ASP 2.0, C#, LDAP Login, and Forms impersonation?

 
 
Karl (Guest) wrote on 09-18-2006:
Will a forms authentication allow me to impersonate a user?

I am working on an application that will run on a kiosk, and allow a user to
login and view their homedirectory.

I have a form with the new login control which works great.

I get logged in, and find the user's homedirectory.

I then write "Click here to access your home directory" and include a file
URL pointing to the homedirectory.

All of this works, until the user clicks the link. At this point, a user
cannot access their user drive without logging in again.

So, now I am trying to map a drive using WNetAddConnection2A, and it fails
with an error 5 on my development PC (Access Denied).

I get a formsauthentication ticket via
FormsIdentity fi = (FormsIdentity)User.Identity;
FormsAuthenticationTicket fat = fi.Ticket;

fat.name populates correctly

Then, I call WNetAddConnection2A using the structure of:
dwType= RESOURCETYPE_DISK
lpLocalName = "m:"
lpRemoteName = "\\\\usawvfs04\\userskl\\karlm"
lpProvider= null

My lpPassword is null, my lpUsername I set to fat.name.tostring()
I do not set any dwFlags.

If I hard code my own null terminated username and password, I get an error
1312 (ERROR_NO_SUCH_LOGON_SESSION)

Here is the relevant code:

FormsIdentity fi = (FormsIdentity)User.Identity;
FormsAuthenticationTicket fat = fi.Ticket;
IIdentity WinId = HttpContext.Current.User.Identity;
string strUserDrive = "";

try
{
    char[] splitter = { '\\' };
    string SearchString = "";

    // Access resources using the identity of the authenticated user
    DirectoryEntry obEntry = new DirectoryEntry("LDAP:servername/DC=/DC=/DC=");
    SearchString = "anr=" + fi.Ticket.Name.ToString();

    DirectorySearcher search = new DirectorySearcher(obEntry, SearchString);
    SearchResult res = search.FindOne();
    strUserDrive = (string)res.Properties["homedirectory"][0];

    Response.Write("Hello, " + (string)res.Properties["givenname"][0] + ".");
    Response.Write("<br/><br/>Your User Drive is now available.<br/>");

    NETRESOURCEA[] n = new NETRESOURCEA[1];
    n[0] = new NETRESOURCEA();
    n[0].dwType = 1;          // RESOURCETYPE_DISK
    int dwFlags = 1;          // CONNECT_UPDATE_PROFILE
    n[0].lpLocalName = @"m:";
    n[0].lpRemoteName = strUserDrive;
    n[0].lpProvider = null;

    // FAILS HERE: returns 5 (ERROR_ACCESS_DENIED) on the dev PC; the username
    // comes from the forms ticket and no password is supplied
    int result = CMyMprTest.WNetAddConnection2A(n, null, fi.Name, dwFlags);
    if (result != 0)
    {
        Response.Write("<br/>Drive mapping failed with error " + result);
        return;
    }

    Response.Write("<br/>Click here to access your <a href=\"file://m:\">user drive</a>");
    Response.Write("<br/><br/>Remember to click Logout when you are done with your user drive.");
}
catch (Exception ex)
{
    Response.Write("<br/>Error: " + Server.HtmlEncode(ex.Message));
}


 
Joe Kaplan (Guest) wrote on 09-18-2006:
No, forms auth does not support impersonation like Windows auth does. You
would need to code your own thing to do that. Since you are gathering the
user's credentials, that should be possible, but you'll need to store them
somewhere (like session or something), as you won't have them after the
forms login is processed.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net



 
Karl (Guest) wrote on 09-18-2006:
Or, I could just start over with a Windows authentication login, and after
getting authenticated, open default.aspx with the "Click Here to access your
User Drive" and a logout button, I suppose?

I am new (obviously) to asp, and thought "Why not use this nifty login
control"

Seems like a fairly useless control - I will go back to asp.net 1.x and
Windows authentication.

Thanks

karl




 
Joe Kaplan (Guest) wrote on 09-19-2006:
Well, the control isn't useless. It is just that you don't need forms auth
here, so it doesn't really do anything for you. You need Windows auth, so
you might as well just use it. I wouldn't go back to .NET 1.1, though.
There's more to love in 2.0 than just the login control.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net