2;

            tokenHandle = IntPtr.Zero;

            // Call LogonUser to obtain a handle to an access token.
            bool returnValue = LogonUser(userName, domainName, psPassword,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                ref tokenHandle);

            if (!returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                Console.WriteLine("LogonUser failed with error code : {0}", ret);
                throw new System.ComponentModel.Win32Exception(ret);
            }

            // Use the token handle returned by LogonUser.
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            impersonatedUser = newId.Impersonate();

            return 1;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception occurred. " + ex.Message);
            return 0;
        }
    }
but now when I execute

    iImpersonar(@"DOMAIN\user1", "jdf0tj07");

I get an access error executing

    log.Debug("I am...." +
        System.Security.Principal.WindowsIdentity.GetCurrent().Name);

It looks like I don't have enough rights to execute WindowsIdentity...

What can I do to set some credentials to access the shared resource
in the cluster and afterwards continue with my impersonation/delegation
web app?

Thanks in advance.
Jose
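
The approach Jose tried above, but with a NEW_CREDENTIALS logon instead of an interactive one, as an added example written for this thread (it is not code from the original post). With LOGON32_LOGON_NEW_CREDENTIALS the thread keeps its local identity and only outbound network authentication (the SMB connection to the share) uses the supplied account, which is what accessing a remote share under a fixed service account needs. The class and method names (ShareAccess, RunWithNetworkCredentials, ListExcelFiles) are this example's own; it assumes the web server can reach the UNC share over SMB and that the password is loaded from protected configuration rather than written into source.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original post). Reads a UNC share under explicit
// credentials by impersonating a NEW_CREDENTIALS token: the thread keeps its
// local identity, but every outbound network authentication (SMB, LDAP, ...)
// made while impersonating uses the supplied domain\user instead.
public static class ShareAccess
{
    // Logon type / provider constants from winbase.h.
    private const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_WINNT50 = 3;   // required by NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    public delegate T Work<T>();

    // Runs 'work' while outbound connections authenticate as domain\user.
    // The impersonation is undone and the token closed on every path out.
    public static T RunWithNetworkCredentials<T>(string domain, string user,
                                                 string password, Work<T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50,
                       out token))
        {
            // Fail loudly; never fall through and touch the share as the
            // application pool identity by accident.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // WindowsIdentity duplicates the handle, so the original can be
            // closed in the finally block regardless of what Impersonate does.
            WindowsIdentity id = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                return work();    // Dispose() calls Undo() even if work() throws
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Page-level helper: names of the Excel files on the clustered share.
    // 'uncPath' is the share (e.g. the page's ruta_Excel); the credentials
    // should come from protected configuration, not from source code.
    public static string[] ListExcelFiles(string uncPath, string domain,
                                          string user, string password)
    {
        return RunWithNetworkCredentials<string[]>(domain, user, password,
            delegate
            {
                FileInfo[] files = new DirectoryInfo(uncPath).GetFiles("*.xls");
                string[] names = new string[files.Length];
                for (int i = 0; i < files.Length; i++)
                {
                    names[i] = files[i].Name;
                }
                return names;
            });
    }
}
```

Three things to keep in mind with this variant. LogonUser with LOGON32_LOGON_NEW_CREDENTIALS does not verify the password: the call succeeds for any password, and a wrong one only shows up as a logon failure on the first SMB request, so the error you see comes from the file server, not from LogonUser. Inside the impersonated block WindowsIdentity.GetCurrent().Name still reports the application pool identity, because the local token is unchanged; only the network credentials differ. And this is a fixed service account, not delegation: the cluster sees the same account for every web user, so per-user ACLs and the file server's audit trail no longer reflect the end user. The original interactive logon (LOGON32_LOGON_INTERACTIVE) additionally requires that the account hold the "Allow log on locally" right on the web server, which service accounts usually do not.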

 
Joe Kaplan (MVP - ADSI)
      08-12-2006
You should be able to delegate to the remote resource, but it requires that
your web server can do a Kerberos authentication to the remote resource
(file system in this case). Depending on how your web server is configured
for delegation (whether you can use protocol transition in this case), you
may also need to ensure that you can authenticate the clients to the web
application via Kerberos too.

Do you know if your AD is 2003 or not? Can you do protocol transition (S4U)
and constrained delegation? That changes your options a little bit from the
web server perspective. Also, how is the web server process account
configured for delegation (Kerberos-only or "any protocol")?

The best debugging technique is to enable logon event auditing on both the
web server and the cluster server and find out what kind of authentication
is being performed. You'll see NTLM or Kerberos and other details. It is
especially important that you can authenticate to the backend via Kerberos
if you want to delegate.

Unfortunately, troubleshooting Kerberos authentication and delegation
scenarios can be pretty painful, but it can be done and it does work with
the file system (as well as other services like LDAP, SQL and HTTP).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
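
Joe's questions (is the process account set up for unconstrained, Kerberos-only constrained, or "any protocol" constrained delegation, and which SPNs does it carry) can be answered by reading the account's attributes from Active Directory. The following is an added example written for this thread, not code from Joe's book or from either post. It assumes the System.DirectoryServices assembly is referenced, that the code runs on a domain member that can read the account, and that the account is looked up by sAMAccountName (for an app pool running as Network Service that is the web server's computer account, e.g. the hypothetical WEBSRV01$). The class name DelegationCheck and the Mode enumeration are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example (not from the original thread). Reads the delegation-related
// attributes of an account straight from Active Directory and classifies them
// the way the questions above are phrased: unconstrained, constrained
// Kerberos-only, or constrained "any protocol" (protocol transition / S4U).
public static class DelegationCheck
{
    // userAccountControl flag bits (ADS_USER_FLAG_ENUM).
    public const int TRUSTED_FOR_DELEGATION = 0x00080000;         // unconstrained
    public const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000; // "any protocol"

    public enum Mode { None, Unconstrained, ConstrainedKerberosOnly, ConstrainedAnyProtocol }

    // Pure classification so it can be checked without a domain.
    public static Mode Classify(int userAccountControl, IList<string> allowedToDelegateTo)
    {
        if ((userAccountControl & TRUSTED_FOR_DELEGATION) != 0)
            return Mode.Unconstrained;
        if (allowedToDelegateTo == null || allowedToDelegateTo.Count == 0)
            return Mode.None;
        return (userAccountControl & TRUSTED_TO_AUTH_FOR_DELEGATION) != 0
            ? Mode.ConstrainedAnyProtocol
            : Mode.ConstrainedKerberosOnly;
    }

    // RFC 4515 escaping: the account name is untrusted input to an LDAP filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Looks up a user or computer account (computer accounts end in '$',
    // e.g. the hypothetical "WEBSRV01$") in the current domain and prints
    // how it is configured for delegation.
    public static void Report(string samAccountName)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (DirectoryEntry domain = new DirectoryEntry(
                   "LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (DirectorySearcher searcher = new DirectorySearcher(domain))
        {
            searcher.Filter = "(sAMAccountName=" + EscapeFilterValue(samAccountName) + ")";
            searcher.PropertiesToLoad.Add("userAccountControl");
            searcher.PropertiesToLoad.Add("msDS-AllowedToDelegateTo");
            searcher.PropertiesToLoad.Add("servicePrincipalName");

            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                Console.WriteLine("Account {0} not found.", samAccountName);
                return;
            }

            int uac = (int)result.Properties["userAccountControl"][0];
            List<string> targets = new List<string>();
            foreach (object o in result.Properties["msDS-AllowedToDelegateTo"])
                targets.Add((string)o);

            Console.WriteLine("{0}: {1}", samAccountName, Classify(uac, targets));
            // Clients can only get a Kerberos ticket to the web application if
            // an HTTP/<host> SPN is registered on this account.
            foreach (object spn in result.Properties["servicePrincipalName"])
                Console.WriteLine("  SPN: {0}", spn);
            // Under constrained delegation the file server's cifs/<name> SPN
            // must be listed here, or the share is not a permitted target.
            foreach (string t in targets)
                Console.WriteLine("  may delegate to: {0}", t);
        }
    }
}
```

"Any protocol" corresponds to the TRUSTED_TO_AUTH_FOR_DELEGATION bit: the web server may then obtain a ticket on behalf of a user it authenticated by other means (protocol transition), so the front-end logon does not have to be Kerberos. With Kerberos-only constrained delegation, as Joe notes, the client must authenticate to the web application with Kerberos in the first place, and the logon audit events on both machines are the quickest way to confirm which package was actually used.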



 